A Legal Guide to PRIVACY AND DATA SECURITY 2024

security questionnaire or undergo an audit of their data security practices and facilities. Does the vendor meet standards of SSAE16, SOC II, ISO or have related data security certifications? Comply with NIST?

Insurance

A business can also manage some of its own data privacy risk through insurance. A review of current insurance policies should determine what coverage the business is entitled to relative to business interruption, crisis management, costs related to breach notification, response to government investigations, restoration of computer systems and data recovery, computer fraud and criminal activities. Third party liability coverage such as general business liability policies, professional liability (E&O) policies, and directors and officers liability policies should be reviewed. Special “niche” cyber liability and other new media policies are increasingly appearing on the market. In some cases, insurers make it clear that “electronic data” is not covered by the policy and some courts have found that “electronic data” is not tangible property that can be damaged.

Have someone knowledgeable in data privacy and security risks and insurance review your current insurance and any contemplated purchase of additional coverage. Questions to ask when looking for a policy include: Does the insurance cover costs to respond to government investigations? Breach notifications and related costs? Is the computer network and system of the business covered? What about mobile devices? Laptops? Tablets?

The insurance policy should be scrutinized to make sure that it covers all of the business activities and relevant technology. For example, does a software provider of cloud services have insurance coverage for the network under its control as well as the computer networks operated by a third party for which it provides cloud services?
