Over the past few weeks, our clients have advised us of several circumstances where their sensitive personnel information was sent to an unknown third party. In the two most recent situations, Client #1 had over 900 records affected and Client #2 had about 80 records affected. The breach cost for Client #1 is estimated to be around $60,000 and the estimated breach cost for Client #2 is about $70,000.
Cybercrime has escalated and evolved in recent years, from perpetrators sending phishing emails to criminals now using "spear phishing" attacks. Spear phishing is the process whereby the criminal poses as an employee or a person in management and asks another employee for protected and/or personally identifiable information. Several years ago, these types of crimes targeted a company's accounting department - where an employee in the department would receive an email from someone in management requesting a wire to be sent to a third party for either payment of an invoice or for a transaction.
This year, these crimes have evolved to target the human resources and payroll departments. These scams are well thought out, and the perpetrators have spent a considerable amount of time and research to target the people who have access to the right information. They will send an email that appears to be from someone in a decision-making role - a manager, senior executive, President, or CEO. The sender's address often appears very similar to the actual email address of these executives, with only a small character difference that may not be easily caught.
The information requested in these spear phishing attacks has been sensitive information about the company's employees, including their 2016 W-2s. It is not a coincidence that the number of these spear phishing attacks has increased recently because of the tax filing season. These criminals will take the W-2 and file a fraudulent tax return in the employee's name. In 2015, the IRS confirmed they stopped 1.4 million confirmed identity theft tax returns totaling more than $8 billion. Many experts believe this figure is much higher.
The best prevention is for the employee to make a phone call and confirm with the person requesting the information.
If you find yourself in a position where sensitive information was sent out to an unknown third party, it is vital that the company follow the privacy breach notification protocols that have been mandated by the respective states where the records were affected. Failure to notify and follow the guidelines that have been set up by the state regulatory authority may result in fines and penalties against the company.
A Cyber Liability policy provides the best coverage and resource in this scenario. This product is evolving every year to meet the demands of the changing landscape where criminals can quickly adapt their tactics to obtain sensitive personal information of individuals, clients and employees. Several resources are important in the Cyber Liability policy once a breach has been discovered;
All of these resources are covered if there is a Cyber Liability policy in place. The cost of a Cyber policy is minimal compared to the costs of a breach and of approaching these individual resources separately. Many companies are ill-prepared to handle the multitude of steps involved in handling a breach situation.
For additional information on obtaining a Cyber Liability policy, please contact your Equity Risk professional.
Jason Leong - Director of Partners Service Group
Jason Leong has two decades of insurance experience specializing in Management Liability for Private Equity firms and Property & Casualty for Public Entity Groups. Mr. Leong is currently the Director of the Partners Service Group focused on producing the next generation of insurance professionals through coaching and laying the foundation ingrained with strong and deep ethics, intellectual curiosity, empathy and front line exposure to insurance resolutions. Prior to joining Equity Risk Partners, Mr. Leong was at Alliant Insurance Services - Public Entity Group.
Mr. Leong holds a Bachelor of Arts in History from the University of California, Davis.
Contact Information: email@example.com
Phone: (415) 874-7142