Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

BYOD: Cool, but Dangerous – 3 HIPAA Security Rule challenges, 7 key precautions

Posted in Mobile Privacy, Privacy and Data Security

Written by Peter F. McLaughlin

September 24, 2014

HEALTH SYSTEMS ALERT

From reliable surveys and less dependable anecdotes, opinions point to the almost inevitable expansion of BYOD – bring your own device – as a cost-saving model for employers.

Advisors assure company decision makers that direct savings will flow by avoiding the cost of purchasing handsets and absorbing service plan fees. Finance managers concur that the proposed numbers look good. And employees simply want to be able to pick their own device and avoid the hassle of carrying two. There are particular lures for health organizations: not least, a quick search of a major app store presents thousands of apps dedicated to the health space, both for consumer engagement and for direct activity within the healthcare setting.

However, often overlooked is that a company’s election to adopt BYOD for mobile phones and tablets (as an example) brings along myriad complex risks, ranging from information security and regulatory compliance to employee privacy concerns.

Company policies and procedures must address these risks. This article will briefly survey risks from the US healthcare perspective when companies choose to adopt a BYOD policy, and will conclude with guidance that should assist healthcare organizations to comply with their HIPAA obligations.

For the entire article go to: http://www.dlapiper.com/en/us/insights/publications/2014/09/bring-our-own-device/

Big Data, Big Privacy Issues

Posted in Cookies, EU Data Protection, International Privacy, Mobile Privacy, New Privacy Laws, Privacy and Data Security, Social Networking, Uncategorized

By Patrick Van Eecke & Mathieu Le Boudec

Last week, a resolution on big data was adopted under the auspices of the 36th International Conference of Data Protection and Privacy Commissioners (hereafter: “ICDPPC”). After earlier guiding documents released this year by, among others, the Executive Office of the President of the United States, the Information Commissioner’s Office (UK), the Working Party 29 and the European Data Protection Supervisor, this resolution is yet another confirmation of the attention big data gets from regulators worldwide.

BELGIUM: Belgian government’s new focus on privacy and technology laws

Posted in Cloud Computing, Cybersecurity, E-Commerce and Social Media, EU Data Protection, International Privacy, New Privacy Laws, Privacy and Data Security, Security Breaches

By Patrick Van Eecke and Antoon Dierick

Almost five months after federal parliamentary elections took place, the negotiators from the four political parties around the negotiating table (Flemish parties NVA, CD&V and Open VLD and Walloon party MR) reached a coalition agreement which contains quite a few interesting policy initiatives from a privacy and IT law perspective.

The newly formed government aims to be “a digital federal authority” by the end of the legislature, the goal being to smooth away superfluous paperwork circulating in the different federal public services. Inspired by the success of Tax-on-web (an online tax declaration platform) and student@work (an online platform relating to work performed by students), the development of new tools and apps will be a priority of the new government. Moreover, public authorities will be asked to use means of electronic communication as much as possible when communicating with the public.

Several privacy and IT related areas have been explicitly discussed in the coalition agreement. Some of the announced initiatives include the following:

1. Privacy

The new Belgian government seems to take citizens’ privacy rights very seriously. For the first time, the federal government will include a Secretary of State (i.e. a member of the cabinet assigned to a Minister) responsible for privacy matters.

This Secretary of State has not been tasked lightly. He will need to supervise the modernization of the current legal framework relating to personal data protection. Important to note is that the coalition agreement has stated that the basic principle in relation to data protection should be an informed consent (this being one of the six forms of legal basis which can be invoked to process personal data). The Belgian government itself will advocate for a strongly harmonized European regulatory framework for privacy which nevertheless gives Member States the possibility to provide a higher level of protection, especially in the government, healthcare and social security sectors.

The coalition agreement further highlights the importance of transparency of public authorities and companies with regard to the data they gather and how those data are used. Security measures, including encryption, should protect governmental databases and prevent entities from obtaining unreasonable access to the private life of a person.

Citizens will also see their rights reinforced based on principles such as control, reasonableness, security, transparency, etc. An interesting principle is the “contextuality principle” according to which data can only be collected and used in the same context as the one in which they were given. Abuse or negligence will be punished in an appropriate manner. During a round table with public authorities, companies and citizens the new government plans to refine and apply the aforementioned principles.

The protection of privacy will be given special attention when enacting legislation, while developing the federal ICT infrastructure and in the context of the digitization of the federal services. As an example, ICT tenders of the federal government will have to include the aspects “cyber security” and “privacy by design”.

Finally, a reform of the Belgian Privacy Commission is announced in order to avoid conflicts of interest between its members and the applicants for authorisations taking into account the increasing use of electronic services by public authorities.

2. Cyber security

Cyber security is a hot topic in Belgium since several recent cases of computer hacking, amongst others in public services. The new government has announced that it will improve cyber security, whilst respecting the fundamental rights and values of a modern society. It also wishes to strive for an optimal protection of critical infrastructures, scientific and economic potential and governmental systems against cyber threats.

Further, a “Belgian Centre for Cyber Security” will be put into operation, which will elaborate a cyber security strategy, play a coordinating role and give policy and general advice.

Finally, it has been announced that resources for police services, intelligence services and the Public Prosecutor with respect to cyber security will be increased.

3. E-commerce, e-invoicing and telecommunications

In the light of European reports highlighting the limited market share of (cross-border) electronic commerce (“e-shopping”), the new government intends to support this sector by creating an independent platform for e-commerce which should address structural handicaps by taking initiatives in several areas which may create obstacles for the full development of electronic commerce, such as issues relating to product safety, online payment solutions, out-of-court dispute settlement possibilities, etc.

Next, the general use of e-invoicing is one of the measures the government wishes to implement in order to reduce the administrative burden for SMEs. With regard to public authorities, the current pilot project will be widened to all departments and starting from 2016 the use of e-invoicing will be mandatory. The government will make sure that suppliers of public authorities will be able to send all their invoices through the same electronic platform, irrespective of whether the receiver is a federal, regional or local authority.

Finally, the government intends to expand the Ethical Code relating to telecommunications to smartphone applications.

***

We will of course further report on any further IT and privacy related initiatives taken by the new Belgian government.

For more information, please contact patrick.van.eecke@dlapiper.com and antoon.dierick@dlapiper.com.

Joint Ownership of Intellectual Property: Complexity That Only a Lawyer Could Love

Posted in Commercial Contracting, Technology and Commercial

Written by Mark Radcliffe

Companies are increasingly working cooperatively to develop technology, particularly software programs. One critical issue is the ownership of the resulting intellectual property in the software programs. This decision is complicated because software programs can be protected by multiple forms of intellectual property rights: copyright (works of authorship, like books and music) and trade secrets (information which is not commonly known and whose confidentiality is protected by the developers) are available for virtually all software programs. In addition, many software programs can be protected by patents (although the company must file with the appropriate national patent office for such protection). During these negotiations, one company frequently proposes “joint ownership” because it has an attractive ring of “fairness”. However, joint ownership of intellectual property has major risks and should only be used after careful consideration of its many disadvantages and careful drafting to deal with the uncertainties raised by joint ownership.

The major problems of joint ownership are:

1. The rights of joint owners vary between different forms of intellectual property. For example, the joint owner of a copyright in the United States has an obligation to share in profits from exploiting the copyright (called a “duty to account”) and not to “decrease” the value of the copyright. On the other hand, the joint owner of a United States patent has no such obligations.

2. The rights of joint owners for the same type of intellectual property, such as copyright, vary in different countries. Each country has its own intellectual property laws and the rights under these laws may vary. For example, the joint owner of a US copyright in a software program can grant a non-exclusive license to third parties without the permission of the other joint owners. However, in France, the consent of all joint owners of a copyright in a software program is required to grant a non-exclusive license.

3. The enforcement of jointly owned intellectual property rights may require participation by other joint owners. For example, all of the joint owners of a United States patent are required to participate in the lawsuit for it to proceed. This problem was recently highlighted in a case in which the University of New Mexico (“UNM”) tried to enforce a patent against Intel Corporation without the participation of its joint owner Sandia Corporation (“Sandia”). Sandia refused to join the lawsuit and there was no agreement in place between UNM and Sandia to require a joint owner to join a lawsuit. The district court dismissed the lawsuit for a lack of standing and the Court of Appeals for the Federal Circuit (“CAFC”) affirmed the dismissal. The CAFC stated: “as a matter of substantive patent law, all co-owners must ordinarily consent to join as plaintiffs in an infringement suit”.

4. The effect of bankruptcy by one of the joint owners is uncertain.

5. Jointly owned patents have special issues: the owners must determine how the patent prosecution will be managed. The prosecution of patents requires fundamental decisions, such as which inventions to protect by patent (instead of keeping them as trade secrets), the countries in which to seek protection and responsibility for payment of the costs of prosecution.

Although many of these issues can be mitigated by appropriate contract provisions, joint ownership is not a simple solution to intellectual property rights ownership. We generally recommend that companies avoid joint ownership of intellectual property rights. Instead, we recommend one company be the owner of the intellectual property rights and grant the other company a very broad royalty-free, non-exclusive worldwide license.

NIST RFI to Solicit Feedback on Cybersecurity Framework Closing: Good Opportunity to Assess Suggestions and Concerns

Posted in Cybersecurity, Privacy and Data Security, Technology and Commercial

Written by Peter McLaughlin

On Friday, October 10th, an opportunity to submit comments on a Request for Information concerning awareness and implementation of the “Framework for Improving Critical Infrastructure Cybersecurity” closes. Companies of all sizes and sectors should pay attention to the resulting conclusions from the National Institute of Standards and Technology (NIST).

While NIST has reiterated the voluntary nature of the Framework, the definition of “critical infrastructure” is sufficiently broad as to cover most industry sectors, ranging from utilities to healthcare and medical devices. There is also a skepticism from the private sector that it will evolve to a de facto standard of care. Most companies should have an interest in monitoring the content of the Framework and particularly the determination of compliance criteria because over time it is likely that the Framework will be deemed a benchmark for security.

The official task of NIST in the context of cybersecurity is for the consolidation and evaluation of standards and practices that are then considered guidance for securing data in the federal government. The Framework was initiated pursuant to an Executive Order with the goal of reducing cyber risks to the country’s infrastructure, and it expands upon NIST’s extensive series of publications regarding data safeguards. By focusing on the nation’s infrastructure, NIST has a broader need to solicit contributions from the private sector as to what approaches are realistic. The recent RFI, then, presented nearly two dozen questions and expressly invited parties to address topics outside the listed questions.

The NIST Framework should be of interest to those across industry sectors in part because of the potential future regulatory consequences. In the absence of broad private sector equivalents, the standards and guidance that NIST produces have increasingly been referenced as a standard of care. That is, if an organization’s security measures diverge from NIST’s “good practices” the firm may need to demonstrate the value or applicability of the variation in order to mitigate criticism, enforcement or liability. This is especially so as state breach notification rules and federal regulators such as the SEC focus on self-reporting of events impacting personal information and proprietary assets.

The topics of liability exclusions and safe harbor mechanisms are outside NIST’s bailiwick, but NIST has included content and questions about how an organization is to be deemed “compliant” with the Framework. NIST has said that discussion on such “conformity assessments” will continue. Companies should pay close attention to both the substantive safeguards and these conformance criteria, as they provide an opportunity for all participants to voice an opinion on the means, carrots and sticks for protecting the country’s critical infrastructure.

Interested parties have until 5 p.m. ET on October 10, 2014, to submit comments, and all comments submitted should be publicly accessible in due course.

Connected Cars – Legal Issues and Hurdles!

Posted in International Privacy, Mobile Privacy, Privacy and Data Security, Technology and Commercial, Telecoms

Written by Giulio Coraggio

October 3, 2014

Connected cars are expected to generate $131.9 billion by 2019 with a compound annual growth rate (CAGR) of 34.7% from 2013 to 2019. But such growth will face legal issues that not only affect data protection matters, but also have an impact on product liability issues, telecom law obligations, security and data loss risks.

Connected cars are the subcategory of the Internet of Things relating to technologies that, for instance, can prevent accidents by detecting other vehicles around the car, or monitor the body condition of the driver to prevent accidents if he feels sick or falls asleep. Likewise, it refers to vehicles with self-parking technologies allowing them to park themselves autonomously, and everyone has been amazed by Google’s driverless car. Also, connected cars can interact not only with the traffic system of our municipalities to find the best route home and an available parking space, but also with your smart home technologies, turning on for instance the heating system when the car is 20 minutes away from home.

This is a massive business not only for car manufacturers and original equipment manufacturers (OEMs), but also for instance for insurance companies that can monitor cars, determine the liability in case of accidents and reduce the risk exposure. But what are the legal issues to be overcome by connected cars?

Data protection law obligations

Given the close interaction between connected cars and their drivers, the data protection issues relevant for connected cars are similar to those previously covered with reference to the Internet of Things and wearable technologies.

Data generated through the usage of connected cars are meant to be “personal data” if linkable to an individual. But the matter is even more complicated with connected cars. Indeed, cars more than other devices can be used by different users. And because of such peculiarity, shall an informed privacy consent to the processing of personal data be given each time the car is turned on? And if the consent is necessary to use some functionalities of the car, will this fall under the exemption to the need for a prior consent, or shall a free consent be ensured in any case, so that consent cannot be made an obligation for using some basic functionalities of the car?

Additionally, how can data generated by connected cars be used? Who is the owner of such data? There are several parties involved in the picture, such as cars’ owners, users, dealers, OEMs and car manufacturers. Who shall have the control of data generated through connected cars? Who is the data controller?

Finally, in the case of non-European car manufacturers, there might be an additional data transfer issue. Once manufacturers want the data collected through connected cars to be transferred outside of the European Union, will they need an additional consent from users or rely on legal tools such as the so-called standard contractual clauses? Will the data transfer be meant to be necessary for the provision of the service in case of purchase of cars from a non-European entity?

The answer to the above has to be given based on the peculiarities of the case, also in the absence of positions from local data protection authorities on the matter, save for the recent opinion of the Article 29 Working Party on the Internet of Things.

Telecom law obligations

I previously covered the telecom law issues affecting the Internet of Things and in relation to connected cars the issue is whether car manufacturers/OEMs fall under the scope of telecom law regulations.

Indeed, if they are meant to be providers of electronic communication services for the purposes of telecom regulations, the issue is whether they need a license/general authorization from telecom authorities. This would trigger the applicability of telecom law obligations that are quite burdensome for an entity that is not a telecom operator. Furthermore, such obligations might be deemed to be disproportionate to the types of data that are transferred.

Also, since most car manufacturers sell their cars globally, will they have to comply with the telecom laws of each country where their cars are sold? The fragmentation of regulations in such a sector might become a major barrier to the growth of such technologies.

These are the issues that the Italian telecom authority, AGCOM, and the UK telecom regulator, OFCOM, are facing as part of the consultations on the Internet of Things and, based on our discussions with them, they will try to adopt measures to overcome these hurdles.

Cybercrime risks

Given the amount of data collected through connected cars, the issue is how such data should be protected against cyber attacks. Also, will this data be stored in the car or just transferred to a cloud database? Which security measures should be implemented to protect connected cars from hackers?

As discussed with reference to the IoT, the answers to these questions cannot always be found in the regulations. The Italian data protection authority in particular has often been quite detailed in prescribing the security measures to be implemented to protect data from unauthorised access. However, the level of security measures to be adopted will also increase with the sensitivity of the data collected through connected cars.

Also, the new EU Privacy Regulation will extend the obligation to notify data breaches to any type of data processing, which will add a further obligation on car manufacturers.

Liability for accidents

Current regulations prescribe that car owners are generally liable for accidents caused by their vehicles and are obliged to put in place insurance coverage. However, in the case of self-driving cars, will there be a liability regime for OEMs? Shall this matter be contractually regulated between the manufacturers and buyers? Will these accidents fall under product liability regulations preventing any limitation?

Additionally, it will be interesting to see what kind of checks and approvals will be required by local authorities before allowing the sale of such cars. And this might be one of the main issues delaying the launch of devices like Google’s driverless car.

The above are just some of the legal issues that can impact connected cars, and many more might arise depending on the technology developed. It will be interesting to see how car manufacturers will face such hurdles. And as usual, feel free to contact me, Giulio Coraggio (giulio.coraggio@dlapiper.com), to discuss or to participate in the consultation. Also follow us on Google+, in our IPTitaly group on LinkedIn and on Twitter.

Mobile apps – increasing privacy transparency is on top of your to-do list!

Posted in Behavioral Advertising, EU Data Protection, International Privacy, Mobile Privacy

Patrick Van Eecke & Elisabeth Verbrugge

As previously announced, the Global Privacy Enforcement Network (GPEN) recently released the results of the global privacy sweep of mobile applications it conducted in May 2014.

More than 25 privacy commissions around the world examined a total of 1,211 mobile apps. The sweep targeted both Apple and Android apps, both free and paid apps, both public and private sector apps, and covered a variety of different types of apps, ranging from games to health apps to banking apps. The privacy commissions’ reviews focused in particular on transparency and consent.

Key findings

GPEN’s key findings include the following:

  • Three quarters of the apps requested at least one permission from their users, usually relating to location, device ID, access to other accounts, camera and contacts;
  • Nearly one third of the apps appeared to request access to information which seemed irrelevant to the functionalities of the app;
  • In almost 60% of the cases, it was difficult to find any privacy related information before installing the app;
  • Over 40% of the apps’ privacy policies were not easily readable on small screens;
  • The majority of apps (85%) fail to provide clear information on the collection, use and disclosure of personal data;
  • The report praises the use of pop-ups, layered information (putting important information up front with links embedded to more details) and just-in-time notification (informing the users of potential collections or uses of information when they are about to happen).

The most popular apps were among those that received the best ratings. This confirms the general conclusion of the sweep: clear, concise privacy language builds consumer trust and is good for business.

Top tips for your mobile apps

The Office of the Privacy Commissioner of Canada, which coordinated the sweep, released ten tips for communicating privacy practices to app users. They can be summarised in the following three commandments:

  • Be transparent

Privacy information should be specific, comprehensible and easily readable. In practice, this implies that rather than providing long legalistic privacy policies, specific notifications should be given at key decision points, e.g. the moment of purchase. Any information should be written in an understandable manner, taking into account the language and level of sophistication of your audience. Also, any information should be presented in a way that takes into account the mobile device context, including smaller screens.

  • Explain the data you are requesting and collecting

Secondly, sufficient information must be given to allow users to make an informed consent decision. Specific information should be given on how the app will use the permissions it seeks. Information should also cover data collected through social media logins such as Facebook, and the manner in which such externally collected data will be used. When asking permission, you should also make sure that you ask permission for all data usage envisaged: permission to access information does not as such imply permission to collect, use or disclose such information.

  • Make, and keep, privacy information accessible

Users should not be left guessing whether and to what extent an app collects personal data. Even if your app does not collect any personal data, the user should be informed of this. You should also avoid users having to exit the app to access privacy information, as this is an unnecessary and cumbersome extra step. It is indeed preferable to make privacy information available via integration with the app’s functions. When using pop-ups or similar mechanisms at key decision points, make sure you do not forget to include a functionality that allows users to re-visit the information after the pop-up is dismissed.

For more information, please contact patrick.van.eecke@dlapiper.com or elisabeth.verbrugge@dlapiper.com

Belgium: Gaming Commission calls for blacklisting of free gambling apps

Posted in Gambling & Gaming

Patrick Van Eecke and Antoon Dierick (DLA Piper, Brussels) discuss the Belgian Gaming Commission’s call for restricting the offering of free gambling apps.

By Patrick Van Eecke and Antoon Dierick

In today’s Belgian national media, the Belgian Gaming Commission (“BGC”) has pleaded to restrict the offering of free gambling applications (“apps”) which allow persons to gamble for free on their mobile device. The Commission for example refers to free blackjack and poker games. According to the Gaming Commission, such free apps lower the bar for persons to participate in paying gambling services, which is deemed problematic in case the operator of the application does not verify the participant’s age. The Commission’s concerns thus seem primarily to be directed towards participation by minors. More specifically, the Commission asks for a blacklist to be adopted containing gambling apps the offering of which is prohibited towards minors, and to agree with the industry on the integration of age verification tools. The BGC thus seems to wish to repeat its already well-known blacklisting efforts, but applied this time to operators offering gambling apps (including several major app stores).

However, the call by the Gaming Commission is noteworthy, as Belgian regulations on games of chance (encompassing traditional casino and arcade games next to betting activities) only apply to games where participants need to make a stake in order to participate. In other words, free games of chance do not fall under the ambit of the Belgian Games of Chance Act. In case the user of the gambling app needs to pay for certain app upgrades, but does not have to make a stake to participate in the game itself, this game will likely not be qualified as a regulated game of chance.

In this sense, taking action against such applications seems to surpass the Commission’s regulatory competences as the Commission is competent only for regulating games of chance falling under the Games of Chance Act. This is probably also why the Commission has publicly appealed to other government institutions (e.g. those competent for the well-being of children) to take initiatives in this respect.

We will of course further report on any further developments on this issue, possibly from government institutions in Belgium or from other stakeholders in the industry.

For more information, please contact patrick.van.eecke@dlapiper.com or antoon.dierick@dlapiper.com

Internet of Things: European privacy recommendations

Posted in EU Data Protection, Mobile Privacy, Privacy and Data Security

By Patrick Van Eecke and Julie De Bruyn

Call it a coincidence or not: exactly one week after the Apple Watch was officially introduced by Apple CEO Tim Cook on 9 September 2014, the European data protection advisory body – Article 29 Data Protection Working Party (‘Working Party 29’) – adopted its Opinion 8/2014 on the Recent Developments on the Internet of Things.

While the Working Party 29 acknowledges the potential of these ‘smart’ devices monitoring and communicating (in) our daily lives, it stresses that the privacy and security challenges generated by this should not be overlooked. The key to support trust and innovation – and to being successful on the market of the Internet of Things – is to keep the individuals concerned informed, free and safe.

So You Think You Have a Point of Sale Terminal Problem?

Posted in Cybersecurity, Privacy and Data Security, Security Breaches, Technology and Commercial

Written by Tara Swaminatha and Aravind Swaminathan

If your company has a Point of Sale (POS) terminal anywhere in its infrastructure, you are no doubt aware from the active media coverage that malware attacks have been plaguing POS systems across the country.

Just within the past week, the New York Times has reported that:

  • Companies are often slow to disclose breaches, often because of the time involved in immediately-required investigations;
  • Congress is beginning to make inquiries of data breach victim companies;
  • Even those companies who have conducted cybersecurity risk assessments still get attacked, often during the course of implementing new solutions to mitigate potential problems and protect their customers’ payment cards or other personal information; and
  • Former employees can be a source of information to the media about your efforts to investigate and secure your POS systems.

No Quick Fix

Even the best intentions, most competent efforts and unlimited budgets cannot fix a problem such as this overnight. These fixes take time, and have become an unavoidable symptom of having POS terminals.

What should your company do?

(1) Launch a cybersecurity risk assessment, if you have not yet done so.

(2) Protect your risk calculations by engaging outside counsel and qualified cybersecurity experts to provide legal risk advice protected by the attorney-client privilege. Keep C-suite executives and Boards of Directors informed. The outside counsel, together with experts, should:

  • educate and advise directors and executives on legal and business risks associated with your company’s particular threats and vulnerabilities;
  • engage a qualified, experienced external cybersecurity team to review technical infrastructure and identify vulnerabilities stratified and prioritized by risk, likelihood of being exploited, and costs and time involved in remedying each one;
  • review operational procedures across a multi-disciplinary team in your company, which are often overlooked and can have the greatest impact on the overall health of your risk profile;
  • help identify the most sensitive categories of information in your organization and develop data governance procedures tailored to your organization to add yet another layer of protection for your most sensitive assets;
  • regularly remind your team members, including from your third-party vendors engaged by counsel, about privilege and confidentiality obligations.

(3) Treat cybersecurity risk assessments and remediation efforts as an iterative process. Constantly review your multi-disciplinary team’s recommendations as they change week by week or day by day. Re-evaluate the spend allocated based on updated information about your risk landscape as the investigation and assessment progresses.

(4) Stay informed about updated regulatory requirements and case law on cybersecurity and privacy. Ensure stakeholders understand these updates and charge them with implementing appropriate changes in their domains.

(5) Recognize that there is no such thing as perfect security, but that there is a tipping point over which your company will move outside the category of high-risk operations and into a safe zone.

(6) Allocate the necessary resources to get the job done – and done well. If your company goes an extra mile in building security policies, procedures and technology that are better than industry standard, you can use your low risk profile as a market differentiator. In addition to reducing litigation and reputational risks, validated strong security will increase customer confidence and loyalty.

(7) Review your insurance policies for adequate coverage to address interim risks. While reputational risk cannot be insured against, insurance can be very valuable in the event of a breach.

In the retail industry in particular, the widespread compromises of Point of Sale terminals resulting in staggering amounts of payment card theft are a hallmark of 2014. A decrease in brand reputation alone is too high a cost to ignore. If your company is – very understandably – not equipped to tackle the daunting task of finding and prioritizing vulnerabilities and choosing the best cybersecurity governance and technical plans, find someone who is.