Grasping for Green

By Shawn Dougherty March 17, 2014

Shawn DoughertyWillie Sutton, the infamous 20th century criminal, was once asked why he robbed banks. He replied simply, “Because that’s where the money is.”

In hindsight, it seems like such a simple idea and could explain, in part, why so many people now hack into company computer systems with the intent to steal data. Today, that’s where the money is.

For many technically skilled, albeit ill-willed, individuals, access to this treasure trove of valuable data is the low-hanging fruit for easy picking.

A data breach can come in many forms. It might occur through unauthorized access to a corporate retail payment processing system, as experienced by Target in 2013, or perhaps through stolen computer equipment, as experienced by California insurer Health Net in 2011. As a result of those data breaches, personally identifiable information (PII) and protected health information (PHI) of millions of people was exposed. Once obtained, this type of data can be made available for sale to the highest bidder on the cyber black market.

Hackers might also seek unlawful financial gain through the use of software such as CryptoLocker, a new type of ransomware that locks up and prevents access to a firm’s important computer files until a ransom is paid (see my February 24, 2014, post).

But it’s not only PII and PHI that companies need to worry about. Their own corporate intellectual property (IP) and trade secrets can be at risk as well and accessed by unauthorized intruders.

Last week, former Secretary of the U.S. Department of Homeland Security Tom Ridge stated in a keynote address that cyber crime will be an exposure that will challenge us for generations to come. This is certainly a foreboding warning, and, given the state of affairs today concerning the collection of PII and PHI by many businesses and the ease of electronic access, it’s one that’s difficult to disagree with.

Unlike St. Patrick, who, according to legend, banished all the snakes from Ireland, we may never be able to totally eradicate computer hackers. Companies need to do all they can now to protect themselves against unauthorized access to data they possess. Steps they can take include:

  • Ensure that computer systems are maintained with up-to-date software and firewalls
  • Train employees how to safeguard data and what steps to take if they suspect a data breach
  • Implement risk management procedures to minimize exposure to data loss
  • Invest in adequate cyber insurance protection

Though prophesied for several years, the “cyber hurricane” — what you might consider a catastrophic cloud-based data breach on a national scale — has not yet materialized. Nevertheless, many smaller cyber events are showing the warning signs.

Hackers are demonstrating that they’re vigilant, becoming more creative in their techniques and doing what they can to access computer systems and illicitly gain “green.” Don’t let your data be their pot at the end of the rainbow. Do what you can to protect your data.

Lá fhéile Pádraig sona dhaoibh! (Happy St. Patrick’s Day!)

If you would like to learn about cyber-liability insurance, feel free to e-mail me at sdougherty@iso.com. Also, make sure to follow me on Twitter @doughertyshawn.

Stay tuned for the next blog post in our Cyber Monday Series.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.