McGowanPRO Professional Liability Blog / Resources / Articles

As an insurance agent we deal with applications every single day, yet, when I have to fill one out, I have the same reaction as my insured’s, “I hate applications”.

However there are times when an application is a good thing, like a cyber-application.

The cyber application is designed to ask risk management questions that hopefully provide some insight on cyber exposures.

For example: How often do you change passwords?

The majority of answers is anywhere from 90 days to once a year by most applicants.

So what is the best answer? Monthly

We all get careless with passwords and we are never sure if they have fallen into the wrongs hands.

Changing passwords monthly insures a better risk management landscape it also makes employees responsible for managing their passwords and not used as afterthought.

The main reason for not changing passwords is “I have so many” and “I can never remember them” however in reality this is more consistent with passwords that you may only use once in a while. To help safeguard your business network, passwords should be used every time you log on. One common error when choosing passwords is the employee uses the same login as their personal bank account or Amazon account.

This now puts the business at risk when any other of their personal accounts are hacked and the hacker goes phishing for other easy computer systems connected to that individual.

Let’s look at a recent case of password hacking. Employee Alice, Facebook account was taken over without her knowledge and they used this information to gain access to her Amazon account where her credit card information was stored. Alice’s G-mail account was the next hacking opportunity using personal information they were able guess her password using a combination of personal information and birth date.

Alice had several work e-mails in her personal account so they now went after her work e-mail, the first password used on her employer system was her Gmail account password and instantly they are now in the company’s server.

Hackers know that people re-use or use one password for many applications (log-ins). With Alice’s work e-mail account accessible a series of e-mails were sent pretending to be Alice to capture additional confidential information. Think about a co-worker sending e-mail requesting information that appears to be a legitimate e-mail, most of us would respond. In this case human resources was sent e-mail asking for her personal banking information, explaining that her direct deposit account was hacked and she need to change the account prior to the next pay period.

Fortunately there was no theft of funds and the HR person called Alice and the jig was up. However that was not the end of the story for Alice’s company. The company was concerned that their data may have been compromised and brought in an outside forensic IT company to ascertain any data breaches. Calls were also made to their attorney to review if this was a reportable event to state regulatory agencies.

All company passwords were changed and remote access from outside employees was shut off. It was several long days before the business was back to normal. Although the company escaped any real threat, there were still significant costs incurred not including lost employee time and production.

Alice was able to notify all her credit cards and banking relationships and re-establish her social media accounts. Hundreds of fake e-mails were sent posing as herself to friends and family and several months later she is still monitoring all of her accounts closely.

The moral of the story, employers need to carefully monitor passwords. Passwords should have all of the following attributes:*

• At least 10 characters long

• A mix of lower case, upper case, and non-alphabetic characters and numbers

• No words found in the dictionary (English or a foreign language)

• No more than two consecutive characters

• No common names, terms

• No simple pattern

In conclusion: changing passwords every 30 days helps mitigate potential access. Establishing rules against employees using work passwords for personal use is strictly prohibited. Training employees to protect and secure passwords is one way to try and avoid hacking incidents. So when the cyber applications asks the question how often do you change passwords, and the first answer is 30 days, consider reflecting on the answer from a risk prospective position.

*Taken form the Cyber and Data Security Handbook written by Eric Hess, July of 2015 for NAPLIA

With an increase in Cyber exposures and cyber claims against CPA firms, CPAs need to be aware of the strategies to minimize these risks and ensure that the strategies are legal. There are both national and international laws governing the ways in which firms combat cyber exposures. The article below explains the added exposures that may result from not knowing the laws. 

http://www.forbes.com/sites/jodywestby/2012/11/29/caution-active-response-to-cyber-attacks-has-high-risk 

Personal information can exist in either a physical or electronic form. Regardless of the form in which the information exists, the standard of protection remains, only the implementation of that protection changes.

Physical Information

Physical copies of personal information can be easily protected by simply storing the information in a locked storage area. This area can be anything from a filing cabinet to a safe to a third party storage facility. So long as access to the information is limited to properly trained employees, any of these forms of locked storage should be sufficient.

See more about File Retention Policy

Electronic Information

The storage and security of electronic personal information can be more complicated than the storage of physical personal information. The implementation of an electronic storage system can vary widely depending on the size of a company or firm, and the amount of information that must be secured. At a minimum, the WISP (Written Information Security Plan) must cover authentication protocols, including the use of user IDs and passwords and their security; secure and restricted access to the personal information records; the encryption of the electronic records; and the monitoring of the implemented systems.

Many electronic file systems and operating systems have a built-in function for the creation and maintenance of a user ID and password system. For larger firms and companies, a more robust system may be needed and can be found through third-party vendors.

Encrypted storage and transmission of personal electronic information can be implemented in many ways. Many manufacturers now sell USB drives and external hard drives with built-in encryption systems. For the encryption of current drives and file systems there are numerous programs available for purchase and comparable free programs as well.

State Security Breach Notification Laws

It is essential to be familiar with your particular State’s Security Breach Notification Law.  At this time, 46 States have unique Security Breach Laws in place.  NAPLIA provides you with a summary of each State Security Breach Law identifying:

• Date law was enacted
• Definition of Personal Information by State
• Notification Requirements
• Penalties
• Links to full State Statutes, and Laws

One of NAPLIA’s long-term clients recently received a competitive quote from another agency for their accountant’s professional liability insurance. The quote was $170.00 lower than their existing premium. Despite a discussion with the client regarding policy differences and the benefits of their existing program, the insured elected to go for the minimal premium savings.

They stated they were comfortable with the new agent’s representation of the coverage “being equal”.

Two months into the policy, one of the accountant’s laptops, which contained confidential client information, was stolen from their office. The theft occurred over a weekend and was not discovered until Monday morning.

The accountant called his new agent and was informed that there was coverage in place, but to a limited extent. The agent provided the accountant with the carrier’s toll free hotline to get additional information and support. The additional information amounted to a single piece of advice; secure local legal representation, at the accountant’s expense, to determine the extent of the security breach.

At a loss, our former client remembered the discussion with our office regarding Identity Theft coverage and called our office.

Although no longer a client, NAPLIA was able to assist the accountant with the following:

• NAPLIA provided the accountant with their specific state’s security breach laws.
• Upon review of the relevant state security breach law, NAPLIA determined that under the relevant circumstances, they were only required to notify any client whose personal information was not encrypted in a reasonable manner. 
• NAPLIA provided a sample security breach letter that the accountant could use to send to these clients.
• NAPLIA provided the accountant free access to our Attorney / CPA to assist him with additional questions.
• NAPLIA explained the difference between “first party” and “third party” liability relevant to a client data breach.
• NAPLIA reviewed their current policy and determined their first party coverage was limited to $1,000.

In hindsight, the accountant requested that we review the difference in coverage between the policy they had with NAPLIA and their new policy.

The policy they left with NAPLIA provided $25,000 for first party Cyber Liability in comparison to the $1,000 with their new policy.

The accountant had moved their coverage to save $170, and within two months realized that NAPLIA’s resources and service alone negated the premium savings. In addition, the new policy was not “equal” to their previous coverage leaving them with significant exposures.

The moral of this real story is to understand that not all polices are the same and coverage does indeed matter more than premium savings.

Many accounting firms have been receiving emails that reference their possible involvement in unlawful income tax activity and include the AICPA logo.  The AICPA has confirmed these emails are not from their office.  They further confirmed that after an extensive check, they are confident their systems have not been compromised.

These emails may be received by CPA’s, non-CPA’s, and members of the general public.

If you receive one of these emails do not open the attachments as they may contain viruses.  For more information, visit the AICPA website