Threatpost reports that Pinterest – the popular pin board social media site – released information about an old vulnerability that it fixed months ago. The flaw would have exposed user account information, but Pinterest's staff was able to patch it before any cyber criminals could break in and make headlines.
Pinterest's user account information is safe from prying eyes. In the security world, non-news is the best news of all.
What Can IT Professionals Learn from the Hack-that-Wasn't?
Why are we talking about a data breach that didn't happen? This story offers some important reminders for IT professionals:
- Security flaws happen all the time. In fact, Pinterest has paid for 47 bug bounties over the last year.
- Data breaches are only a small piece of the puzzle. The 2015 Verizon Data Breach Investigations Report shows that there are 37 times as many security incidents as there are data breaches.
- Prevention is important, as is repair and response. IT professionals need to be ready to repair and respond to security incidents quickly. After Pinterest was alerted to the breach, it took programmers two weeks to patch it.
- Security routines should become a regular habit. Your clients might think of a security as a set-it-and-forget thing, but it's more like fitness – something they need to keep up with regularly.
- Security risks are unavoidable. IT consultants should have a plan to deal with the cost of breaches.
While Pinterest handled this security incident well, IT professionals should never forget that data breach prevention is a 24/7 responsibility. Far too many companies don't take this responsibility seriously enough. Furthermore, smaller clients probably won't have the resources to set up bug bounty programs or invest in other security testing, which means that upkeep falls on the shoulders of its IT contractors and staff.
As you know from following our blog, you can be sued over your clients' data breaches. Let's look at how you can cover your business from the cost of data breaches and client lawsuits.
What Are Your E&O / Data Breach Insurance Options?
To understand your IT insurance options, we'll need to look at your data breach liabilities:
- First-party cyber liability– a data breach or security incident on your own computers, devices, or network.
- Third-party cyber liability– a data breach or security incident on your client's computers, devices, or network.
First party breaches may be covered by Cyber Liability Insurance. Also called Data Breach Insurance, this policy may help pay for many of the costs of the data breach response, including notification, investigation, and identity theft protection.
Professional Liability Insurance (aka Errors and Omissions Insurance) may cover lawsuits over third-party breaches – those on your clients' technology. After a breach or security incident, a client might sue– placing the blame for the failed IT on you. When that happens, E&O may cover your lawsuit expenses, lawyer fees, and the financial restitution you owe your clients.
By having these policies together, you'll have coverage for many of your data breach costs regardless of whether the breach happens on your own computers or your clients. With that said, every IT professional has different liabilities. The best way to know which coverage makes sense for you is to talk with an insurance agent who knows data liability.
It's important to remember that your client's data security risks are tied to your own. As we covered in "Yes, Your Client's Data Breach Could Get You Sued," breaches and lawsuits are beginning to go hand in hand. Make sure your IT consulting business has a plan to cover its lawsuit risk.
