We insure a number of accounting firms. There are a small number of software providers who own the market in providing tax and related software that accounting firms use to assist them in best providing their services.
We were recently advised by one of our CPAs that the software provider they use had suffered a data breach, and that the breach affected 68 of their client records. The software provider had known about this for months and notified all of its customers late. We first determined that coverage existed, and then discussed what to do. Choosing to do nothing means violating state and federal notification regulations and leaving yourself more open to a lawsuit. If you notify, you incur cost. There are insurance policies that cover that cost, and also lawsuits, should affected record holders choose to take that action.
In this smallest of data breach cases, the total first-year cost was $50,804. This included attorney fees to draft proper notification, mailings, and credit monitoring / Experian costs. The last item is the biggest, generally costing about $200 per record; here, although there were only 68 records, there were additional family members on these documents, and they required ongoing credit monitoring as well.
The market for this type of coverage is robust and competitive, and has some overlap with the accountants’ E&O market. Call me to get an assessment and discuss whether there may be worthwhile alternatives, whether you are an accountant or another type of organization.
Ping me on the calendar below and let’s talk. Thank you for reading.
Dan Gilligan, CEO, Paradigm Insurance Services, LLC
Also, should you want to learn more about data breach statistics, search for the Ponemon Institute and/or call me for more information. FYI, below is a summary of the applicable NJ data breach law. Each state has its own, and so does the federal government.
May 13, 2019
Data breach reporting bill signed into law
A bill that amends current law regarding the duty to report data breaches was signed into law by Gov. Phil Murphy on May 10. The new law, P.L.2019, c.95, requires entities that compile or maintain computerized records that include information permitting access to an online account to disclose to consumers any breach of security of that information. Under the former law, businesses and public entities were required to disclose breaches involving personal information such as Social Security numbers; driver’s license numbers; or credit or debit card numbers, in combination with any required security code, access code or password that would permit access to an individual’s financial account. The new law adds user names, email addresses or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account, to the list of breaches requiring disclosure. The law also provides that when a breach of security involves a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information, the business or public entity may provide the notification in electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account. This amended law does not require disclosure of a breach of security to a customer if the business or public entity establishes that misuse of the information is not reasonably possible (e.g., if the data had been encrypted).
The new law will go into effect on Sunday, Sept. 1, 2019.