We insure a number of accounting firms. There are a small number of software providers who own the market in providing tax and related software that accounting firms use to assist them in best providing their services.
We were recently advised by one of our CPAs that the software provider they use had experienced a data breach, and that the breach affected 68 of their client records. The software provider had known about this for months and advised all of their customers late. We first determined that coverage existed, and then discussed what to do. Choosing to do nothing means that you violate state and federal regulation regarding notification and make yourself more readily open to a lawsuit. If you notify, you incur cost. There are insurance policies to cover the cost, and also lawsuits, should affected record holders choose to take that action.
In this smallest of data breach cases, the total cost was $50,804 in the first year. This included attorney fees to draft proper notification, mailings, and credit monitoring / Experian costs. The last part is the biggest, generally costing about $200 per record, and here, although there were only 68 records, there were additional family members on these documents, and they required ongoing credit monitoring also.
The market for this type of coverage is robust and competitive, and has some overlap with the accountants’ E&O market. Call me to get an assessment and discuss whether there may be worthwhile alternatives, whether you are an accountant or other type of organization.
Also, should you want to learn more about data breach stats, google Ponemon Institute and/or call me for more information. FYI, below is a summary of the applicable NJ data breach law. Each state has their own and so does the federal government.
May 13, 2019
Data breach reporting bill signed into law
A bill that amends current law in regards to the duty to report data breaches was signed into law by Gov. Phil Murphy on May 10. The new law, P.L.2019, c.95., requires entities that compile or maintain computerized records that include information permitting access to an online account to disclose to consumers any breach of security of the information.
Under the former law, businesses and public entities are required to disclose breaches involving personal information such as Social Security numbers; driver’s license numbers; or credit or debit card numbers, in combination with any required security code, access code or password that would permit access to an individual’s financial account. The new law adds user names, email addresses or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account, to the list of breaches requiring disclosure.
The law also provides that when a breach of security involves a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information, the business or public entity may provide the notification in electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account.
This amended law does not require disclosure of a breach of security to a customer if the business or public entity establishes that misuse of the information is not reasonably possible (i.e., if the data had been encrypted). The new law will go into effect on Sunday, Sept. 1, 2019.
What would you do if you were sued by a person who wasn’t able to access your website? What would you do if you were advised in the lawsuit that this person’s inability to access your website is due to his being blind? Yep, we got this claim in to our office, and our client was simply flabbergasted and dumbfounded, not to mention thoroughly upset.
As always, we first scoured the insurance program that we had structured to make a coverage determination. Whether or not the underwriter intended to cover this circumstance, or had even known about this exposure, for this insured this is a covered claim.
We had counsel assigned, and in talking with the attorney, I learned that he is aware of over 600 similar plaintiff actions, with the plaintiffs’ position being that the same type of standard applicable under the ADA (Americans with Disabilities Act), which requires certain physical accommodations, should also apply to websites. The intent is to force website operators to add on software that provides audio to their website. Also, of the more than 600 actions so far, there is no specific type of industry targeted as defendants.
What to do:
1. Assess your current program for coverage relating to this issue.
2. Consider actually making your website accessible, and a statement on your website stating that you are in that process may allow you to avoid being a target of this, or put you in an improved legal position should you not be so fortunate.
We can help on both items. Unfortunately, and as a reminder, just because you don’t want or are unable to serve this plaintiff market is not a defense.
Cool story: an industrious man made a good buck and at the beginning of the 20th century bought a piece of land on an island in the Finger Lakes reachable only by boat, and on which there was a small community of the similarly newly successful.
The big house went up and was enjoyed by him and his family. And the question he chose to face was how to keep this going? You pass it down and who wants to sell it, who doesn’t want to pay upkeep, and the gift to your family becomes a magnet that serves to repel instead of attract.
Being a thinker, he foresaw this, and purchased a life insurance policy on him and his wife, payable to the upkeep and taxes of the island house, and life insurance premium payments for the immediate heirs. This has gone on for over 100 years, and everybody still gathers at the island home, and he gave his family space to thrive and appreciate.
If you plan, things can be made to work out in an elegant manner. There are variations of this, and a number of ways in which life insurance can be applicable to elegantly facilitating business scenarios, along the lines of this Finger Lakes story.
Following is the email that we received from our insured reporting a fraudulent cyber-crime claim. With changes to provide anonymity, this is the notification that we received advising as to what happened:
Hello Dan,
We have initiated a fraudulent wire on 9/26/2019 for Euro 40,977 equivalent to $48,902.42.
Here are the complete details of how it happened:
Johanson Craneger, email address: email@example.com from Covatel Global sent an email to our account manager Sue Sykes email address: firstname.lastname@example.org on 09/05/2019 inquiring about their outstanding balance of Euro 40,977. To which Sue Sykes replied by email on 09/05/2019.
On 09/06/2019 Sue Sykes received an email reply from Johanson Craneger, email address: email@example.com – this is the fraudulent email as the domain name is spelled ovationbmcm.com instead of ovationbmc.com, and this fraudulent person is informing Sue Sykes in the email that their bank account information has changed. To which Sue Sykes replied back by email on 09/06/2019 asking him to send the updated bank information and she will work to send the payment there. To which the fraudulent person replied on 09/07/2019 with fraudulent bank account details in the name of Covatel Global. Then the fraudulent person inquired about the payment on 09/11/2019 and 09/18/2019.
On 09/18/2019 James Franks from Lonnectron email address: firstname.lastname@example.org replied back to the fraudulent person that he should direct all communications to Mark Zimmerman from Lonnectron email address: email@example.com regarding payment inquiry. To which the fraudulent person replied on 09/19/2019 once again with fraudulent bank account details in the name of Covatel Global BMC to Sue Sykes, James Franks, Louis Fallon and Mark Zimmerman. (Attached is the complete email trail in the first attachment)
On 09/24/2019 Mark Zimmerman from Lonnectron sent an email wire request to Lucy Gonzalez to initiate the wire for Euro 40,977 to the fraudulent bank account. (Attached is the wire request email in the second attachment)
On 09/26/2019 Lucy Gonzalez from Lonnectron initiated the wire in the amount of Euro 40,977 to the fraudulent bank account. (Attached is the wire confirmation in the third email)
We need to file this insurance claim for $48,902.42 and get this money from insurance. Please let me know if you need any more explanations or supporting documents. Thank you for your help.
Thank you,
Mark
This is an example of one basic technique used by bad actors to commit crime by use of computers and networks. The market for coverage for these and other cyber acts is robust and competitive, and we are considering such a policy to be a usual part of an insurance program. Please call and we can get this taken care of correctly and expeditiously.
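The report above turns on a one-character domain change (ovationbmcm.com for ovationbmc.com). As an added example, not part of the original post, this Python check flags inbound senders whose domain sits within a small edit distance of a vendor domain you already deal with; the allowlist, the threshold and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: domains of vendors you already pay (hypothetical allowlist).
KNOWN_VENDOR_DOMAINS = {"ovationbmc.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(from_header, known=KNOWN_VENDOR_DOMAINS, max_dist=2):
    """Return ('known' | 'lookalike' | 'unknown', matched vendor domain or None)."""
    dom = sender_domain(from_header)
    if dom in known:
        return ("known", dom)
    for vendor in sorted(known):
        if 0 < edit_distance(dom, vendor) <= max_dist:
            return ("lookalike", vendor)
    return ("unknown", None)

# Constructed sample headers; local parts and the last sender are invented.
THREAD = [
    ("09/05/2019", "Vendor AR <ar@ovationbmc.com>"),
    ("09/06/2019", "Vendor AR <ar@ovationbmcm.com>"),
    ("09/07/2019", "Vendor AR <ar@OvationBMCM.com>"),
    ("09/18/2019", "Newsletter <news@example.net>"),
]

def flag_thread(thread):
    """Messages whose sender domain imitates, but is not, a known vendor."""
    return [(d, h) for d, h in thread if classify(h)[0] == "lookalike"]

if __name__ == "__main__":
    for date, header in flag_thread(THREAD):
        print(f"{date}: hold bank-detail changes, lookalike sender {header}")
```

A hit is a reason to confirm any change of bank details through a phone number already on file before a wire request is raised.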