Not all data breaches are acts of nefarious players
On Saturday, July 22, 2017, The New York Times ran a story on a “Trove of Confidential Data” that was accidentally released by an attorney working for Wells Fargo. The data set is enormous: it is estimated to contain financial information for “at least 50,000 individual customers” of Wells Fargo Advisors, including client names, taxpayer identification numbers, investment information, dollar values of investments, and so on.
The manner in which this data was “exposed” may be the most interesting part of the whole story, and it highlights the fact that data breaches are not always the work of nefarious underworld criminals. In its simplest telling, a subpoena relating to a defamation lawsuit against Wells Fargo was supposed to yield selected emails and documents directly related to the case. Instead, an outside lawyer defending Wells forwarded a compact disc (CD) holding 1.4 gigabytes of data, which included the confidential information mentioned above as well as “copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them.” Obviously this was a significant error on the part of the lawyer and the law firm defending Wells, but it points to a problem that we all face in professional life today. We accumulate and hold tremendous amounts of private data on our networks, computers and devices. In many cases it is our own data, but as this story shows, some of that data belongs to others, and when it belongs to a client like a financial institution, our duty to safeguard it is heightened.
This breach was obviously a mistake, but it was made by a trained professional who presumably understands how confidential information should be handled. The point I want to make is that if it could happen to this attorney, it could happen to anyone. Perhaps not on this scale, but all the same, it can happen to anyone.
To take this a step further: an accidental release of data on this scale implicates a great many state and federal privacy laws. With 50,000 customers affected, it is safe to assume that all 50 states will be involved, which only adds to the complexity of compliance. On top of that, some of these customers were foreign, which will trigger another set of overseas regulations that are often stricter than U.S. statutes.
At the very least the bank faces an expensive notification process; at worst it has further damaged its corporate reputation with the general public. If your name or personal data had been released, how would you feel about Wells right now? No amount of insurance can repair that damage.
And the law firm that accidentally released the data will be facing significant legal and reputational damages of its own. The average cost of breach notification is estimated at roughly $200 per record, so notifying 50,000 affected customers will be in the ballpark of $10 million. Do you think this firm carries cyber insurance limits that high? Probably not; who would ever have anticipated that exposure?
Summary: Professional service firms handle and store large amounts of private data, some of it their own and much of it belonging to others. While that data is in your possession you have a duty to protect and safeguard it. The potential liabilities for breaching that duty are significant and should be weighed when deciding what limits of liability to purchase for Cyber Liability insurance. One million dollars of cover is wholly insufficient in today’s world.
Would you like a second opinion on your protection plan? Give us a call and see if we might be a good fit for your business.