The right to privacy is well established in the legal system of the United States. As citizens of the United States, we expect that our right to privacy will be respected.
Virtually all businesses gather personal information about employees and customers that is private. For example, most camps gather names, addresses, social security numbers, phone numbers, driver's license numbers, driving history, dates of birth, financial information (bank account numbers, debit or credit card numbers, and security codes), personal images, e-mail addresses, and medical history.
Protecting this personal, private information has always been an obligation of the businesses that gather it. When the information was stored in paper format in file cabinets, protecting the privacy of customers and employees' personal information was easier than it is today.
Laws in the U.S. hold individuals and businesses responsible for the following types of invasion of privacy:
- Public disclosure of private facts
- Appropriation — the unauthorized use of a person's likeness or name
- Publicizing information that places a person in a false light
- Physical or electronic invasion of privacy
Complicating these basic legal issues are various state and federal laws protecting individuals' privacy. Examples of federal laws affecting privacy rights include, Fair Credit Reporting Act (FCRA), Drivers Privacy Protection Act of 1994 (DPPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Children's Online Privacy Protection Act of 1998 (COPPA), among others.
On top of these and other federal laws are a host of state laws addressing similar and other privacy issues. The proliferations of these laws create a compliance risk for camps, which mandates that camp directors/risk managers revisit the first step in the risk management process with respect to privacy — risk identification.
Managing the legal issues surrounding privacy became more complicated with the advent of notification laws. Forty-seven states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted laws that require public, private, or governmental entities to notify people when the security surrounding their personal information has been compromised. A breach of privacy is not limited to a compromise of computer systems or records.
A breach could also occur if paper files were stolen, or if a laptop were stolen from your office in a burglary. The individual notification laws vary from state to state, and it is not just a matter of complying with the law of the state in which your camp is located. If your camp business has customers across the country, then compliance with the laws of each state where your camper families reside is required.
Electronic Procedures Review
When personal information was in paper format a camp director might have had locking file cabinets, a deadbolt lock on the office door, and maybe even a burglar alarm as part of the protocol to protect customer and employee personal information.
The conversion of our paper files to electronic format and the growing dependence on computerized systems to conduct business has created another world of risk that is changing so rapidly that immediate, coordinated action is required.
Review the integrity of your camp computer network(s) at your winter office and at camp. Is your network wired or wireless? Are firewalls in place? If you are using a wireless router, has the password been changed? Often the passwords that are in place when the device is installed are a simple series of numbers or letters that could be easily discovered by someone seeking entry into your computer network.
Are passwords required on workstations? Are the passwords changed every 90 days? Do you instruct staff not to post passwords on monitors to reduce the risk of unauthorized use of the workstation by other staff? Are complex passwords required with upper and lowercase letters, numbers, and symbols? Are antivirus and malware protection installed on every desktop and laptop computer accessing the camp servers? Are regular back-up procedures in place?
Is staff instructed not to click on links from unknown persons? Are they trained to identify suspicious e-mail that might sneak through junk mail filters? Is your operating system secure? Is there a process that automatically updates the operating system and other vital operating software with the latest security patches and upgrades? Is encryption software in place that can be integrated with e-mail when communicating about personal information? Are your third-party credit card vendors in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS)?
A recent Verizon 2014 PCI Compliance Report indicated that 88.9 percent of businesses failed to maintain ongoing compliance with the standards (Bender, 2014).
Risk Management is a Good Start
Risk management procedure and good practice is the first line of defense against these rapidly mutating privacy risks. The second line of defense is diligence. Ultimately, the risk is changing so rapidly that risk management practice is finding it difficult to keep pace. Under these circumstances, consider transferring the remaining privacy and cyber liability/ electronic risks to an insurance company through the purchase of a cyber liability insurance policy.
Are these Risks Real?
Are these risks real for small and medium-sized businesses like camps? Aren't bigger companies the ones at risk?
The facts show that companies of all sizes are at risk when it comes to the theft or loss of customer and employee personal information. Following are some examples of real claims involving camps:
The username and password required to enter the sports camp's central database was left affixed to a sticky note on a monitor in the camp's front office. A camper who wandered into the empty office during lunch used this information to gain access to the personal information of camp guests, parents, and athletic counselors, and then posted the sensitive information in an online chat room. A class-action lawsuit was filed on behalf of the affected families against the camp for failure to protect their private information.
A violation of privacy in this manner would most likely not be insured under the camp's commercial general liability policy. Protection for the breach of security and publishing of the personal information in a chat room is most likely to be covered by a Cyber Liability insurance policy.
Privacy Notification Expense
The personal information of 3,500 campers and parents from across the U.S. was unintentionally distributed in an e-mail attachment. To comply with each state's laws governing notification, significant costs were incurred by the camp to notify and provide credit monitoring for each of the affected families. Privacy notification expense provides coverage to address first-party expenses to comply with privacy law notification requirement.
Notification expense costs following a breach of security and the loss of personal information are running about $188 per person on average. In this case, notification expense alone would cost the camp $658,000! What would this do to your camp budget? Insurance to handle these notification expenses is available in a Cyber Liability insurance policy.
Network Security Liability
A part-time student counselor was able to gain access to the camp's administrative computer system via a temporary password. Disgruntled over her inability to gain permanent employment and the director's decision not to renew her summer position, the counselor engineered a virus designed to wipe out the camp's entire database of guests, potential guests, and employees. The virus caused a significant delay in marketing mailings, invoicing, and payroll distribution.
Causes of Loss/Claims
According to the NetDiligence 2013 Cyber Liability & Data Breach Insurance Claims Study, following are the percentage of claims by cause of loss (2013):
As soon as you are able, take the time to identify the privacy risks at your camp. Consider a legal audit to help ensure you are not overlooking risk. Review how your camp gathers personal information. Evaluate your network systems and procedures for protecting your customers, prospective customers, employees, and other stakeholders' personal information. Change practices and upgrade systems' hardware and software as needed. Review the decisions and protocols regularly to ensure up-to-date risk management practices are in place.
Bender, H. (2014). Overwhelming majority fail to meet compliance standard. Retrieved from www.propertycasualty360.com.
National Underwriter. (2014, March). NetDiligence 2013 cyber liability & data breach insurance claims study, pp. 28.
Edward A. Schirick, CPCU, CIC, CRM, is senior vice president at Schirick & Associates Insurance Brokers, a division of Bollinger Inc. in Short Hills, New Jersey, where he specializes in arranging insurance coverage and offering risk management advice for camps. Schirick is a chartered property casualty underwriter, a certified insurance counselor, and a certified risk manager. He can be reached at 877.794.3113. Visit www.campinsurancepro.com.
Originally published in the 2014 September/October Camping Magazine.