When it comes to your customer and business data, who can you trust? There is no question that it is safer to store data offsite than to keep it on your premises. Most businesses lack the capital to privately store data at an alternate location, so they depend on third-party data storage companies.
A cannabis dispensary found out the hard way that third-party data storage isn’t always the safest bet. The dispensary contracted their data storage needs through MJ Freeway, a compliance solutions provider that offers point of sale and data storage.
Here’s What Happened
In November 2016, MJ Freeway experienced several outages. In January 2017, a cyber attack was discovered, and the ensuing investigation into the attack revealed that confidential client data had been breached in November 2016. In November 2017, MJ Freeway notified customers via email and an online press release that the data breach had occurred.
It took MJ Freeway nearly a year to notify their customers of this breach. In that time, the data may have been disseminated to other parties, though it is unclear whether that has occurred.
Why This Is A Problem
In the event of a data breach, most states and the federal government require that consumers be notified “as soon as possible,” and usually no more than 60 days after the discovery of said breach. Regulations may also stipulate that if a breach is in excess of $250,000 or exceeds 500,000 customers, website posting and media notification may be used.
So this raises the question: was the data breach that large, or was the notification of customers made too late, or both?
Who REALLY Stores Your Data?
What do you know about your third-party storage company? Where do they store your data, and how much can they store? How much insurance do they have to protect them in the event of a data breach? Does that insurance indemnify your business, or did you sign those rights away in your storage contract?
Data Storage Company’s Dirty Little Secret
What many data storage companies don’t tell you is that they aren’t really the ones storing your data. These companies, especially niche companies, farm out data storage to a company with deep pockets, someone like Google or Amazon.
Is that good news? Well, it depends. Google and Amazon may have the financial resources to handle a large cyber liability claim, but it’s a good bet you and your customers will never see a dime of it. The contract your data storage company signed with them likely waives any and all rights to protection or coverage in the event of a data breach.
Will your data storage company tell you that? Probably not.
The news gets even worse: you probably signed that user agreement without reading it, and missed the part where YOU waived any and all rights to protection or coverage from your storage company in the event of a data breach.
How You Can Protect Yourself
You probably thought you could avoid purchasing cyber liability insurance by hiring a third-party data storage company. Unfortunately, this isn’t the case.
Your data storage company likely won’t protect or indemnify you or your customers in the event of a breach, so that will fall on you. In most cases, there is no coverage under your General Liability policy.
A Cyber Liability policy is your best bet to protect yourself and your company against data breaches. This policy will provide both legal representation and financial indemnity in the event of a breach, as well as pay for costs associated with notification, credit monitoring, forensic analysis and more.
Talk to your Hayes Broker to discuss the need for cyber liability, limits of coverage and more. Even if your data is stored by a third party, this coverage is still crucial for protecting your business.