Archive for the ‘Commercial Insurance’ Category.

Cloudy with a chance of data loss

Give it up, ladies and gentlemen, for the marketing genius who coined the term “cloud” as a euphemism for remote server.

Who doesn’t want to be on a cloud? They’re so carefree, so fluffy and heavenly. No one on a cloud worries about bad motherboards, backups, hackers or hard drive failures. You just pull down data from the ether all day and never think twice.

I’ve met scores of small-business owners who fervently believe in this myth. Because they’re on the cloud, they assume data security is no issue or, at worst, someone else’s problem.

And plenty of cloud-service providers are content to perpetuate this fantasy in the name of sales. This will change when plaintiffs’ attorneys hit enough of them with damage claims of misrepresentation. But that’s a post for another day.

The essential question every customer should ask his or her cloud provider is simply this: Will you indemnify me for any or all costs associated with a breach of security involving data that I’ve entrusted to your care?

I’ve asked cloud providers this question. The answer boils down to one word: no. And I admit that it’s probably an unfair question. I only ask it to illustrate an ugly reality, which is that the cloud is a very hazy place in terms of your rights and the cloud provider’s responsibilities relative to data security and the fallout from a privacy breach.

If your business collects personal data from its customers, such as addresses, driver’s license numbers, account numbers and such, Florida law (and every other state but one) says you must notify each individual if you reasonably believe the security of their data has been compromised.

The law is designed to help consumers protect themselves from identity theft but it’s a nightmare for the business involved because it’s the business that bears ultimate responsibility for the breach, not the cloud provider. And that’s especially true in the eyes of the customer whose identity is now at risk.

Obviously, if it’s your business reputation on the line as a result of a privacy breach, you’re going to act as swiftly and effectively as possible to limit damage and clean up the mess. Your cloud provider, however, might have other priorities, bigger clients to worry about and even different laws to obey, depending on the location of its servers.

Does your cloud provider’s service agreement specify your rights and its responsibilities relative to hacker intrusions against servers that contain your customers’ data?

Does it specify in which jurisdiction your data will be housed and whose laws will apply? Does it mention data encryption schemes and hiring practices? Does it limit or identify which administrators have access to servers? Does it mandate timely investigation of breaches and allow access to its servers by independent IT investigators?

Does your cloud provider’s service agreement leave you, your business and your customers in a fog of doubt about what is supposed to happen when the security of your remote data is compromised?

If so, I suggest you revisit the agreement with a good lawyer and make a list of revisions that your current cloud provider will either accept or leave for its replacement to accept. If you don’t know, I suggest you find the agreement, read it, rinse and repeat.

Do I Need Business Interruption Insurance?

I wish I heard this question more often: Do I need business interruption insurance?

The answer is simple: No, unless you can’t afford to lose all your key employees, go indefinitely without income, pay all your ongoing expenses when your business isn’t making any money and go out of business as you wait for repair or reconstruction of your business premises. Otherwise, the answer is yes, you do need business interruption insurance.

Business interruption insurance (also known as business income insurance) is a form of property insurance. In this case, we’re referring to the property more affectionately known as your business revenues and expenses. As a concept this type of insurance is pretty straightforward. The main idea is to provide money for net income and ongoing expenses when your business can’t, usually because some form of covered loss makes it impossible.

For example, let’s say you operate a candle shop. One morning that temp you hired for the holidays moves a cinnamon-apple pillar candle beneath a silk bamboo plant that catches fire, which spreads to a nearby tapestry and quickly converts your entire business to a wax works before you can say, “Did someone burn an apple pie in here?”

Fortunately, your property insurance will pay to replace the tapestry, the silk bamboo plant, your inventory of candles as well as the cost of needed repairs and reconstruction. Your liability insurance will pay for incidental damage to nearby persons and property. But you’re still looking at an extended period of time during which you have no source of revenue to make your monthly loan installment, pay utility bills, equipment leases, your own salary and other expenses that don’t go away just because your business is down. That’s where business interruption insurance comes in.

Where all of this gets confusing, even for insurance representatives, is where you decide how much business interruption insurance you need. The answer really depends on your business financials. In fact, you might even want to consult a CPA before you decide. But the limit of coverage and the deductible are always expressed both in terms of time and money. For example, you could purchase a quarter of your annual qualified expenses to be paid over a period of 90 days with a deductible of three days.

Most insurance reps will carefully avoid suggesting or speculating about whether any given limit of coverage is “enough.” First, unless they’ve seen your books, they really don’t know. Second, plaintiffs’ lawyers make their bones on mistakes like that. What we can do is provide you with a worksheet that’s designed to help you separate qualified expenses from costs that don’t continue, such as non-essential services and payroll.

Here’s another question: Do I need business interruption insurance in Florida? The answer is the same. Yes, but if your property insurance does not cover losses caused by wind and hail (also known as hurricane coverage) your business interruption insurance won’t either. In other words, you get exactly nada if a Cat 3 forces you out of business for a while. Keep that in mind when your representative asks about “ex-wind” property insurance.

Keep this in mind, too. Business interruption insurance kicks in when your business premises go down, as a result of a covered cause of loss, and take your business with them. What happens if your business premises aren’t damaged but access is severely restricted or denied to a point where the material effect on your business is the same? For example, let’s say a flood cuts off all the roads to your shop. In that case, you will want to have made sure your policy included so-called civil authority coverage and ingress/egress coverage.

Be sure to ask your representative for details. And while you’re at it, ask about extra-expense insurance, too. This is especially true for service businesses, such as dentists and lawyers, which can operate from a different location as they wait for their original premises to come back on line. Extra-expense coverage pays the costs of relocating to a temporary location.

Give me a call (727-916-7429) if I can help. Meantime, keep those candles away from the silk plants, please.

Sue the bastards

I’ll be blunt. There’s no excuse for this crap anymore.

And I don’t mean data theft. No, I’m referring to the very last paragraph.

“Almost three-quarters of the executives said they were already sharing or intending to share patient data for clinical studies, post-market surveillance of drugs or the development of new programs, while less than half had addressed privacy and security issues, the report found.”

Setting aside for the moment the federal law (see HIPAA Security Rule) that bloody well requires healthcare businesses and their partners to “address privacy and security issues,” what makes these executives think that it’s acceptable to ignore data security?

If you’re too callous, too busy bean counting, or just too oblivious to protect my personal data by 2011, I say you’re just plain negligent. And I say you right well deserve a very bad day when the court rules for the identity-fraud victims who sued your ass. I hope the judge trebles the damages as an example to your peers.

This is 2011, not 2001. There’s nothing new about data theft or identity fraud. In the last two years alone, according to the U.S. Department of Health and Human Services, more than 11 million people have had their medical data exposed. And it’s not like you have to go hunting to read about them.

If you ask me, any healthcare executive who ignores data security in this decade is no better than a coal company executive who ignores pollution laws or workplace safety rules. People are going to get hurt as a result and those executives damn well should be held to account for it.

And as long as I’m spitting fire, and you continue to read it, I’ll go you one better.

Any healthcare company CEO who hasn’t ordered up an analysis of data-risk exposure, implemented best practices to mitigate it and quantified the residual risk to determine whether insurance is required, probably deserves to lose his job for negligently exposing his customers and his investors to unnecessary risk.
