Cyber Liability - can it affect you personally?

[DebAmstutz]

I was in a CE class at the Big I conference and it was concerned with cyber liability policies on the commercial side of business.  I have been wondering since then about personal cyber liability.  I'm not talking about Facebook stuff, I'm thinking of phones that have people's names, addresses, birth dates (reminders to send birthday cards), and other possible personally identifiable information stored on phones or tablets.  If yours is lost or stolen, is the information on the phone or tablet at risk for being used for identity theft?  People use their phones for work-related purposes all the time.  Who would be liable if that person lost their phone with the business' contacts/information on it?  What about the tablets and laptops kids get from schools to use?  I'm just curious as to who is actually liable for the information on the device.

[Jeff Zylstra]

I was in a CE class at the Big I conference and it was concerned with cyber liability policies on the commercial side of business.  I have been wondering since then about personal cyber liability.  I'm not talking about Facebook stuff, I'm thinking of phones that have people's names, addresses, birth dates (reminders to send birthday cards), and other possible personally identifiable information stored on phones or tablets. 

You need more than just name, address and DOB to have a "breach".  You would need either private health information (this person takes a beta blocker  prescription for has a heart condition), or Social Security number or bank or other account numbers to be released in conjunction with a name and/or address.  Something that would tie a person to that private information.

If yours is lost or stolen, is the information on the phone or tablet at risk for being used for identity theft?  People use their phones for work-related purposes all the time. 

Probably not.  It would take more than just name, address and driver's license number for identity theft.  I could most likely look up where you live on Whitepages.Com and get your phone number as well.  That information would likely be used for "fishing" for more information on you, however.

Who would be liable if that person lost their phone with the business' contacts/information on it?  What about the tablets and laptops kids get from schools to use?  I'm just curious as to who is actually liable for the information on the device.

The business.  If the employee were doing it with the knowledge and consent of the business, I think they're safe.  I even think that their Homeowners and/or Umbrella policy might respond to at least defend them in that case.  Not sure on that one.

[Mark]

Jeff,

I'd argue with some of your comments a little.

From what I recently learned, a policy number is considered an account number.  An account number is considered identifiable information.

A drivers license number IS most undoubtedly protected identifiable information.  It is not PHI (health) but it is PII (possibly excluding states with DL# is public - that I do not know).

Anytime a name is connected to any ONE piece of the data mentioned above, that is when it becomes issue.

Also note that this kind if information is valuable À la carte as criminals will use it to gain or match to the missing data until they have a full identity or whatever else it is they are looking for.

As far as Deb's original question, I do not think a personal device should have any protected customer information on it.  As far as a personal device storing names and birth dates of family and friends - that is an interesting though, though I do not thing regulations can effect an individual like that... unless your family member or friend is also a customer and your phone storing that information is lost and the data is used. 

Edit: Forgot to add that a "breach" is not only related to health information.  Maybe I missed some context before replying to the post?

[Jeff Zylstra]

Jeff,

I'd argue with some of your comments a little.

From what I recently learned, a policy number is considered an account number.  An account number is considered identifiable information.

A drivers license number IS most undoubtedly protected identifiable information.  It is not PHI (health) but it is PII (possibly excluding states with DL# is public - that I do not know).

Anytime a name is connected to any ONE piece of the data mentioned above, that is when it becomes issue.

Also note that this kind if information is valuable À la carte as criminals will use it to gain or match to the missing data until they have a full identity or whatever else it is they are looking for.

As far as Deb's original question, I do not think a personal device should have any protected customer information on it.  As far as a personal device storing names and birth dates of family and friends - that is an interesting though, though I do not thing regulations can effect an individual like that... unless your family member or friend is also a customer and your phone storing that information is lost and the data is used. 

Edit: Forgot to add that a "breach" is not only related to health information.  Maybe I missed some context before replying to the post?

If someone knew your homeowners or auto policy number, what would that be worth to them, and how much damage could they do with it?  I'd argue that a good lawyer could swat that down pretty easily.  A bank or credit card number is more of a gateway bigger and better things, I think.

And although I agree with you about drivers license numbers, at least our city and state does not consider to be private.  I got a parking ticket about a year ago, and they printed my name, address, driver's license number and VIN on the ticket!  Our rating system will even "calculate" an accurate drivers license number of you know the full name and date of birth!  Apparently it is some kind of mathematical algorithm.   I agree that a DL number is a gateway to other information that can be used to steal identities, etc....  And having the VIN number can help a slick car thief make a key for your car. 

[Mark]

I'm not saying someone could do damage with your policy number at all.  What I learned on Tuesday is that, as far as regulations are concerned, a policy number is an account number and account numbers are protected.

Drivers license numbers are calculated based on an algorithm, yes, but the algorithm requires your birth date.  You can take a Wisconsin drivers license number and calculate the birthday from it as well.  That can be used to prove a fake ID!  Bouncers usually know this (good ones at least). 

There was something in the news about parking tickets containing drivers license numbers and privacy, too.  Might have been Wisconsin, I can't remember.

[Jeff Zylstra]

I'm not saying someone could do damage with your policy number at all.  What I learned on Tuesday is that, as far as regulations are concerned, a policy number is an account number and account numbers are protected.

Drivers license numbers are calculated based on an algorithm, yes, but the algorithm requires your birth date.  You can take a Wisconsin drivers license number and calculate the birthday from it as well.  That can be used to prove a fake ID!  Bouncers usually know this (good ones at least). 

There was something in the news about parking tickets containing drivers license numbers and privacy, too.  Might have been Wisconsin, I can't remember.

That's entirely possible, but that doesn't scare me nearly as much as something that has dollar amount damages at risk like health information, bank accounts, etc....   I've come to the saturation stage where I can't worry about or protect from every single silly government regulation, so I try to address the ones that are most important and most likely at risk, and tend to give short shrift to the more esoteric regulations.  I probably shouldn't be that way, but there's only so many hours in a day.