If you'd like to discuss this or other risk issues, please set up an appointment with my Calendly link.
In the first post in this series, I argued that a cyber incident is an extinction-level event for a small to medium-sized professional service firm. The second post explained why: professional service firms use confidential client information, stored in electronic format. The unauthorized release of this information harms clients, who then sue the service providers.
The ISO cyber policy defines the primary way for the data to be released as a “security breach,” which is:
“… the acquisition of “personal information” held within a “computer system” or in non-electronic format while in the care, custody or control of the “insured” or “authorized third party” by a person:
a. Not authorized to have access to such information, or
b. Authorized to have access to such information but whose access results in the unauthorized disclosure of such information.”
Please see the previous post for a discussion of personal information.
“Care, custody, or control” is a legal term of art referencing bailment, which occurs when one person or entity entrusts their property to another. The law imposes a duty of care on the property-holding party while the property is in their “care, custody, or control.” This duty of care applies to professional service firms who hold client data.
The ISO policy defines a “third party” as “any entity that you engage under the terms of a written contract to perform services for you.” This definition encompasses cloud computing providers and the contracts with them, which is another potential area of vulnerability.
According to the ISO definition, covered property can be held in electronic or non-electronic format. This data is then wrongfully acquired in one of the two ways listed in the definition: by a person who is not authorized to access it, or by an authorized person whose access results in an unauthorized disclosure.
The method of unauthorized access is unimportant. The definition’s breadth allows it to apply to new and as-yet-unknown threats.
Key to this situation is that confidential information leaves the service firm’s “care, custody, or control.” It then goes to a third party who is not authorized to access it. This transfer will cause irreparable harm to the service firm’s client, who will then sue for damages.
The Law Office of Hale Stewart
734A E. 29th Street
Houston, Texas 77009