The maximum amount of time you have to respond as required by HIPAA is 60 days from the time that a breach is discovered. However, time frames may be shorter depending on the laws of your state and other laws that may apply to your company and your data.

You should be concerned about Cyber Risk if you answer “yes” to any of the following:

• Does your business have a website, email account, or social media presence?
• Do you store or keep any of the following?
  • Bank Account Numbers
  • Wiring Instructions
  • Credit Card Numbers
  • Social Security Numbers of Employees And Or Customers
  • Personal Health Information
  • Confidential Information
  • Trade Secrets

A general rule of thumb is to multiply the number of records you have by $200. For example:

5000/records x $200/record = $1,000,000

Maybe. But in most cases, cloud services cap the amount that they will indemnify any one customer. For example, Salesforce will cover you up to what you paid them the past 12 months.

Secondly, if your cloud provider were breached, would your provider be able to afford the cost of reimbursing every customer for every record at $200 a piece? Most likely the answer is no because the cost would be in the 100’s of millions or even in the billions of dollars.

Finally, consider these questions:

• Whom did the customer give their data to? You
• Did they decide where or how to store the data? No.
• Therefore, if it is lost or stolen, whom will the customer come after? You.

Depending on the policy it can cover a range of things like:

• Lawsuits
• PR
• Lost Revenue
• Cost for recreating damaged or lost data
• Government and PCI Fines
• Identity Protection
• Ransom Payments To Gain Control Back Of Your Data, Website, Or Social Media Accounts

It may but usually no or an insignificant amount far less than you will need. Also the exclusions could effectively make your policy worthless depending on the crime.

Do you think they understand technology and do they ask the right questions? The questions they need to be asking are not on the application. They need to know what types of data you have, where the data is located, and what are the most likely ways in which a hacker would gain access and financially gain from your data.