New York Towns Weigh Cyberinsurance Options

Unlike the preventative approach of information technology security systems, cyberinsurance is designed to help protect municipalities from the costs associated with a data breach.

(TNS) -- Northport, N.Y., officials are reviewing an insurance policy that would protect the village from the financial fallout of cyberattacks -- putting them at the threshold of a new trend for local governments.

The policy would help cover "the expense of meeting our obligations to the people and entities whose information may have been compromised and any of the liabilities having to do with that," trustee Henry Tobin said.

Cyberinsurance is a relatively new product for insurance companies, and unlike the preventative approach of information technology security systems, it is designed to help protect municipalities and businesses from the costs associated with a data breach.

Tobin said cybersecurity insurance would complement the village's IT security system, which is charged with protection or recovery of data and freeing up computer systems under attack.

It's unclear how many municipalities on Long Island have seized on cybersecurity coverage. Islip officials said the town has a policy covering cyberattacks, but Huntington, Babylon and Oyster Bay do not have specific coverage.

Towns statewide have been increasingly interested in what cyberinsurance can offer, particularly in the past year, Sarah Brancatella, an attorney for the New York State Association of Towns, wrote in an email.

"Municipal records hold a wealth of personal information, and data breaches can occur in a variety of ways -- it can be as simple as a virus unwittingly being transmitted through a thumb drive/outside drive, email, social network, cloud storage data, etc.," she said.

Northport has no specific timeline for purchasing a policy, but Tobin said, "we would like it done as quickly as we can."

In January 2014, a hacker gained control of documents and files in the Northport Police Department. When officials tried to open the files, a message would appear demanding a $700 ransom to release the data. No charges were brought in the case. "Unfortunately, this is something new," Northport Police Chief Eric Bruckenthal said. "We have to protect our zeros and ones."

In that case, the department had to wipe computer systems and restore the information from an off-site server that is constantly backed up, said Brian Bratchi, president of Brentwood-based B&L PC Solutions, which handles the village police department's IT security.

That hack was resolved in a matter of hours and didn't result in costs that an insurance plan would have covered, but it has made the issue more real for Northport officials.

"We're going to . . . evaluate our exposure so we can better understand what kind of policy we need," trustee Ian Milligan said. "We're a relatively small-risk entity, but we still have to look into it."

New York's technology law requires municipalities to adopt policies or a local law regarding notification requirements when a computerized data breach occurs.

In the case of a breach affecting hundreds -- or even thousands -- of residents' information, the cost of notifying everyone affected and paying to monitor their credit data to avoid identity theft could add up significantly, said Cynthia Augello, a partner at Garden City-based Cullen and Dykman, who consults with clients on commercial litigation. Augello said municipalities have been slower to purchase cyberinsurance policies than businesses.

"A lot of the small-town municipalities are thinking, 'It can't happen to me,' or they don't necessarily have the budget in place to do what they need to," she said.

©2015 Newsday, Distributed by Tribune Content Agency, LLC.