Do you have an action plan in place in the event one of your company’s email accounts is hacked? A recent incident with a Midwest-based title and settlement agent is prompting us to alert our clients to this issue.
The particular company had several email addresses that handled a large number of files, for example, firstname.lastname@example.org. Unbeknownst to the title company’s tech team and their third-party managed service provider, this email address had been hacked. Every time an email was sent from this account, a BCC (blind carbon copy) was also sent to an out-of-network email address. For several months, all the closing and banking information sent from the main account was also sent to an unsecured, unknown account. Once the title company discovered this breach, they were required, by state law, to notify each person whose information was unknowingly sent to this unsecured email address. This notice was required for everyone in the company’s database who could have been affected, whether or not the leaked information had been used, and had to be completed within 30 days of the data breach being discovered. The title company never found out who received the unsecured emails, or whether the responsible parties ever made any attempt to profit from the stolen information.
The cost for these required notifications is $336 per person/record, on average, for the financial services industry and $274 per record for the generic services industry (according to the 2017 Cost of Data Breach Study by Ponemon Institute). Bear in mind that, for any given closing, there can be at least two persons/records affected, and more if multiple buyers and sellers are involved. This particular title agency paid more than $50,000 to notify all the potentially affected parties. You should also be aware that, in addition to notification by mail, many states require that a free credit-monitoring service be made available to the affected parties for a specific period of time.
Is your title company prepared to pay an expense of this size out of your savings or operating account? If the answer is no, you should consider purchasing insurance coverage for this type of risk. Contact me, or another member of the Merriam team, to learn about the options available to protect you.