Data breaches spark new forms of insurance coverage
The spiralling number of high-visibility data breaches has prompted some insurers to offer innovative coverage aimed at helping businesses cope with network and privacy breach liabilities. The question is: Will they buy it? Dugie Standeford reports.


News Story by Dugie Standeford

When news of the TJX Companies data security breach broke in January, Texas law firm Scott & Scott LLP took the opportunity to remind businesses that “there is no such thing as a completely secure network”. Instead, it warned, companies must put proactive processes and controls in place to “minimise the risks of legal liability and damage to the corporate brand as a result of a data security breach”.

Alongside the usual litany of technical and administrative security measures, the firm recommended that businesses explore network security insurance coverage on offer by “forward-looking” providers. Although it is a new form of insurance, a range of coverage is available, including inside job, service provider, employee claimant, regulatory and third-party handling, says partner Robert J. Scott of the software compliance practice group.

The average costs associated with a data intrusion can exceed $10 million in expenses, services to customers and legal fees, Scott says – not to mention the incalculable costs of harm to the corporate brand. Since 2005, US businesses and government agencies have seen more than 100 million consumers compromised because of lost or stolen data, at an estimated cost per person of $180. Insurance can “go a long way towards helping to mitigate these costs”, Scott says.

But traditional insurance is not designed to cover the specific damages corporate security failures cause, such as protection for privacy-related risks, the financial impact of complying with breach notification laws, or issues related to government data compliance regulations that penalise firms that cannot effectively defend their information, Scott says.

PRIVACY AND NETWORK SECURITY COVERAGE MERGING
When the internet took off around five years ago, the business community awoke to the fact that it had exposures not covered by traditional insurance, says Nancy Callahan, Vice-President of the American International Group, Inc. (AIG) identity theft and fraud division. Recognising that commerce had moved online, AIG pioneered “cyberliability” and network security insurance to protect the new electronic dependencies between companies. Those years also saw the evolution of ID theft from the consumer perspective, and AIG created new coverage for that as well.

Since then, consumer concerns over ID theft and business network security fears have merged, Callahan says.

Some 35 US states have enacted data breach notification laws to help consumers better manage risk, but the business community is just coming to grips with the consequences of mandatory notification, she says. There is also a growing belief that companies should help consumers manage the threat of ID theft. And firms are coming to realise they could be subject to oversight from state attorneys-general as well as to civil liability from lawsuits.

In response, AIG developed a suite of products aimed at companies that hold personal information on customers and staff. “Security and privacy insurance” policies address consequences of data breaches arising, for example, from stolen laptops or thieving employees as well as from technological or system risks that compromise personal information, Callahan says. There is a policy for small and mid-size enterprises and one for larger companies or those with more complex information management issues. Limits range from up to $5,000,000 for the former to as high as $25,000,000 for the latter.

Both policies pay for claims arising from data breach, legal fees from regulatory actions, and crisis management costs – lawyers, public relations consultants, notification costs and customer access to credit counsellors.

INDUSTRY SLOW TO ADOPT
The highly-monitored financial and health industries were the first to buy into such coverage, Callahan says: “The interest follows where the regulatory actions have taken place.” Now, the emergence of state and, possibly, federal breach notification laws and the Federal Trade Commission’s beefed-up anti-ID theft activities are driving takeup of the policies among other sectors. Firms at the heart of the information society – websites, portals, e-commerce firms and the like – are also more likely purchasers, she says. However, AIG’s products are not currently available in Europe.

“In the privacy area, takeup is still in growth stages,” Callahan says. The coverage is still viewed as a “discretionary buy”.

“Executives are embracing this with more fervour than in years past,” says Scott, but they continue to take reactive, rather than proactive steps to protect their enterprises. He adds: “As we continue to see more advanced attacks on corporate networks, such as the recent T.J. Maxx incident, I think businesses will begin to take advantage of the insurance options being made available to them.”