Data breaches expose businesses while highlighting need for coverage

October 8, 2007

New data compromise coverage helps businesses respond when data loss occurs

The breach of personal data stored in business files and computers is a serious risk for any company that controls the information. Customers and employees may become the victims of identity theft and fraud. With so many incidents of data loss being reported, companies are looking for solutions that include new insurance protection.

All companies are responsible for personal information. Even a small business may have data on a large number of customers, clients and vendors. That information can be lost, stolen, or inadvertently disclosed. But the result is the same — anxious victims, unexpected business costs and damage to a company’s brand and reputation.

Laptop thefts increase risks
The breach of personal information is a serious problem in the United States. In the past two years alone, data breaches have affected approximately 100 million Americans, a consumer watch group reports. Some people may have been affected more than once and not all of them were victims of identity fraud, of course, but the growing number of data losses points out the continuing exposure to consumers and businesses.

Personal data may be stolen from physical records, or obtained by fraud such as the sale of information to a sham company. It might be hacked from computers, mistakenly released or published, even posted to a Web site. A key factor in many of the recent high-profile data breaches has been the theft or loss of laptop computers. In fact, about a quarter of all reported data breaches may involve missing laptops.

It’s not surprising since laptops are a target of thieves. CyberAngel Security Solutions, a national security technology firm, reports that 10 percent of all laptops are stolen in the first 12 months and 90 percent of those computers are never recovered. Half of U.S. companies had laptops stolen in the last year and almost 60 percent of all corporate crimes are linked to stolen laptops.

Data breaches spur new laws
To fight identity theft, 35 states have passed laws that require businesses to respond to the breach of personal information under their control. Federal legislation is pending. Most of the laws require businesses to warn victims about potential ID theft and fraud. In many cases, the warning must be issued within days and include the news media. Businesses may have to pay to monitor personal credit.

Even without a legal requirement, consumer sentiment is pressuring businesses to take responsibility to safeguard personal information. They want victims to be notified and informed about the scope of the damage. They also demand the company provide personal assistance including identity restoration case management when a data breach occurs.

A data breach can seriously harm the brand and image of a business. Although it can be expensive to notify and assist victims of a data breach, the risk of not notifying people affected can be far worse. In today’s environment, a business that experiences a data breach must protect itself from both the risk to its reputation and the cost of providing services to those exposed to identity theft and fraud.

Data compromise coverage offers protection
A new insurance product — data compromise coverage — is starting to appear in the market. This commercial lines coverage addresses the issue of data breaches by helping a business or institution respond. This is important, since ID Analytics’ National Data Breach Analysis found that early notification of breached personal information may significantly lower the rate of misuse. The findings suggest that breach notification could serve as a deterrent to ID fraud.

Several forms now available
At this time, there are a few data compromise coverage forms being offered. At least one monoline form appears aimed at large accounts, and at least one packaged form is designed for middle-market and Main Street accounts. One of these combines first- and third-party coverages and one is first-party only.

With corporate managers citing data breaches as their No. 1 concern in a recent poll, data compromise should be an area of further development and innovation in the coming months.

Smaller companies can be vulnerable
Small businesses can find it most difficult to respond to the breach of personal information. Yet it is particularly challenging to offer broad and affordable coverage for smaller businesses. Unlike larger companies, they may not have the knowledge, staff and resources to inform and protect potential victims. Smaller businesses might not recover as easily from the extra expense and bad publicity. They should look for data compromise coverage that will arrange and pay for:

  • The cost of notifying individuals;
  • Legal reviews and forensic information technology services;
  • Personal services for eligible insureds such as a help line, credit checks, and case managers for the victims of ID fraud.

Treating claim data carefully
Data compromise coverage raises sensitive issues for insurance professionals as well. One is the extreme sensitivity of claim data. How will a claim be adjusted? How much information do you need? The personal information of potential identity theft victims can’t simply be faxed and dropped inside an inbox. It requires special handling and careful security procedures so that insurers are part of the solution, and not the problem.

Another issue is for the insurance industry to take action so that we are not fooled ourselves. It can and does happen that insurance companies issue policies to people who are not who they claim to be. Worse yet, insurers may issue claim payments to imposters. Identity verification is not always easy, but our industry must take steps to protect personal information and prevent claim-related identity fraud.

Insurance professionals can help
It is difficult enough just to keep up with developments. As technology continues to advance, personal information becomes increasingly exposed and new coverage options for data breaches are evolving. The pain of being an identity theft victim is driving public reaction to data breach incidents. The insurance industry can help by taking good care of the data in its own control, offering high-quality services to ID theft victims, and developing new insurance programs for data breach exposures.

Mark MacGougan, vice president for new strategic products with The Hartford Steam Boiler Inspection and Insurance Co., manages the company’s identity recovery and data compromise programs. The identity recovery program designs and reinsures homeowners and business coverage for other property/casualty carriers so they can include identity recovery services and identity theft insurance in their policies. The data compromise program reinsures coverage included in the small business policies of other carriers to help commercial policyholders respond to the loss, theft or public disclosure of personal information for which they are responsible.