Defending Data
Data security represents both a new market opportunity to sell insurance coverage and a new risk — especially for independent insurance agencies that are unable to comply with data security laws or that lack plans to protect their own companies from data breaches.
Data security is an evolving issue, and failing to protect data can have a huge financial impact on a company. The average total per-incident cost of a data security breach was $6.65 million, compared to an average per-incident cost of $6.3 million in 2007, according to the “U.S. Cost of Data Breach Study” conducted by data protection company PGP Corp. and information management research firm The Ponemon Institute.
According to the study, data breach incidents cost U.S. companies $202 per compromised customer record in 2008, and companies incur additional costs from abnormal churn in lost customers. More than 84 percent of data breach cases in 2008 involved organizations that had more than one data breach. More than 88 percent of all cases in the study involved insider negligence. Lost business continued to be the most costly effect of a breach, averaging $4.59 million or $139 per record compromised. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007 and 54 percent in 2006.
“U.S. businesses continue to pay dearly for having a data breach,” said Larry Ponemon, chairman and founder of The Ponemon Institute. “As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy.”
Understanding the Exposure
There are many types of data security breaches. Over a five-year period, Kroll Inc., a risk consulting operating unit of Marsh & McLennan Cos. Inc., found that in data security breaches, 4.8 percent occurred in disposal of documents on computers; 1.8 percent occurred with e-mail; 20.8 percent occurred because of hacking; 22.4 percent occurred because of lost, missing or stolen laptops; and 15.3 percent occurred via the Web.
Since January 2005, the Privacy Rights Clearinghouse has identified more than 250 million records of U.S. residents that have been exposed due to security breaches, according to the PGP/Ponemon study.
Data security breaches are often the result of not having the appropriate procedures in place to prevent employee mischief. “Typically, we find that technology people doing the work don’t have security background checks but they’re given access to the systems. So we find that a lot of security breaches are done by insiders,” said Thomas Katona, president and managing member of Apogee Insurance Group. “We don’t do background checks on IT people, but we give them the keys to the castle.”
Prevention Plan
One hurdle to ensuring data security is that a lot of companies don’t understand the exposure, according to Leslie Lamb, global risk and insurance manager for Cisco Systems Inc. “Cyber liability is fairly new, and we’re all fairly vulnerable,” Lamb said. Companies may not have the right protocol in place to prevent data security breaches, and they might not have clear guidelines to handle a breach if one occurs.
It’s important for business owners to get up to speed on how to handle a breach. “If a breach occurs, the ability to respond must be timely,” said Shena Crowe, InfraGard coordinator for the Federal Bureau of Investigation. “Companies only have about 30 days or less.”
“After a breach, a lot of companies don’t know what to do,” said Adam Sills, underwriter for Darwin Professional Underwriters Inc. For instance, companies do not have to send out a notice to customers for every sort of breach — but if they do, that will incur costs. And although it may not be required by law, many consumers expect the company that has had a data breach to offer them credit monitoring, which can be a huge additional cost for a business.
Notification costs $1 to $2 per individual; credit monitoring costs $10 to $20 per person per year, said Nicholas Economidis, an underwriter for Beazley USA. Regulations in 44 states, the District of Columbia, Puerto Rico and the Virgin Islands require that individuals (customers, employees, citizens, students, alumni, etc.) be notified if their confidential or personal data has been lost, stolen, or compromised.
“The costs can go off the wall in terms of remediation when there are secure data claims, and without a contingency plan in place, quite often there is a knee-jerk reaction to how companies deal with claims, how they deal with notifications, how they stop the security breach, and how they remedy how much data was breached,” Apogee Insurance’s Katona said. “Most companies will have a disaster recovery plan, and no contingency plan in place for data security breaches. It is imperative that they do it.”
The top priorities for a company, if a breach occurs, should be to protect its brand, protect its customers and improve its products and security, Sills and Economidis said. Once a company’s reputation is tarnished and customers don’t trust the brand, the result can be the demise of the business.
Business owners have a false sense of security about data breaches, according to a recent national survey of more than 1,500 business leaders conducted by Zogby International on behalf of Identity Theft 911. Nearly two-fifths of those surveyed did not have an incident response plan in place, and one-third did not encrypt customer or employee data.
Culling Through Coverages
Even if business owners are concerned about the risks, they may not be aware of the insurance coverages available to help protect their livelihoods.
“The vast majority of people are not aware that insurance can be bought on the back end. It’s surprising how many don’t know the coverage exists, and that the CGL (commercial general liability policy) and GL (general liability policy) don’t cover electronic data,” said Apogee Insurance’s Katona. Bodily injury and tangible property damage don’t exist with identity theft, he explained.
When seeking coverage for data breaches, security and privacy insurance can provide coverage to help with liability defense costs and damages; notification costs; credit monitoring expenses; and first-party losses. Primary limits available go up to $25 million, and excess limits go up to $150 million or more. Sublimits often apply to notification and credit monitoring, Katona said.
Agents should advise customers to be careful about which insurance coverages they purchase, Sills said. There is no standard application that ISO puts out, so insurance companies take different approaches to which risks they will insure.
“Policies have changed in the past four to five years. A lot of people are now buying coverage because of privacy and for notification costs, which is new,” Sills added. The number of carriers offering coverage also has increased from a handful five years ago to about 25 to 30 carriers today.
“People tend to confuse cyber insurance with data security and data breach insurance,” Katona added. He explained that cyber insurance typically covers what happens with viruses or malicious code, and the damage that occurs when systems are down. Data security coverages are available for almost every component of the business, and are designed to help with notification, crisis management, etc.
Because the technological environment changes rapidly, agents should go over forms carefully with customers because the forms are providing coverage for a moving target, Katona said. “In a form that says, ‘cyberspace activity,’ what does that really mean?” he asked. “The vast majority of old coverages are insufficient or incorrect today, because of new technology.”
Agent Opportunities
This is a great time for independent insurance agents to be selling coverages to help protect their clients.
“A lot of legislation has been passed (in the last few years), and data security breaches have become a main street type exposure,” so clients are a little more aware that a breach could occur, Economidis said. And with the world doing business on the Internet and the presence of Wi-Fi (wireless Internet access), “it’s virtually impossible to secure all of that information,” he said.
“Agents, in a soft market, should be paying attention to the emerging coverages. This is one of those coverages, and one that most of their clients probably do not have,” Katona added. “I think when they talk to their insureds, they will find that they are concerned about it.” Customers often are unaware of rules and regulations — and costs — when a breach occurs, so “it’s a wonderful opportunity for agents and brokers to educate their insureds and sell.”
“Insurance agents and brokers, obviously, capture a lot of information to write coverage for their insureds,” Katona said. The Gramm-Leach-Bliley Act requires companies to have certain security measures in place. For smaller agencies, absorbing the costs of securing doors or having password protection and certain security measures in place can be difficult. But “98 percent of the agents we deal with are not Gramm-Leach compliant,” Katona said. “As a group of insurance agents and brokers, we have a responsibility to protect that data.”