Defending Data

March 23, 2009 by

Data security represents both a new market opportunity to sell insurance coverage and a new risk — especially for independent insurance agencies that may not be compliant with data security laws or have plans to protect their own companies from data breaches.

While data security is an evolving issue, failing to protect data can have a huge financial impact on a company. The average total per-incident cost of a data security breach was $6.65 million, compared to an average per-incident cost of $6.3 million in 2007, according to the “U.S. Cost of Data Breach Study” conducted by data protection company PGP Corp. and information management research firm The Ponemon Institute.

The PGP/Ponemon study indicated that data breach incidents cost U.S. companies $202 per compromised customer record in 2008, meaning that companies incur additional costs with an abnormal churn in lost customers. More than 84 percent of data breach cases in 2008 involved organizations that had more than one data breach. And, more than 88 percent of all cases in the study involved insider negligence. The cost of lost business continued to be the most costly effect of a breach, averaging $4.59 million or $139 per record compromised. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study.

“After four years of conducting this study, one thing remains constant: U.S. businesses continue to pay dearly for having a data breach,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy.”

Understanding the Exposure

There are many types of data security breaches. Over a five-year period, Kroll Inc., a risk consulting operating unit of Marsh & McLennan Companies Inc., found that in data security breaches, 4.8 percent occurred in disposal of documents on computers; 1.8 percent occurred with e-mail; 20.8 percent occurred because of hacking; 22.4 percent occurred because of lost, missing or stolen laptops; and 15.3 percent occurred via the Web.

Since January 2005, the Privacy Rights Clearinghouse has identified more than 250 million records of U.S. residents that have been exposed due to security breaches, according to the PGP/Ponemon study.

Oftentimes, the breaches are a result of not having the appropriate procedures in place to prevent employee mischief. “Typically, we find that technology people doing the work don’t have security background checks but they’re given access to the systems. So we find that a lot of security breaches are done by insiders,” said Thomas Katona, president, managing member of Apogee Insurance Group. “We don’t do background checks on IT people, but we give them the keys to the castle.”

Forming a Prevention Plan

One hurdle to ensuring data security is that many companies don’t understand the exposure, said Leslie Lamb, global risk and insurance manager for Cisco Systems Inc.

“Cyber liability is fairly new, and we’re all fairly vulnerable,” Lamb said. Companies may not have the right protocol in place to prevent breaches, and they might not have clear guidelines to handle a breach if one occurs.

Nevertheless, it’s important for business owners to get up to speed about how to handle a breach. “If a breach occurs, the ability to respond must be timely,” said Shena Crowe, Infragard Coordinator for the Federal Bureau of Investigation. “Companies only have about 30 days or less.”

“After a breach, a lot of companies don’t know what to do,” said Adam Sills, underwriter for Darwin Professional Underwriters Inc. For instance, companies do not have to send out a notice to customers for every sort of breach — but if they do, that will incur costs. And although it may not be required by law, many consumers expect the company that has had a data breach to offer them credit monitoring, which can be a huge additional cost for a business.

Notification costs $1 to $2 per individual; credit monitoring costs $10 to $20 per person per year, said Nicholas Economidis, an underwriter for Beazley USA.

Regulations in 44 states, the District of Columbia, Puerto Rico and the Virgin Islands require that individuals (customers, employees, citizens, students, alumni, etc.) be notified if their confidential or personal data has been lost, stolen or compromised.

“Having a response plan in place can save a lot of money,” Sills said.

“The costs can go off the wall in terms of remediation when there are secure data claims, and without a contingency plan in place, quite often there is a knee-jerk reaction to how companies deal with claims, how they deal with notifications, how they stop the security breach, and how they remedy how much data was breached,” Apogee Insurance’s Katona said. “Most companies will have a disaster recovery plan, and no contingency plan in place for data security breaches. It is imperative that they do it.”

The top priorities for a company, if a breach occurs, should be to protect its brand, protect its customers, and improve its products and security, Sills and Economidis said. Because once a company’s reputation is tarnished and customers don’t trust the brand, it can lead to the demise of the business.

Despite the gravity of the issue, business owners have a false sense of security about data breaches, showed a recent national survey of more than 1,500 business leaders conducted by Zogby International on behalf of Identity Theft 911. In the study, most business owners indicated data breaches were not the highest priority. Nearly two-fifths did not have an incident response plan or outside vendor management procedures in place. Another third did not encrypt customer/employee data that contains personally identifiable information.

Culling Through Coverages

Even if business owners are concerned about the risks, they may not be aware of the insurance coverages available to help protect their livelihoods.

“The vast majority of people are not aware that insurance can be bought on the back end. It’s surprising how many don’t know the coverage exists, and that the CGL (commercial general liability policy) and GL (general liability policy) don’t cover electronic data,” said Apogee Insurance’s Katona. Bodily injury and tangible property damage don’t exist with identity theft, he explained.

When seeking coverage for data breaches, security and privacy insurance can provide coverage to help with liability defense costs and damages; notification costs; credit monitoring expenses; and first-party losses. Primary limits available go up to $25 million, and excess limits go up to $150 million or more. Sublimits often apply or notification credit monitoring, Katona said.

Agents should advise customers to be careful about what coverages they purchase, Sills advised. There is no standard application that ISO puts out, so insurers have different approaches to what risks they will insure.

“Policies have changed in the past four to five years. A lot of people are now buying coverage because of privacy and for notification costs, which is new,” Sills added. The number of carriers offering coverage also has increased from a handful five years ago to about 25 to 30 carriers today.

“People tend to confuse cyber insurance with data security and data breach insurance,” Katona added. He explained that cyber insurance is typically what happens with viruses or malicious code, and there is damage that occurs with systems being down. Data security coverages are available for almost every component of the business, and are designed to help with notification, crisis management, etc.

Because the technological environment changes rapidly, agents should go over forms carefully because they are providing coverage for a moving target, Katona said. “In a form that says, ‘cyberspace activity,’ what does that really mean?” he asked. “The vast majority of old coverages are insufficient or incorrect today, because of new technology.”

Agent Opportunities

While it may be challenging to keep up with evolving technology, it is a great time for independent insurance agents to sell coverages.

“Data security has become a hot topic in the past three or four years. A lot of legislation has been passed, and data security breaches have become a main street type exposure,” so clients are a little more aware that a breach could occur, Economidis said. And with the world doing business on the Internet and the presence of Wi-Fi (wireless Internet access), “it’s virtually impossible to secure all of that information,” he said.

“It isn’t a matter of an exposure might occur, it will occur,” Katona said. “Ninety-eight percent of the time, companies have voids in their secure data information that will expose them, with things like HIPAA (Health Insurance Portability and Accountability Act) information, credit card information and people’s home addresses. … I would guess that 5 percent of the world has coverage for secured data. That’s only a guesstimate, but it’s an enormous market, even for main street businesses that are doing credit card transactions.

“I think agents, in a soft market, should be paying attention to the emerging coverages. This is one of those coverages, and one that most of their clients probably do not have,” Katona added. “I think when they talk to their insureds, they will find that they are concerned about it.”

Customers often are not aware what the rules and regulations are when a breach occurs. They also often are not aware of the costs associated with a breach. “It’s a wonderful opportunity for agents and brokers to educate their insureds and sell,” Katona continued.

Of course, that means agents and brokers must educate themselves. “Our major challenge as an industry right now is educating agents and brokers as to what kind of questions they need to ask their insureds, to get their arms around what kind of information their clients have,” Katona said.

Among questions to consider are:

  • Does the client transacts business over the Internet?
  • Does the client move information to another party over the Internet?
  • What are the underpinnings of the client’s technology?
  • Does the data environment have a firewall?
  • What processes and procedures are in place for things like encryption?
  • What processes and procedures are in place for people accessing company computers?

“Spend time to manuscript coverage to match the client’s exposure,” Cisco’s Lamb said. And above all, agents and brokers should take steps to ensure they’re covered themselves.

“Insurance agents and brokers, obviously, capture a lot of information to write coverage for their insureds,” Katona said. The Gramm-Leach-Bliley Act requires companies to have certain security measures in place. For smaller agencies, absorbing the costs of securing doors or having password protection and certain security measures in place can be difficult. But “98 percent of the agents we deal with are not Gramm-Leach compliant,” Katona said. “As a group of insurance agents and brokers, we have a responsibility to protect that data.”

Web Resource:

More information on state data breach laws is available from the National Conference of State Legislatures at www.ncsl.org/programs/lis/cip/priv/breach.htm.