Data breaches can cost a company both money and customers. Some businesses are protecting themselves with special liability policies.
Cyber thieves are notoriously cunning, smart and industrious. Think of the good they could do if they'd focus on world peace or curing cancer.
Instead, 77 million PlayStation customers learned in April that hackers stole their personal and financial information from Sony Corp.'s videogame network. A few days later, 24 million customers found out their data was stolen from Sony's Online Entertainment division's servers.
There's more. A lot more.
In May, 210,000 Citibank customers had their names, account numbers and contact information exposed. Michaels Stores was a victim of PIN pad tampering at 80 stores in 20 states, including Ohio, compromising customer credit and debit card data. And in December, Ohio State University alerted 760,000 individuals that hackers had infiltrated a server that stored personal information.
From 2005 through July 2011, 2,625 known data breaches affecting more than 535 million personal identifiable information (PII) records occurred, according to the Privacy Rights Clearinghouse.
"It's so easy to lose data today. Hackers are ever present. Employees and vendors are negligent. Portable devices are lost or stolen. A computer malfunctions. Whatever the cause, data security breaches definitely cause businesses a big headache," says attorney J. Kevin Cogan, a partner at Jones Day.
"A loss impacts the company's balance sheet, not to mention the damage to your reputation. Even with great effort to plug the holes, sometimes you can't imagine the next creative way your system will be infiltrated," says Andrew Mehrhoff of Britton-Gallagher & Associates Inc.
The growing frequency and ingenuity of data security breaches has caused a sharp increase in companies seeking cyber liability insurance. These policies cover the security risks and costs associated with the Internet, information technology (IT) networks, onsite and third-party data storage systems, computers and portable devices.
"Businesses absolutely have to have this coverage if they collect, store or transmit data in any way. And today, what company doesn't have, at a minimum, employee data, health insurance data and customer data? All that's PII, so every company has exposure. Why wouldn't you transfer that risk?" says Ken Goldstein, vice president of the Chubb Group of Insurance Companies, who's based in Connecticut.
"Companies can't outsource their liability, even if they outsource some of their IT functions. The fact of the matter is that financial harm and bad press go to the company where the breach occurred," Mehrhoff says.
Ponemon Institute research, sponsored by Symantec Corp., found that the average organizational cost of a data breach totaled $7.2 million in 2010, up 7 percent from $6.8 million in 2009. On average, U.S. companies paid $214 for each compromised record in 2010.
Lose 50,000 PII records? 500,000 records? 10 million? Do the math. The price tag can be overwhelming.
Wise companies acknowledge and actively address the pitfalls that accompany the benefits of technology. Doing so could help a business survive the devastating financial, regulatory and competitive impact of a data security breach.
The Ponemon Institute found that 31 percent of American data security breaches were caused by malicious and criminal attacks, at a cost of $318 per compromised record. System failure accounted for 36 percent of breaches ($210 per record), while negligence caused 41 percent of breaches ($196 per record).
Despite the omnipresent threat of attacks, 73 percent of companies don't have cyber liability insurance, according to a 2011 survey by Towers Watson, a global professional services firm.
That could be a costly omission.
"Most businesses carry a commercial general liability policy [CGL] and a commercial property-casualty policy. The problem is that those two policies leave a big gap in data and cyber coverage," Cogan says.
"CGL policies were never intended to cover cyber breaches, so any cyber-related claims or liability fall through the cracks," says John Walker, senior vice president of Willis of Ohio Inc.
The media spotlight may come from PII security breaches at large companies, but small firms are vulnerable, too. "We're talking to our Main Street clients about it, because one breach easily could take them out. Insurance is there for catastrophic risk, and more businesses of all sizes see this as a catastrophic exposure," Walker says.
"Big guys buy the protection, because they have the most to lose. Small and medium-size companies are becoming targets, because the bad guys know they don't have the same level of IT security as larger companies," says William Kientz, owner of Kientz Risk Management.
"Small businesses think hackers are targeting only big firms. That's not true. A hacker wants to get his hands on credit card numbers. If he can get hundreds of them easily instead of thousands, he will," Mehrhoff says.
And while email addresses currently aren't considered PII in the same manner as Social Security numbers or financial data, compromised email addresses are a concern.
About 2,500 companies rely on the Dallas-based firm Epsilon to email customers on their behalf. On March 30, the names and emails of 20 of Epsilon's clients were hacked. Among the affected clients: JPMorgan Chase & Company, Kroger and Walgreens.
"At first, people thought it didn't matter. Spam filters weed out fake addresses, but now that hacker has real email addresses with real full names to phish for personal information, with a good chance of getting a response. The email recipients have every reason to believe the email was legitimate," says Thomas Srail, senior vice president of Willis Executive Risks in Cleveland.
About four in 10 recipients will open such an email and one in 10 will respond, according to the Center for Strategic and International Studies. For the hacker who scores 10,000 email addresses, that means 1,000 phishing victims.
The cyber risk policy application process closely scrutinizes the business.
"The insurer wants to see how well your data is protected, so you'll be asked about your security procedures. You'll go through an independent audit that reviews your data, how it's stored, access to it, security policies and the vendors the company uses. The audit usually identifies IT gaps to be plugged," says Carl Bara, commercial line specialist with Thomas-Fenner-Woods Agency.
Cyber risk premiums vary widely based on a company's industry, revenue, nature of the data, number of records, number of financial transactions, internal IT controls and policies, as well as a review of the company's IT partners.
The Towers Watson survey found that of the 27 percent of businesses that carried cyber liability policies, the median amount of coverage was $10 million. "Make sure the limits are sufficient to cover the number of records you currently house. As your database grows, revisit your policy to make sure it's still adequate," Bara says.
Cyber policies tend to be modular. "Companies may not need to buy all of the types of cyber coverage that's available, and the carrier may not be willing to offer all of it to you," Mehrhoff says.
Once a breach occurs, it's much tougher to get coverage. "It won't cover past breaches. Cyber security is a claims made policy, meaning it must be in force when the loss occurs and the claim is made," Bara says.
Cyber risk policies cover "first party" liability that occurs when the firm's own information is breached. "First party issues impact who sustained the breach, which is the actual business. If you have a breach, you want first party coverage to pay for the notification expenses and credit monitoring for the people whose data is compromised," Cogan says.
"The company is hit with first party privacy breach expenses right away, such as mandatory credit monitoring, the cost of a call center for consumers to call in and accept the monitoring, forensic IT experts to investigate the breach and crisis PR costs," Srail says.
"Coverage also can cover reward fees to find the bad actors that hacked the system. It's a specific amount that pays for leads that result in arrests," Goldstein says.
First party coverage can encompass expenses related to e-vandalism, so damaged data and defaced websites can be restored. It also can include threats of extortion. "Say you learn that someone has hacked into your employee database and is demanding to be paid or they'll harm the data. The policy covers the cost of negotiation and ransom," Goldstein says.
Third party liability occurs when a company fails to protect the information of its business partners. "Your company's negligence caused trouble for me. That's the basis of third party liability lawsuits," Kientz says.
For example, third party coverage can kick in when credit and debit account numbers are compromised. "The credit card networks and banks bear the costs of reissuing credit cards. Instead of eating all of those costs, they're filing liability claims against the breached company to help recover some of those costs," Srail says.
Thirty party policies also can include system-to-system issues, such as virus transmission. "If a virus is implanted into your system and then you unknowingly transmit it to your customers or website users, you're liable for that," Goldstein says.
Content liability resulting from copyright infringement on a company website and social networking sites can be insured against, too.
Legal and Regulatory Requirements
Current federal law requires only health-care providers and financial institutions to notify victims of data security breaches. Legislation may change that, however.
"Several current proposals would broaden the federal definition of personal information and the notification requirements," says attorney Craig Hoffman, an associate at Baker Hostetler.
Ohio is among 46 states with their own notification procedures. "After a breach, the laws that apply are in the state or states where the affected people are. If you do business across the country, you potentially have 46 different state regulations to comply with," Srail says.
Enacted in 2006, Ohio's law applies to individuals, businesses and not-for-profit entities that conduct business in the state and collect or maintain electronic PII about Ohio residents. It also applies to those who do business with governmental entities.
Ohio defines PII as an individual's first name or first initial plus last name in combination with a Social Security number, a driver's license number or state identification card number, or an account number or credit/debit card number with the necessary access code. The law isn't triggered if the PII is encrypted.
"If the owner of PII of an Ohio resident learns that their electronic information was accessed without permission, they must notify the resident within 45 days of the breach," Hoffman says.
If a breach resulted in compromised PII, all affected Ohio residents must be notified, generally by mail or telephone. Electronic notice is permitted if it's the primary method that the company used to communicate with a person. The three major national credit reporting agencies must be alerted when a breach involves more than 1,000 Ohioans.
Offering credit monitoring to victims isn't required under Ohio law, but it's become standard to provide it free of charge, usually for one year, to those whose PII was compromised.
There are some breaches for which notification isn't required. "Determine what the hacker had access to. Did they take any information out? That matters because of the ‘risk of harm' trigger. If the hacker got in, but didn't take anything out, there's no risk of harm to the consumer and so notification is not required," Hoffman says. "Often, though, forensic experts can confirm the system was breached, but can't confirm what was taken. It's best to err on the side of caution, because the penalties are not to be ignored."
Ohio imposes a daily noncompliance fine. "The fine is $1,000 per day for the first 60 days you're found not to be in compliance. After 60 days, it's $5,000 per day. After 90 days, it's $10,000 per day. The fines apply only if the attorney general finds reckless or intentional failure to comply," Hoffman says.
Individual Ohioans can't file a lawsuit against offending organizations, even if they weren't properly notified that their PII was breached. "The law provides no private right to sue. It only allows the state attorney general to sue," Hoffman says.
"A significant impediment to individual claims is that a data breach doesn't necessarily mean the person was damaged. If the breach was caught quickly, notification occurred, credit monitoring offered and the credit card number is cancelled and changed, what are the true damages?" Cogan says.
Individuals can participate in class action lawsuits, though. "In large national breaches, class actions are filed almost immediately. But almost 100 percent of them are thrown out, because it's very difficult to show the direct harm. To have standing, you have to show direct harm and actual damages, and then prove it was because of that specific data breach," Hoffman says.
That low threat of litigation may bring at least some solace to executives who are wrestling with a data breach that leaves their company--and their customers--feeling exposed.
Lisa Hooker is a freelance writer.
Reprinted from the October 2011 issue of Columbus C.E.O. Copyright © Columbus C.E.O.