With high-profile cases such as ChoicePoint and TJX acting as a lure, plaintiffs' attorneys are increasingly interested in generating class-action lawsuits for data security breaches. Coverage for data breaches is more popular than ever but is still evolving.

In a panel discussion at the international conference of the Minneapolis-based Professional Liability Underwriting Society held in Chicago last year, five experts discussed the exposure environment for data and the best ways for businesses to protect themselves against losses.

Data breach insurance, popular with businesses, will change in response to frequency of loss, federal legislation, attention from the plaintiff's bar and market competition, according to Bradley S. Gow, senior vice president at Zurich North America, based in Schaumburg, Ill.

He added, however, that five years of pricing in a soft market has resulted in policy rates that are “probably light.”

“While carriers are hoping losses won't occur, there has been frequency in some industries,” Mr. Gow noted. “Based on the potential of risk, we're probably whistling past the graveyard.”

Today's data breach insurance coverage goes beyond basic coverage to provide the “bells and whistles” most businesses expect, added Patrick Donnelley, managing director of Professional Risk Solutions, a division of Aon.

In early policies, a breach response fund of $25,000 to $50,000 was built into most insurance policies to help minimize liability. Because of competition and evolution of the line of business, today's funds have gone into the $1-to-$10 million range, he said.

Other variations include policies with time rather than dollar deductibles, as well as business interruption coverage.

ANATOMY OF A BREACH

Two of the biggest and most notorious data breach cases involve credit scoring bureau ChoicePoint Inc. and TJX Companies Inc., owner of discount retailers Marshalls and T.J. Maxx.

The ChoicePoint breach occurred in 2005, when swindlers stole the personal financial records of more than 163,000 consumers by setting up fake business requests. In the subsequent lawsuit, ChoicePoint ended up paying $10 million in civil penalties and $5 million in consumer damages.

In the TJX case, hackers stole 45.7 million credit and debit card numbers in 2005 and 2006, resulting in a class-action lawsuit and a $200 million settlement with consumers and TJX's bank–Fifth Third Bancorp.

According to published reports, TJX has spent more than $20 million investigating the breach, notifying customers and hiring lawyers to handle dozens of lawsuits from customers and financial institutions.

THE EXPOSURE ENVIRONMENT

Although data breach lawsuits can be attractive to plaintiffs' attorneys, lawyers know they must have their ducks in a row before seeking a class-action certification, according to attorney Sherrie Savett, shareholder and chair of the securities litigation department at Berger & Montague in Philadelphia.

At the very least, the breach should affect millions of users, result in an actual misuse of data, and involve sensitive information such as Social Security numbers or credit card numbers and expiration dates, she noted.

Successful cases also result in statutory damages, she added.

Under the Fair Credit Reporting Act, companies determined to have been reckless in storing their customers' data–including medical information–could be liable for $100 to $1,000 per victim in a case settlement.

Potential defendants include not only credit scoring bureaus but banks, lending firms and other financial institutions. Damage is the big issue and the exposure to a company can be huge, Ms. Savett warned.

In a recent class-action case involving credit card numbers stolen from Hannaford Brothers Company–an East Coast supermarket chain–the courts are determining whether the time and money a consumer spends to restore their credit is compensable damage. The trend in the courts now is to consider data as real property, not just information, she noted.

For defendants, the lawsuit is only half the story, explained Theodore Kobus II, chair of the technology, media and intellectual property practice group at Marshall, Dennehey, Warner, Coleman & Goggin in Philadelphia. State attorneys general are tracking data breaches and requiring they be reported to them, he noted.

Mellon Bank, Countryside and others have been fined by state AGs after audits, and state departments of insurance and others can audit if a breach is reported, he said.

Nevada and Massachusetts have especially stringent rules on responsibility to breach. On the federal level, H.R. 2221–the Data Accountability and Trust Act–would require “reasonable security policies and procedures to protect computerized data containing personal information,” as well as nationwide notice in the event of a security breach, according to Mr. Kobus.

RESPONSE PREPAREDNESS

The good news arising from high-profile cases such as ChoicePoint and TJX is that businesses are taking a more cautious approach to data breach risk management, Mr. Gow observed. Banks are now making retailers responsible for breaches, and specifically putting this responsibility into their contracts with retailers.

Because the expenses of a breach can be mitigated by prevention, and time is critical in reacting to a breach, a written response plan is essential, advised Kendall Walsh, director of Direct Group, a direct marketing firm based in Pennington, N.J.

This should include written documentation approved by management, and a list of team members who will respond if a data breach occurs, he said.

This includes legal representation, marketing representatives for brand protection, information technology experts, and outside vendors knowledgeable in state and federal privacy laws to handle forensics and customer notification, he added.

Having such experts available is key in underwriting data breach risks, according to Mr. Walsh.

Laura M. Toops is Editor In Chief of American Agent & Broker, part of the Summit Business Media P&C Magazine Group, which includes National Underwriter.

A version of this article originally appeared as a Web exclusive on the AA&B Web site, www.agentandbroker.com
