As data breaches proliferate, organizations are under pressure to protect their customers, their reputations and their bottom line.
Challenges for risk professionals are growing as malicious and criminal attacks soar, with human error found to be a big contributor.
In fact, the average cost of a data breach event has risen to $2.7 million, according to the Ponemon Institute’s U.S. Cost of a Data Breach report, released in March 2011.
Forty-six states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands have passed laws mandating the timely notification of individuals affected by a data breach.
As enforcement accelerates, notification costs are on the rise—now estimated by Ponemon at $73 per record—along with fines and penalties. Federal lawmakers also have imposed new notification rules on health care providers, including doctors and dentists, and there are growing calls for more broad-based consumer protections.
If a data breach occurs, companies may face adverse publicity and anger from customers left to deal with possible identity theft and fraud. Customers may end their relationship with a business when it experiences a breach of personal information. The result could be lost sales.
INSURANCE MEETS GROWING NEED
The insurance industry is responding with new coverage and services. These products are designed to help organizations of all sizes comply with reporting laws and protect their business and reputation.
They can help customers provide a timely response to a data breach, including services to help individuals prevent identity theft from happening.
Despite the uptick in breaches—more than 3 million records have been breached in just the first quarter of the year, according to consumer rights advocates—not all companies believe they are at risk.
Small businesses, for example, may think they are unlikely targets. But common factors that contribute to a breach can occur in any size organization with employees, customers or vendors.
Nearly half of data breaches involve insiders, and nearly one-quarter of those involve individuals who were fired, demoted or resigned, according to the 2010 Data Breach Investigations Report from Verizon Business and the U.S. Secret Service.
Human error also accounts for many breaches. These errors include losing a laptop or leaving it in a car where it can be stolen; posting confidential information on a website; or mistakenly selling it to a sham company that misuses the data.
Although any breach can be expensive, malicious attacks are the most costly. The 2010 cost per compromised record of a data breach involving a malicious or criminal act averaged $318, nearly double the cost in 2009, according to the Ponemon benchmark study of 51 U.S. companies in 15 industry sectors.
GENERAL LIABILITY NOT ENOUGH
Organizations may mistakenly believe they’re covered for data breaches under a general liability or other commercial insurance policy.
Covered damages under these policies usually result from bodily injury and property damage. The courts, however, have generally ruled that electronic data is not considered tangible property.
In recent years, it has become easier to get coverage, as more carriers offer insurance specifically designed for data breaches. These programs can be simple, affordable and include loss prevention information. Sometimes the coverage is added as an endorsement to a commercial lines policy and may not require any additional underwriting application.
Since most companies are unlikely to know what to do in the event of a breach, insurance coverage is invaluable. Responding to a breach requires a broad range of specialized knowledge, from forensic information technology skills, to tracking down the source of the breach, to mobilizing notification and monitoring services.
Data breach insurance can also be important if the company faces legal action from consumers, banks, state and federal regulators, or shareholders. Lawsuits have become more prevalent and data breach policies can provide legal coverage.
When data is compromised, data breach coverage should include:
▪ A legal review of statutory obligations, which vary by state and circumstance.
▪ Forensic information support to determine the nature and scope of the breach, identify the individuals affected and the means available to notify them.
▪ Preparation and production of notifications and call-center support.
▪ Credit monitoring for persons affected.
▪ Identity restoration case management and other personal services for victims of identity theft and fraud occurring as a result of the data breach.
▪ Legal defense and liability costs.
LOSS PREVENTION CRITICAL
Loss prevention takes a number of forms. At the most basic level, companies should know what confidential data they hold, where it is stored and who has access to it.
They also should create a coordinated effort to protect that information among risk management, Internet technology, legal and company executives.
Employee training is important and needs to include changing passwords regularly, encrypting information on laptops and other mobile devices, and properly disposing of paper records. Many cases of data loss, in fact, are the result of carelessness, such as throwing confidential documents out in the office trash.
Another effective risk management strategy is to limit access to computer systems, giving employees access only to the information and other resources they need to do their jobs. It’s also a good idea to continually purge unneeded information.
Monitoring is a key strategy. The report by Verizon Business and the U.S. Secret Service recommends auditing user accounts and monitoring privileged activity; filtering outbound traffic; and monitoring and mining event logs. It’s also critical to vet the security policies and procedures of vendors.
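As an added illustration of what "auditing user accounts" and "monitoring and mining event logs" can look like in practice, the Python script below is not part of the article and not from the Verizon/Secret Service report. It reads a handful of constructed syslog-style login and sudo lines, checks each event against a constructed account register (who still works here and what role they hold), and reports the warning signs the article describes: privileged commands run by accounts whose role does not need them, activity on an account belonging to someone who has left, and logins outside an assumed working day. The log format, the account register, the role list and the business-hours window are all assumptions for the example.

```python
import re

# Constructed sample event-log lines in a syslog-like layout; not from any real system.
SAMPLE_LOG = """\
2011-03-14T08:02:11 host1 sshd: Accepted password for alice from 10.0.0.5
2011-03-14T08:05:42 host1 sudo: alice : COMMAND=/usr/bin/less /var/log/auth.log
2011-03-14T09:17:03 host2 sshd: Accepted password for bob from 10.0.0.9
2011-03-14T09:18:30 host2 sudo: bob : COMMAND=/usr/sbin/useradd tempuser
2011-03-14T22:41:19 host1 sshd: Accepted password for carol from 203.0.113.7
2011-03-14T22:43:55 host1 sudo: carol : COMMAND=/bin/tar czf /tmp/cust.tgz /srv/customers
"""

# Constructed account register: whether the person is still employed and their job role.
ACCOUNTS = {
    "alice": {"role": "sysadmin", "active": True},
    "bob": {"role": "helpdesk", "active": True},
    "carol": {"role": "sales", "active": False},  # resigned; account should have been disabled
}

# Least privilege: only these roles are expected to run privileged commands (assumed).
PRIVILEGED_ROLES = {"sysadmin"}

# Assumed working day, 07:00 to 18:59; logins outside it get a second look.
BUSINESS_HOURS = range(7, 19)

LINE_RE = re.compile(r"^(\S+) (\S+) (sshd|sudo): (.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (\w+) from (\S+)")
SUDO_RE = re.compile(r"^(\w+) : COMMAND=(.*)$")


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not a login or sudo event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    if prog == "sshd":
        lm = LOGIN_RE.search(msg)
        if lm:
            return {"ts": ts, "host": host, "kind": "login",
                    "user": lm.group(1), "src": lm.group(2)}
    else:
        sm = SUDO_RE.match(msg)
        if sm:
            return {"ts": ts, "host": host, "kind": "sudo",
                    "user": sm.group(1), "cmd": sm.group(2)}
    return None


def review(log_text, accounts, privileged_roles, business_hours=BUSINESS_HOURS):
    """Mine the log for the warning signs and return (user, finding) pairs in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev["user"]
        acct = accounts.get(user)

        # Account audit: every account seen in the logs should be in the register and active.
        if acct is None:
            findings.append((user, "account not in register"))
        elif not acct["active"]:
            findings.append((user, f"departed employee's account used for {ev['kind']}"))

        if ev["kind"] == "login":
            # Timestamp is ISO-like, so the hour sits at characters 11-12.
            hour = int(ev["ts"][11:13])
            if hour not in business_hours:
                findings.append((user, f"login outside business hours from {ev['src']}"))
        elif acct is None or acct["role"] not in privileged_roles:
            # Privileged-activity monitoring: sudo by a role that should not need it.
            findings.append((user, f"privileged command outside role: {ev['cmd']}"))
    return findings


if __name__ == "__main__":
    for user, finding in review(SAMPLE_LOG, ACCOUNTS, PRIVILEGED_ROLES):
        print(f"{user:8} {finding}")
```

Run against the constructed lines, the script reports nothing for the sysadmin, flags the helpdesk account for creating a user, and flags the departed employee's account four times (used at all, used after hours, used for sudo, and used to run a privileged command). The point is the shape of the check, not the regexes: the same three questions, is this account supposed to exist, is this activity within the person's role, and is this activity normal for the time and source, apply whatever log format or account directory an organization actually has.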
Even as consumers, businesses and organizations become more aware of the frequency and severity of data breaches, the thieves who misuse personal information are getting more sophisticated.
The best defense is to be proactive, with loss prevention measures and a response plan ready in the event of a breach. That defense should include data breach insurance coverage with professional services that are available at a moment’s notice.
Mark MacGougan is vice president, The Hartford Steam Boiler Inspection and Insurance Company in Hartford, Conn. He can be reached at Customer_Solution_Center@hsb.com.