By Garrett Koehn, regional director and president of Northwestern U.S., CRC|Crump Insurance Services

Back in the mid-1990s, in the early stages of the Internet when we were working with Yahoo and other startups, there wasn't one policy in place that we could use to insure our clients. The Internet was so new we had to show underwriters what we were trying to insure. The operations for most of these companies were in the public space. Because there was no precedent, very little was known about what liabilities they actually faced.

When we first started insuring technology startups, we had to educate underwriters about browsers, search engines and the Internet. As agents and brokers asked us to provide insurance for their clients, it was our job to fully research the company and understand what they were doing. Only by asking lots of questions and using their sites could we determine their probable risks and provide enough information to the underwriter so they could determine the cost for the insurance policies.

Adding to this confusion was the fact that many companies provided their services for no cost. Consider Yahoo—a company providing a service for free! That was unheard of at the time. We had to determine whether there were risks and if there were, what were they? Can someone be held accountable if the service is free? We realized that the public part of Yahoo and other companies was like the risks associated with the media—newspapers, TV and radio.

As a result, the first policies for these Internet companies combined language from several different policies. We started with the information included in media policies because they provided coverage for copyright infringement, libel and slander. But we also added E&O coverage because of the services these companies provided. If a company provides a service, E&O insurance provides protection for that service, whether or not there was a cost for that service. The media policy was the solution for the intellectual property and public information aspect of these companies. The E&O policy covered the service aspect. These two pieces became the cornerstone for future technology policies.

Other coverages were eventually added—for viruses, hackers, privacy issues and possibly even contingent liability. Viruses and hackers were in the news often enough that underwriters would sometimes want to look at the systems, carefully utilizing outside vendors to see how they were designed. Eventually, hacker concerns became secondary when other issues surfaced, such as privacy and contingency—if I publish something and there is a bad result, will I get blamed? Then came slander and trade dress issues. Some carriers targeted the privacy issue fairly early, recognizing the risks a company faced when working with customer databases. Another issue that emerged earlier in the industry was contingent liability. If someone goes online and finds out how to build a bomb, carries out a plan and someone gets injured, is the company liable?

In time, more companies and individuals began to publish materials on their websites. More sites were designed so anyone could add information. Public posting led to the question of self-regulation and liability. Do we need to self-regulate sites, and if so, how? Can someone legitimately ask a company to take down something that was posted? Slander became an issue, and the privacy issue grew larger. Since media policies addressed these risks, most carriers borrowed more information and contract wording from these policies. Especially today, privacy continues to be a growing issue.

Since then, the technology insurance market has grown significantly. And although cyber security and privacy are still relatively new in the marketplace, these issues continue to evolve. Although coverage varies greatly from carrier to carrier, at its core it's designed to help protect the information assets a company maintains, the infrastructure through which the information is accessed and the implications of a breach of either.

Numbers alone justify the need for cyber insurance. In the U.S. between 2005 and 2012, 545 million records were at risk because of 3,002 breaches. And in 2011, nearly 600 breaches put more than 31 million records at risk, according to a 2010 study by Chubb.

Today, most U.S. companies have an exposure to liability from privacy breaches or their activities on the Internet. In a Wall Street Journal article from March 2012, top leaders on cyber security paint a grim picture:

  • According to Shawn Henry, the FBI's top cyber cop, “the current public and private approach to fending off hackers is 'unsustainable.' Computer criminals are simply too talented and defensive measures too weak to stop them.” FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.
  • James A. Lewis, a senior fellow on cyber security at the Center for Strategic and International Studies, said that he doesn't believe there is a “single secure, unclassified computer network in the U.S.”
  • Richard Bejtlich, chief security officer at Mandiant, a computer-security company, testified before Congress that “the median number of days between the start of an intrusion and its detection was 416, or more than a year.”

Key Exposures and Costs

Cyber security exposures are generally twofold. The first is privacy exposure, the failure to prevent the disclosure of confidential information, whether it's in-house or outsourced to a third party. First-party claims relating to privacy exposure can include notification costs, call center costs, credit monitoring, investigation and crisis management costs. Third-party claims may include consumer claims, regulatory claims (defense costs and fines), charges by the credit card issuers and fines. The second exposure involves security—the failure to prevent a security breach resulting in denial of service, proliferation of viruses, theft of confidential information and damage to a third party's network. First-party claims include business interruption, data restoration and cyber extortion. Customer and other third party claims can also result from a security exposure.

Although cyber security has been regulated by the states, there is increasing discussion and legislation that is more federal in nature. The FTC recently issued a report detailing best practices for protecting consumer privacy. This report calls on Congress to pass a new law that would allow consumers to access and dispute the collection of their personal and financial data and allow individuals to opt out.

What is the cost of a data breach?

According to the Ponemon Institute, the cost of an average data breach increased to $7.2 million in 2010. This is based on the actual data breach experiences of 51 U.S. companies from 15 different industries. The cost of these data breaches averages out to $214 per compromised record, compared with $204 per record in 2009. It is the need for companies to respond quickly to any data breach that is driving associated costs higher.

Although notification costs increased in 2011, the cost of a data breach decreased for the first time in 7 years. Lost business costs due to a breach also declined sharply. The average total organization cost was $5.5 million in 2011, down from $7.24 million in 2010.

The cost of lost devices

Data breaches involving lost devices like laptops and other mobile devices containing confidential data usually cost more. Lost devices were involved in 39 percent of breaches. Companies face a variety of costs after a data breach: direct costs with specific line items and indirect costs including expenses like lost business due to the data breach and new customer acquisition costs. Indirect costs are uninsurable, but purchasing insurance with robust first party coverages can help minimize those indirect costs that may result from response to the breach.

Today, the primary cause of data breaches is simple negligence, but malicious and criminal attacks are on the rise. Attacks that are criminal in nature are usually more harmful, compromising many more records than insiders and third party partners. Approximately 87 percent of compromised records result from external attacks.

Privacy vs. Security

Although leaks of confidential information are most often heard in the news, it is possible for companies to experience a security breach without a privacy breach. These may include viruses, denial of service attacks and extortion.

Insurance coverage

Insurance products can help cover both the direct and indirect costs associated with data and security breaches. Insurance often provides access to experts who can help minimize costs in the event of a breach. And by incorporating best practices for IT security and data protection, a company can further help reduce costs.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.