What do Sony Corp.'s PlayStation Network, Zappos.com, Hannaford Brother Co.'s grocery stores, and South Carolina's Department of Revenue all have in common?
Each has been the victim of a serious data breach. Data breaches can occur in a variety of ways, some by accident, some motivated by profit or political belief, and some simply for the sport of it. A breach can result from a malicious attack designed to destroy or disable a network or to steal private, competitive or proprietary information; from a disgruntled employee out for revenge; from the negligence of a vendor handling data; or from a laptop or thumb drive being left accidentally in a cab or airport. Paper documents also are involved in a significant number of data breaches.
While some data breaches are caused by cyberattacks carried out by zealots (so-called "hacktivists") for political or other non-monetary reasons, a large black market exists where stolen personal and financial information is bought and sold. Stolen medical information can be particularly lucrative because of its use in Medicare fraud.
As all entities, particularly health care providers, law firms, financial institutions, and retailers, continue to gather and store more and more personal and protected information every year, the risk of a data breach grows in turn. Cyberassaults are continuously taking place, with ever increasing levels of sophistication. In fact, the Ponemon Institute's "Second Annual Cost of Cyber Crime Study" reports that the 50 organizations participating in its survey experienced 72 successful attacks per week.
Data breaches can have serious financial effects, including business interruption losses, regulatory and credit card company fines, legal defense costs, and civil damages. Further complicating the situation are federal and state laws imposing fines for and/or mandating public disclosure of data breaches to the affected parties and law enforcement. The Health Information Technology for Economic and Clinical Health Act (HITECH), the Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley, among other federal laws, can be implicated by a breach. Beginning with California in 2003, 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information. In addition, in October 2011, the SEC issued cybersecurity guidance, noting that cyber-risks should be disclosed "if these issues are among the most significant factors that make an investment in the company speculative or risky." International companies must be particularly attuned to breaches involving private information, because foreign privacy laws, especially in Europe, can be more inclusive and onerous than those in the United States.
Reputational damage resulting from a data breach can be devastating as well. Recent studies report that significant numbers of customers said they will terminate their relationships with companies after being notified of a data breach. "The Reputational Risk of a Data Breach," Advisen Insurance Intelligence, September 2012.
An astronomical number of people can be implicated by a single data breach. The Sony hackers allegedly gained access to personal identification and financial information of over 100 million users. Zappos' hacking incident affected 24 million customers. Reportedly, 2.4 million credit card numbers were stolen in the Hannaford cyberattack. The South Carolina breach implicated 3.6 million unencrypted Social Security numbers.
Not surprisingly, the costs associated with data breaches also are astronomical. Sony's costs related to the PlayStation breach are reportedly over $170 million. In a March 2012 report, the Ponemon Institute estimated the 2011 average per capita cost of a data breach to be $194 per compromised document.
Given this environment and the exponential growth of electronically stored information, the necessity of implementing, monitoring and updating systems and practices to safeguard sensitive data cannot be overstated. But what else can entities do to protect themselves from the fallout of a data breach? How can this risk be managed?
Traditional insurance policies may or may not provide coverage for data breach incidents. For example, in Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, PA, No. 10-4608 (6th Cir. Aug. 23, 2012), a court recently held that the shoe retailer DSW had coverage under a computer fraud rider to its corporate crime policy for the theft of customer credit card and checking account information in a hacking attack; by contrast, an insurer is denying any coverage obligation under a general liability policy for Sony's PlayStation data breach claim. Zurich American Insurance Company v. Sony Corporation of America, No. 651982/2011 (NY Sup. 2011).