ALM Properties, Inc.
Why Risk Data Breaches? Insurance against data breaches in a new era of data insecurity.
Data breaches carry serious financial risk, including business interruption losses, regulatory fines, and civil damages. Judy Selby, partner at Baker Hostetler, explains how insurance can help manage the risk.
Law Technology News, 2012-11-20
What do Sony Corp.'s PlayStation Network, Zappos.com, Hannaford Brother Co.'s grocery stores, and South Carolina's Department of Revenue all have in common?
Each has been the victim of a serious data breach. Data breaches can occur in a variety of ways, some by accident, some motivated by profit or political belief, and some simply for the sport of it. A breach can result from a malicious attack designed to destroy or disable a network or to steal private, competitive or proprietary information; from a disgruntled employee out for revenge; from the negligence of a vendor handling data; or from a laptop or thumb drive being left accidentally in a cab or airport. Paper documents also are involved in a significant number of data breaches.
While some data breaches are caused by cyberattacks carried out by zealots (so-called "hacktivists") for political or other non-monetary reasons, a large black market exists where stolen personal and financial information is bought and sold. Stolen medical information can be particularly lucrative because of its use in Medicare fraud.
As all entities, particularly health care providers, law firms, financial institutions, and retailers, continue to gather and store more and more personal and protected information every year, the risk of a data breach grows in turn. Cyberassaults are continuously taking place, with ever increasing levels of sophistication. In fact, the Ponemon Institute's "Second Annual Cost of Cyber Crime Study" reports that the 50 organizations participating in its survey experienced 72 successful attacks per week.
Data breaches can have serious financial effects, including business interruption losses, regulatory and credit card company fines, legal defense costs, and civil damages. Further complicating the situation are federal and state laws imposing fines for and/or mandating public disclosure of data breaches to the affected parties and law enforcement. The Health Information Technology for Economic and Clinical Health Act (HITECH), the Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley, among other federal laws, can be implicated by a breach. Beginning with California in 2003, 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information. In addition, in October 2011, the SEC issued cybersecurity guidance, noting that cyber-risks should be disclosed "if these issues are among the most significant factors that make an investment in the company speculative or risky." International companies must be particularly attuned to breaches involving private information, because foreign privacy laws, especially in Europe, can be more inclusive and onerous than those in the United States.
Reputational damage resulting from a data breach can be devastating as well. Recent studies report that significant numbers of customers said they will terminate their relationships with companies after being notified of a data breach. "The Reputational Risk of a Data Breach," Advisen Insurance Intelligence, September 2012.
An astronomical number of people can be implicated by a single data breach. The Sony hackers allegedly gained access to personal identification and financial information of over 100 million users. Zappos' hacking incident affected 24 million customers. 2.4 million credit card numbers reportedly were stolen in the Hannaford cyberattack. The South Carolina breach implicated 3.6 million unencrypted Social Security numbers.
Not surprisingly, the costs associated with data breaches also are astronomical. Sony's costs related to the PlayStation breach are reportedly over $170 million. In a March 2012 report, the Ponemon Institute estimated the 2011 average per capita cost of a data breach to be $194 per compromised document.
Given this environment and the exponential growth of electronically stored information, the necessity of implementing, monitoring and updating systems and practices to safeguard sensitive data cannot be overstated. But what else can entities do to protect themselves from the fallout of a data breach? How can this risk be managed?
Traditional insurance policies may or may not provide coverage for data breach incidents. For example, in Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, PA, No. 10-4608 (6th Cir. Aug. 23, 2012), a court recently held that the shoe retailer DSW had coverage under a computer fraud rider to its corporate crime policy for the theft of customer credit card and checking account information in a hacking attack. By contrast, an insurer is denying any coverage obligation under a general liability policy for Sony's PlayStation data breach claim. Zurich American Insurance Company v. Sony Corporation of America, No. 651982/2011 (NY Sup. 2011).
Recently, however, insurance companies have begun to offer policies specifically designed to provide coverage for data breaches, cyberattacks and similar incidents, so-called "cyberinsurance." This line of coverage is relatively immature and has been evolving over the years. In general, coverage can be obtained for a variety of costs, such as crisis management and public relations expenses, notification to affected parties, credit monitoring services, call centers, and computer forensic investigations, as well as for losses attributable to business interruption and network failures. Coverage for the restoration or recollection of lost or damaged data is available. Some policies also provide access to "breach preparedness" information to help alert policyholders to potential issues.
Mike Donovan of the Beazley Group, a leader in the cyberinsurance market, notes that most companies that experience a breach have never dealt with anything similar before, and decisions must be made quickly and correctly to mitigate reputational damage, satisfy regulators and limit potential liability. Beazley's coverage includes access to its panel of experienced privacy and data breach lawyers, computer forensic consultants, crisis management professionals, notification companies and credit monitoring companies, who spring into action in the event of a breach.
Coverage under cyberpolicies can extend to violations of privacy laws, including (where permitted under law) payment of fines. Some policies provide cyber-extortion expense coverage, which covers expenses in connection with an extortion threat to cause an actual interruption, suspension, or failure of the company's computer system, including the failure to prevent unauthorized access or unauthorized use of the computer system. Although not limited to cyber-risk situations, coverage also can be obtained for proactive costs incurred to avoid or minimize the potential impact of a "Reputational Threat" and for response costs to minimize the impact of a "Reputational Attack."
Cyberinsurance can be especially attractive to entities that utilize cloud computing. When entering into cloud computing contracts, customers typically have little leverage in negotiating data security issues and the ramifications of the provider's liability for breaches and failure to comply with privacy and other relevant laws. Cloud customers may not be able to contractually transfer the risk of data breaches to the provider. In fact, they may not even be permitted to conduct a forensic investigation of a breach affecting their own hosted data. Cyberinsurance that covers networks controlled by third parties may provide otherwise unavailable protection for cloud-dependent entities.
According to Ben Beeson, Partner and head of the global technology and privacy practice of insurance broker Lockton Companies, it is estimated that there are now sixty specialist insurers underwriting cyber-risks between the U.S. and the London insurance market. Gross written premium to date is thought to be approximately $800 million and to grow to $4 billion over the next few years. Because the policies currently on the market are varied in their scope and provisions, and the risks at issue and coverage provided may not be well understood across the board, prospective buyers should consider seeking out the advice of experienced professionals in order to select the right policy with the right coverages based on the needs of the potential insured.