Insurers can expect increasingly frequent and severe data breach claims, a panel of data and privacy breach experts told the Professional Liability Underwriting Society’s International Conference in Chicago, November 7-9, 2012.
According to a recent study, incidences of data breach have nearly doubled over the last 12 months, as regulators, insurers and institutions struggle to respond to security risks and the proliferation of shared data storage (so-called “cloud computing”). It can take a hacker or malicious computer virus minutes to gain access to stored data, leading to months or even years of costly remediation. Lost laptops and storage drives present another risk. At a cost of about $194 per record, the price of remediation is high and claims can easily run into the millions. Loss due to data breach includes the cost of credit monitoring, ID restoration, investigatory costs, repairing damage caused by the breach, and the costs of notice and reporting.
Currently, federal guidelines require health care companies to notify the public and the Federal Trade Commission (FTC) of a data breach within 10 to 60 days of its discovery (the deadlines vary depending on the number of consumers involved). Violators face fines and public rebuke by regulators. In June, the FTC filed a lawsuit against the Wyndham Hotels chain, alleging that the chain failed to take sufficient security measures to avoid the repeated loss of customer credit card data.
Not every attack on a computer network causes a data breach. Determining whether private information has been purloined is an important task, according to attorney Ted Korbus, an expert in the area of privacy breach. Korbus told the panel that state Attorneys General are exerting increased pressure on companies to react quickly to any breach of data, no matter how severe. Determining whether an incident should be reported is critical, because an unnecessary report can be expensive, whereas a late report can be costly from a regulatory perspective. A close relationship with state and federal regulators is critical to a company successfully resolving a data breach incident, Korbus said.
All of the panel members agreed that “cloud” computing presents the greatest threat to insurers and their policyholders. Cloud-computing vendor agreements are often heavily weighted in favor of the host company, but provide little assurance to customers. Cyber-risk insurance policies do not always cover a data breach that occurs on another (non-insured) computer network. When insurers try to evaluate an insured’s cyber-risk, the use of cloud computing should be closely examined, technology E&O underwriter Michael Carr said. “From a business standpoint, the cloud is very compelling and may be safer. It’s here to stay.” Carr cited examples of online data storage companies that were shut down by regulators as a result of users exchanging copyright-protected materials on the cloud. Innocent users lost all of their data when the servers were shut down, with no recourse in their own cyber-risk policies.
Panel members agreed that the application and vetting process was critical to underwriting. “Ultimately, you have to understand the culture of your insured [when underwriting],” Carr said. Other concerns for insurers include aggregation of multiple claims, and coverage for regulatory investigations. Korbus expects that insureds will closely analyze their cyber-risk and privacy policies. All of the panel members emphasized proactive measures to prevent data breach in the future. Educating workers and providing anonymous tip lines are two examples of how to lower the risk of a data breach event.