In recent years, there has been a dramatic increase in the frequency and severity of data breach incidents, resulting in the growth of the cyber-liability insurance industry.
A “data breach” occurs when personal information held by an organisation is lost or subjected to unauthorised access, modification, disclosure or other misuse or interference.
Data breaches raise privacy concerns and may result in significant financial loss for businesses and their customers. They also carry significant reputational risk.
The following case studies serve as warnings to organisations of the need to be aware of and respond to (including by insuring against) new and evolving cyber risks. Businesses should check their current insurance coverage to ensure that any loss to the business through data breaches will be recoverable. Care should be taken to ensure that the policy selected is appropriate for the business’s needs because the available policies are largely untested in the Australian market.
Australia: Optus “White Pages” data breach
In February 2013, Optus made a coding change to its website that changed the preferences of approximately 122,000 Optus customers who had elected not to have their details published in the White Pages from ‘No’ to ‘Yes’. As a result, the names, addresses and mobile phone numbers of these 122,000 Optus customers (whose preference was to remain unlisted) were published without their consent.
Optus was only made aware of the data breach in April 2014, as a result of a customer complaint, meaning the data was publicly available for over one year. Optus notified the Office of the Australian Information Commissioner of the data breach in June 2014. As a result of this breach (and two other separate incidents), in March 2015 the CEO of Optus signed an enforceable undertaking agreement with the Australian Privacy Commissioner.
The enforceable undertaking requires Optus to engage an independent third party auditor who is tasked with carrying out reviews and making recommendations regarding Optus’ information storage processes and IT systems. Within 18 months of entering into the enforceable undertaking, Optus is required to obtain certification by the auditor that Optus has implemented the auditor’s recommendations. Optus is required to pay its compliance costs of the enforceable undertaking.
The enforceable undertaking agreement represents the first enforceable undertaking made under reforms to the Privacy Act 1988 which gave the Privacy Commissioner a new power to accept an enforceable undertaking from an organisation or agency.
United States: Target Corporation Data Breach
In 2013, 40 million credit card numbers and 70 million addresses, phone numbers and other personal records of customers of the US retail chain Target were stolen by hackers. The hackers gained access to the customer information by installing malware in Target’s security and payment system; the malware was designed to capture the details of every credit card used in Target’s 1,797 US stores. This sensitive customer information was then stored on a Target server that the hackers had taken control of.
Target only became aware of the breach in December 2014, when it was notified by the United States Department of Justice. Target was widely criticised for failing to detect the data breach, in particular because at the time of the data breach it had already invested heavily in cyber security and malware detection software.
The Target data breach has resulted in more than 90 proceedings being filed against Target, including class-action proceedings on behalf of individual consumers and claims by banks for negligence and compensatory damages. MasterCard Inc brought a claim against Target associated with the costs of reissuing cards that were compromised as a result of the breach. In April 2015, Target agreed to settle the MasterCard claim for $19 million.
Cyber risk awareness and insurance
The above cases and other data breaches reported by the media typically involve disclosure of significant volumes of information. However, data breaches are common occurrences in organisations both big and small, and potentially carry significant reputational costs. They may also undermine consumer confidence in a brand.
It is therefore crucial for boards, executives and compliance professionals to understand data breach risks and any industry- or organisation-specific risks they may face so that they may effectively mitigate and manage them, including by selecting appropriate insurance coverage. Some general liability or business interruption policies may have sufficiently elastic policy wording to cover loss suffered as a result of a cyber-attack. However, in many instances traditional insurance policies will not cover these new and evolving cyber risks. For example, business interruption insurance policies are often drafted to cover losses caused by a tangible, physical event and would therefore be unlikely to cover any losses caused by a cyber-attack. Businesses should therefore consider obtaining advice regarding the scope of their existing policies and whether additional, specialised cyber liability coverage is necessary.