Not only is the overall number of data breaches increasing but the size of the “mega breaches” is on an upward trajectory. This article considers potential trends arising from the mega breaches and the issues they give rise to for cyber risk insurers.

For the purpose of this article we have considered three relatively recent mega breaches:

  • eBay (2014 – 150m records)
  • Target (2013 – 70m records)
  • Adobe (2013 – 152m records)

Common factors

Are there any factors which link these massive breaches?

  • It remains the case that significant numbers of security breaches are caused by human error or insider fraud. However, one unifying factor of mega breaches is that they involve conduct by third party hackers (taking recent data breaches involving over 250,000 records, with the exception of the Korean Credit Bureau breach – caused by insider fraud)
  • The data is generally sold on the dark web. Holden security recently reported that approximately 360m newly acquired details are for sale. It is often not clear what the origin of stolen data is. However, following the Target breach batches of up to 1m credit cards were available for sale for between $20 and $100 per card. There is no evidence that the eBay data has ended up for sale, but an enterprising fraudster has reportedly been attempting to sell a fake database for 1.5 Bitcoins – about $770
  • A number of thefts have been blamed on underinvestment in security technology. It was found that the Sony Playstation hack in 2010 resulted in part from Sony’s failure to properly update its security systems and take adequate steps to encrypt password data. Similarly, Adobe has been criticised after it was discovered that much of the stolen data was, according to industry experts, relatively weakly encrypted. In particular, Adobe failed to use stronger, “salted hash”, one way encryption
  • The breaches generally take place over a long period of time. The eBay breach was discovered after between 84 and 98 days. A recent Madiant report suggests that the average time before a data breach is discovered is 229 days
  • The weakest link: The eBay breach appears to have involved a sophisticated spear phishing/ social engineering scheme aimed at extracting login details from eBay employees via   social media. The Target breach appears to have involved a more traditional email infected with malware which was sent to a third party air conditioning vendor and subsequently compromised the Target system via a data connection for electronic billing contract submission and project management. Both breaches illustrate hackers’ ingenuity in finding and exploiting weak-points in companies’ data security protocols.

Insurance issues

Most readers will be familiar with the legal liabilities and associated costs arising from data breaches. However, below we consider some of the implications which are of greater relevance in the case of very large breaches:

  • Adequacy of security measures: Even large and sophisticated companies fail to take all appropriate steps to protect sensitive data and/or properly update security. This places additional focus on the questions regarding security measures asked by the underwriter on placement and the adequacy of any policy terms regarding the measures an insured should be taking
  • The human factor and third parties: Human error is inevitable and one of the reasons insureds purchase insurance. However, it is important that proper consideration is given to understanding the steps taken to protect and monitor employees and third parties to try to identify possible security breaches – such as behavioural analytics
  • Reputational implications: The potential effect on an insured’s business arising from a high profile breach, before taking into account the cost of dealing with a breach, regulatory investigations and third party claims, is huge. Target suffered a 40% drop in profit in the fourth quarter of 2013 compared with the year before. This illustrates the potential importance of coverage traditional costs of mitigation such as identity theft insurance and web monitoring but also the potential value of coverage for additional marketing expenses or compensatory credits to customers.

Regulatory  implications

In the case of a UK domiciled insured, the prospect of an ICO investigation and investigations by US regulators are relatively well known consequences of a big breach.

However, the eBay breach illustrates the way in which large multinational breaches are likely to be handled by national regulators with the Luxembourg regulator taking the lead in the European investigation (eBay having its main European domicile in Luxembourg) and the US investigation being led by the Federal Trade Commission. That is not of course to say that national/state regulators will be bound by the findings of the lead investigations or will not impose additional fines once those investigations are concluded.

In addition, mega breaches potentially enter deeper regulatory waters in that they can involve the additional regulators. In particular, where they involve financial institutions and/or publicly listed companies:

  • Financial Conduct Authority (FCA): enforcement for breaches of PRIN 3, SYSC 3.2.6R and SYSC 3.1.1R require regulated entities to have adequate systems, controls procedures and policies in place to maintain the security of confidential customer information. In 2010, a well-known international insurance company listed in the UK was fined £2.27m as a result of the loss of unencrypted data
  • Listing Rules: listed companies must comply with the FCA’s Listing Principles which would potentially be infringed by a data breach, or the failure to promptly disclose a breach, involving sensitive data, including:
    • Principle 2: taking reasonable steps to establish and maintain adequate procedures, systems and controls to enable it to comply with its obligations;
    • Principle 3: acting with integrity towards holders and potential holders of listed shares; and
    • Principle 4: communicating with holders and potential holders of shares in a way which avoids creation of a false market.

The Listing Rules also include additional disclosure requirements including DTR2.2.1r, which requires notification to the market if price sensitive information is lost.

Legal Liability Issues

Clearly a large data breach may give rise to typical third party claims such as claims for breach of contract by customers either as a direct result of loss of client data or due to an inability to fulfil client obligations.

However, big breaches give rise to additional exposures such as:

  • The increased risk of claims by data subjects for damage and distress under section 13 of the Data Protection Act. Whilst these claims are rare due to the relatively modest amount of loss individuals are likely to have suffered, a mega breach is in principle exactly the sort of claim which might form the subject of a group litigation order allowing claims by large numbers of data subjects to be consolidated into a single action
  • In addition, although a derivative action by shareholders is more associated with data breaches in the US, there is the potential for claims by investors in the UK under sections 90 and 90A of the Financial Services and Market Act 2000 if published information is materially misleading or contains omissions or the publication of that information is delayed. This provision may be of particular relevance if a company inadvertently or deliberately fails to disclose a breach which has a material effect on the price of the company.

In terms of future regulation, it is well known that the proposed EU Data Protection Regulation will impose fines of 2-5% of turnover. The largest breaches are likely to bring with them a real risk of fines up to that level.