Personal and corporate information stored digitally in a company’s network offers tremendous value, both as a business asset – and when (mis)used in identity fraud. A network or data security breach is often the starting point for identity and corporate fraud incidents. In fact, some 13.1 million Americans were the victims of identity fraud in 2013, up from 12.6 million in 2012 and 11.6 million in 2011, according to Javelin Strategy and Research.
While it is clear that protection of such a valuable asset should be paramount, practice shows that information loss can impact even the most tech-savvy business. The financial impact of an information loss can be tremendous, ranging from internal costs for assessing the nature and extent of the breach to government fines or third-party claims.
The following discussion offers options for helping structure an insurance program to mitigate the financial impact stemming from an information loss event.
Defining the Financial Exposures
“Information loss” as used in this article refers to the accidental or intentional exposure, disclosure or unauthorized access or use of personal or corporate information held in a digital format. Regardless of the cause of an information loss, there will likely be financial consequences to the company suffering the data breach.
The final costs will vary depending on the type of data lost, the circumstances of the loss, the company’s mitigation and response efforts and any third-party losses arising from the incident. Regardless of the final sum, the exposures will usually include: internal costs for managing the loss, regulatory compliance costs and claims from those directly impacted.
Responding to an Information Loss
There are many ways a company may learn of a network breach or resulting information loss.
Ideally, the company discovers a security weakness or breach before any information is lost. Unfortunately, awareness is usually triggered by the breach itself. Some breaches come to light through a private extortion demand made before the information is disseminated widely, but more often the information loss is discovered only once the data is already in the public domain. Regardless of how it is discovered, immediate action is required.
A well-rounded insurance program targeted to the unique exposures facing the company will help protect its assets and mitigate losses.
Once an information loss is suspected or discovered, a company must determine the scope of the information loss – how much information, the type of information, the duration of the incident and the identities of those directly impacted. The answers will inform the steps required by law and how to mitigate the impact to all affected parties. First-party coverage can be tailored to address these efforts.
Coverage should respond to the company’s use of experts in identifying the scope of the loss and its possible exposures, including: forensic experts to analyze the breach and the information exposed; legal counsel to identify the company’s obligations under applicable privacy regulations; and public relations specialists to coordinate and communicate information to the individuals whose information was lost.
Coverage should also include notification costs and various communications targeting both those affected by the loss and government agencies, along with associated vendor expenses. More robust coverage also handles the costs to implement fraud alerts, credit monitoring and assistance in rectifying credit and other financial records damaged by the information loss.
A related and equally necessary coverage addresses the reputational impact the information loss may have on the company. Often, the manner in which a company communicates to the public about the loss will mitigate future losses, lessen government ire and bolster the company’s goodwill. Additionally, if the information has been lost, but not yet disseminated, there may be an opportunity to prevent an ultimate loss. While responding to an extortion demand is not ideal, having coverage for that contingency offers a level of flexibility.
Finally, an information loss is often accompanied by damage to the data still stored by the company. Coverage should respond to the company’s expenses in identifying the level of data corruption and recreating, repairing or restoring any information lost.
Responding to Resulting Claims
No matter how extensive the remediation and public relations effort, it will not completely eliminate claims exposure. Coverage for information loss claims must be broad enough to protect the company and prevent gaps in coverage. Such coverage typically applies on a claims-made basis.
There are several types of third-party coverage applicable to network and data security issues and losses. A traditional errors and omissions (E&O) policy provides coverage for losses arising from actions, or inactions, that led to the network breach or security violation. Such coverage typically includes the cost of defending claims seeking compensation. But there are limitations to E&O coverage: it may cover only the losses associated with specifically named activities, services or products.
More comprehensive coverage will address the defense of, and damages awarded in connection with, claims specifically arising from an information loss. Such coverage should be broad enough to encompass both the claims from the information loss itself and those arising out of any related network security breach. In this way, claims alleging loss from data potentially exposed in a breach, even without any actual information loss, may remain within coverage.
Finally, the policy should include coverage related to the regulatory exposures arising from the information loss.
Better to Be Protected than Sorry
Hackers are getting smarter while companies increasingly rely on digital methods to store and conduct business. Properly safeguarding this critical asset requires having well-documented – and practiced – protocols governing data security. But if the unfortunate were to occur, having a comprehensive and well-structured insurance program will not only mitigate financial loss, but can also ensure that public perceptions and trust remain strong both during and subsequent to a data breach incident.