Like A Virus

Technology and Information Risk Infect Traditional Businesses

Following the “burst” of the dot-com bubble in 2001, business consumers of information technology have become more demanding of the technology resources, services and products they use. Information management, information assets, and the integration of technology into business operations and infrastructure create areas of professional, information, and technology risk typically reserved for “technology providers.” Technology and information risk are moving at an infectious pace into traditional businesses. Are your clients prepared?

Pervasive digitization
The value and scope of information assets have increased dramatically. And the negative impact of technology and information-related errors and omissions is now a reality for businesses in every market segment. Exposures such as malicious codes, hackers, identity theft, theft of intellectual property, and network outages (to name a few) have, in fact, become mission-critical exposures for the information-intensive, information-dependent modern company.

As of 2004, Forrester Research cited that more than 70 percent of the value of Fortune 500 companies is attributed solely to their information assets. Information productivity now defines success or failure. Businesses, whether large or small, and their customers are raising the bar for higher quality software, hardware and professional services.

Consider the following trends. Techno-logy is pervasive and growing. Technology already represents 11 percent of the U.S. gross domestic product, up from 3 percent in 1992, reports IDC. There is a shift in value. In-tangible assets account for more than 87 percent of the value of U.S. businesses, up from 38 percent in 1982, according to Brookings Institute’s “Unseen Wealth.”

Cyber crime has increased. CIO magazine reported a 38 percent increase in 2004, with identity theft as the number one leading crime.

Forbes magazine reported that 77 percent of Fortune 500 companies now measure information productivity, and 73 percent have created a chief security officer position for data protection. There is a reported lack of technology-provider accountability. Software quality problems cost the United States $60 billion per year, and users bear two-thirds of the cost, according to NIST ’03. Additionally, new information protection standards have emerged during the past three years for health care, financial services, government support agencies, and any business storing personal or consumer information.

In addition to the economic and business trends spurred on by technology, several new data privacy standards have emerged in addition to regulatory standards such as HIPAA (Health Insurance Portability and Account-ability Act of 1996) and GLB (Gramm-Leach-Bliley Act of 1999). Among other areas of compliance, those standards address the acceptable behaviors for processing, automating, and storing business and personal information. At both the state and federal level, government officials are addressing the in-creased importance of data protection standards.

The bottom line is simple. “Technology risk” and “information risk” pose a significant threat to any business that accesses, aggregates, automates, or in any way, shape or form, “touches” financial, personal, health, or government information. However, the professional liability market has not fully caught up to the latest realities of technology and information risk.

The convergence of technology and in-formation risk makes it virtually (pun intended) impossible to isolate each in separate professional liability policies–an approach taken by many carriers. It is clear there is a growing market need for more mature professional liability products to mitigate new areas of technology and information-related business risks.

Technology risk vs. information risk
Technology and information risk are often misunderstood. There are distinct differences, and knowing the differences is an important step in helping clients understand where they may be exposed.

The primary focus assessing information risk is to understand the nature of the data being hosted and the degree to which that data falls under data privacy laws and standards. In parallel, the primary focus of technology risk is to understand the degree to which the technology is mission critical in the delivery of professional services. Are there alternate means of services delivery for system outage? Are there dependencies of business partners that are interrupted, etc.?

As a risk manager begins to understand the dependence on technology and the potential liability of aggregating third-party data, targeted coverage can be placed based on the degree of exposures. The most common view is that technology policies today are insufficient in embracing the information risk piece of the puzzle, especially for traditional firms that “dabble” with technology as an enabler, as opposed to a primary line of business.

Exposures encompassing today’s technology and information risk might include: technology E&O (failure to perform); network security (unauthorized access, ID theft); data privacy (unauthorized use, invasion of privacy); HIPAA, GLB, California Database Security Breach Information Act (SB 1386) compliance; media and online content (libel, slander, defamation, virus transmission); third-party business interruption; third-party loss of data; hackers and malicious code; and technology and information IP (copyright, trademark, patent).

So, how did we get here?
Businesses formerly operating in a paper-based business model have now become virtually paperless. The speed at which a company can process information and the degree to which it can protect that information have become new survival traits. An entirely new population of IT professionals has been born as a result. Information “architects,” data “engineers,” Web “designers,” and network security “officers” now hold the keys to the success, or failure, of being digital. This professional responsibility–and now emerging liability–for predictable and secure technology management is no longer just the burden of providers of technology solutions.

Digitization of everything including health records, bank accounts and consumer buying preferences is no longer the exception; it is the norm. Information has become the new, sought-after currency. Information thieves, buyers of data and data brokers are definitive reference points to suggest that information has surged as an important business resource.

Those companies that store data are new targets of opportunity for those that know how to distill information into more valuable, sellable and actionable data. Such an information-based environment has clearly created new liabilities for companies that aggregate data about their customers, employees, partners, suppliers and patients.

Irreversible trend
As compliance regulations and the economic value of information assets continue to increase, the U.S. economy can expect to realize new exposures by both providers of technology solutions as well as those companies that are increasingly dependent on technology. Any organization collecting data, automating information and providing broad access via one or multiple Web sites is a prime target for “cyber liability.”

Today, most professional liability insurers recognize that a company’s evolution in its use of technology is a key factor in assessing its technology and information risk profile. At each stage of technology evolution, new professional liability exposures are manifested. According to a recent article in the ABA Law Journal, cyber crime, technology negligence, and data protection liability will become significant growth areas for litigation given the absence of established case law around technology and information errors and omissions.

Liability of maintaining third-party data
According to recent statistics, identity theft is the fastest growing crime in America. A Federal Trade Commission report said that more than 27 million Americans have had their identities stolen in the past five years. The cost of those thefts was estimated at $5 billion.

Although most recent ID theft headlines stem from privacy mistakes at national banks, other industries that collect personal data are equally at risk. Studies of companies that lose their data in a disaster, conducted by the University of Texas and the Small Business Administration, have shown that 50 percent never reopen and 90 percent are out of business within two years. Information risk and liability clearly goes beyond large financial institutions.

The health care sector also is undergoing rapid digitization and centralization of third-party data storage. Although there are clear standards of care for protecting patient data under HIPAA, medical organizations are increasingly concerned about the perils of aggregating data, automating responses, and allowing access to data by a growing number of employees, business partners and customers.

Exposures today and in the future
The exposures of technology and information are real, and they are growing. Technology providers will continue to seek coverage for growing areas of exposure related to the products and services they provide to businesses. However, and perhaps more important, market trends are raising the necessity of technology and information E&O policies for the masses. Traditional firms that depend heavily on the use of technology and possess information assets must consider the necessity of technology and information E&O coverage.

For the foreseeable future, the market will continue to see high-profile errors where the once clear line of professional errors has been blurred by the pervasive nature of technology. Most professional liability insurance carriers will continue to wrestle with the fundamental question of, “Where does human error end and technology or information error begin?”

Drew Bartkiewicz is assistant vice president andhead of technology E&O at Darwin Professional Underwriters. He can be reached at: drewb@
darwinpro.com.

Topics Cyber USA InsurTech Tech