Understanding network risk insurance

By Kevin P. Kalinich | April 9, 2007

Competition heats up as insurers begin to gain market experience and underwriting know-how

The total number of data breach victims in 2006 exceeded the $100 million mark — one record for roughly every three Americans. ID theft occurrences, which result from a portion of such daily breaches, have recently been in the spotlight. For example, millions of records were hacked at TJX (parent company of TJ Maxx). And, at Stop & Shop, over 1,000 shoppers’ debit information was “skimmed,” or obtained from fraudulently replaced point of sale systems. ID theft has now become the single largest complaint to the Federal Trade Commission (FTC).

The complex issue of commercial insurance coverage for liability from ID theft of a customer, prospect, partner, employee, student, or even from patient data, begins with the misuse of personally identifiable information (PII). PII is generally defined as the name, address and birth date of an individual, plus their: (1) social security number, (2) driver’s license number, (3) state ID, or (4) financial account, debit, or credit card number, in combination with any required security code or password (i.e. mother’s maiden name).

Two recent surveys found that companies that lose PII and other sensitive data to misuse incur an average cost of $5 million to $14 million per breach incident, with costs ranging as high as $50 million.

TJX has taken an initial hit of $4.5 million.

BJ’s Wholesale Club has a $16 million reserve to cover the costs related to any breaches.

Discount Shoe Warehouse has set aside $6.5 million to cover such costs, noting that they could rise to $9.5 million.

ChoicePoint settled their data security breach charges with the FTC for $15 million.

Adding ID theft options
Elements of insurance coverage for PII breaches may be included in a number of different lines of insurance coverage, such as general liability, crime, errors and omissions, media and property. However, changes in 2004 to the Insurance Service Organization’s standard forms, as well as two precedent-setting cases, have rendered those options dangerous.

The foremost ID theft coverage is evolving in network risk insurance, also known as cyber liability insurance.

Network risk insurance is coverage used to address the unique “e-risk” exposures associated with electronic processes, interactions and digital assets arising from computer-dependent business activities that may affect an entity’s financial statements. A well-constructed network risk policy will include a comprehensive coverage grant to address ID theft — both online and offline (where the majority of ID theft emanates). Such policies may address first party only risks, third party only liabilities, or both.

Claims experience
Other than individual lawsuits, where the amount of damages is typically very low (average $2,000), entities can be held liable in two primary ways: (A) by the FTC and (B) by consumer class actions brought by private parties or state attorneys general. The costs of complying with the 35 state disclosure laws, which mandate notice of data breaches to affected people, have not been material to date.

In 2006, the FTC settled with CardSystems for the 2005 security breach that caused millions of dollars in fraudulent purchases. Also in 2006, the FTC settled with ChoicePoint for a total of $15 million, which included $10 million for civil penalties and $5 million for consumer redress.

Courts in other data breach cases in 2006, such as those in Forbes v. Wells Fargo Bank, Bell v. Acxiom Corporation and Key v. DSW, have dismissed similar litigation based on plaintiffs’ lack of ability to demonstrate damages stemming from the theft or loss of their PII.

However, the trend is clear: consumers, government actors and legislators are all pushing for greater liability for those responsible for ID theft. Entities that deal with consumers’ PII should prepare themselves for the prospect of increased regulation and enforcement by the government, as well as private enforcement through consumer class actions.

Is network risk insurance being purchased?
Unlike more established lines of business insurance, there is not yet a set standard for a good ID theft underwriting submission. Presenting your company in the most favorable light requires a bit of effort, such as pulling together information from various disciplines within the firm, including risk management, legal, privacy officer, information technology, IT security, sales and marketing, product development and human resources.

Multi-layer programs with elements of network risk coverage have been written with total limits in excess of $150 million. Carriers that place primary policies offer limits between $5 million and $25 million for the first layer, with an average maximum primary layer limit offered at $10 million. Some carriers require a lower sub-limit for certain coverage related to data breaches.

Competition is increasing as carriers continue to gain experience with loss history and underwriting metrics in this area. While the average premium is $10,000 to $25,000 per million dollars of limits, the range of premium is $5,000 to $50,000 per million dollars of limits. Various sources estimate that total premiums written by the entire industry for network risk coverage are between $100 million and $350 million per year (compared to less than $100 million in 2005).

Different insurers approach coverage for ID theft in various ways — ranging from covering the exposures uniformly in network risk policies, regardless of the insured’s industry, to providing different coverage for professional services companies, financial institutions, health care, retailers and media companies. Regardless, the most comprehensive policies provide customized coverage and terms to meet the unique circumstances of each potential insured.

Kevin P. Kalinich is co-national managing director of professional risk solutions for Aon Financial Services Group. He assists companies in identifying exposures and solutions associated with electronic processes and interactions arising from business activities. Kalinich can be reached at kevin_kalinich@aon.com.


Insurance Journal Magazine April 9, 2007