View this article online: https://www.insurancejournal.com/news/national/2009/10/29/104878.htm
Cell phones, smart phones, MP3 players, computers, e-mail, the list goes on and on of technological inventions that are part of our everyday lives.
The observation that electronic data density doubles every 18 months—was first conceived in the mid-60’s by Gordon Moore, a co-founder of Intel. Today’s IT experts say this theory will continue to hold for at least another two decades.
The pace of technological change over the last decade has been nothing short of breathtaking, and begs the question, “what’s next?”
Technology reaches into every corner of our lives, personal and professional. All of our social institutions are deeply affected by it: governmental, educational, religious and charitable. Every aspect of modern business is entwined with technology, no matter the size or scope of the enterprise. With the onslaught of technological progress, the very nature of operational risk for all of these entities has fundamentally changed.
We are in a knowledge-based economy, where information is available to almost anyone, instantaneously. As such, the keepers of that knowledge have enhanced powers and obligations. The concept in tort law of “duty owed” to another has been broadly expanded. Entities that possess private information about someone are required to protect that information. The standard of care has been increasingly augmented by legislation over the last several years, and is likely to increase much further.
This trend causes great concern to any bank or business that deals with customers’ credit information. Identity theft is rising. From financial institutions to medical offices to ordinary retail shops, the problem of hacking and data breach just keep growing.
More than half of the “Fortune 2000” companies have experienced a material data breach in the last five years.
The problem is not just limited to these large organizations; small businesses are victims too. Any business that has information on their customers is at risk. This would include any insurance agent or broker, no matter the size. Think about all of the personal information obtained on any insurance application.
Recently, a Florida man who was already in jail was indicted for a third time by a federal grand jury in New Jersey. He is accused of stealing data involving more than 130 million credit cards used by customers of five retailers including the 7-Eleven chain. At the time of this writing, the scope and breadth of this unprecedented crime is still unfolding in the media, heightening the concerns for the safety of identity information in our 24/7 connected world.
This news story is by far the most dramatic one to date. But let’s be clear: media reports of data breach incidents have been steadily on the rise for the last several years. There is an entire cottage industry now devoted to tracking and reporting this segment of cybercrime.
Traditional insurance products are inadequate to cover the new types of events that can result from privacy invasion or misuse of technology. Neither standard property/business interruption policies nor the commercial general liability policy have provisions for losses arising out of the wrongful breach of data held by the insured. The risk of experiencing a data breach pervades all of modern society. Simply stated: all institutions that hold any sort of confidential data regarding any of their constituencies—are now held to this higher standard of care to protect their confidentiality. This obligation will only continue to increase in the coming years.
Over the last decade, the government has stepped up regulatory activity to try and deal with the new realities of data vulnerability. The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. The regulations became fully operative by 2003. A key element of the HIPAA law is to protect privacy. Title IV of the law defines the rules for protection of patient information. All healthcare providers, health organizations and government health plans that use, store, maintain or transmit patient health care information are required to comply with the privacy regulations of this law.
Embedded in the American Recovery and Reinvestment Act (the “stimulus bill”) signed into law by President Obama on Feb. 17, 2009 is the Health Information Technology for Economic and Clinical Health Act (HITECH Act) which significantly expands the scope of HIPAA. Many of the law’s provisions take effect at the beginning of 2010, so health care providers should already be planning their compliance strategy now.
The Federal Trade Commission began to enforce a data safeguard rule effective August 1, 2009 that requires businesses to develop identity theft programs. Under this “Red Flags Rule,” financial institutions and creditors are required to implement programs that detect warning signs of identity theft and these programs must be updated regularly. Failure to comply with Red Flags could result in fines and other penalties.
The current economic downturn is another culprit fostering data hacking. Angry employees, both former and current, are an increasingly worrisome source of data breach risk.
Cyber security experts are in agreement that this heightened regulatory climate should be a “wake up” call to those charged with risk management to reevaluate their security programs in order to comply. Part of this review process should include a risk tolerance evaluation, and the cost/benefits of purchasing insurance.
The insurance industry has been developing products over the last few years to meet the challenges of this new reality. Robust coverage is available in the surplus lines market.
Some of the types of coverage available are: coverage for unauthorized access by employees; reimbursement coverage to bring the system back up to speed; extortion; loss of copy write and trade secrets; cost to notify harmed parties; public relations and communication (damage control) and cost of credit monitoring. These are just some of the many coverages available in the market today.
In addition, insurance carriers are continuously updating and enhancing their coverage offerings, in response to the burgeoning demand.
Insurance agents and brokers should be sitting down with their clients, regardless of their size or sophistication, and doing a stress-point evaluation of their vulnerability to data breach. A good starting point is to review all of the systems with the head of IT. But it should not stop there. The bulk of the risk emanates from human behavior—ignorance; carelessness; error; and malice. Any or all of these can result in data being compromised.
Some “what if” scenarios should be identified, including the potential costs to the organization under each scenario. The organization’s tolerance for absorbing the different levels of cost (not just hard dollars, but also cost to productivity; potential litigation; cost to reputation; among others) should then be considered.
Obtaining quotes for data breach insurance from excess and surplus brokers and underwriters is key in addressing this critical risk management issue. With this information in hand, the client (and potential insured) can then make an informed decision as to the best course to follow.
Donovan is vice president for Product Development at Burns & Wilcox. She can be reached at 248-539-6090 or at mldonovan@burns-wilcox.com. This article originally appeared in Insurance Journal magazine, Oct. 5, 2009.