Insurance insecurities: Data-breach policies touted as way to protect businesses from cyber-related losses

March 3, 2008

Several local entities, ranging from St. Vincent Indianapolis Hospital to the state of Indiana to Indianapolis Public Schools, last year experienced well-publicized electronic security breaches involving confidential data.

While the victims of the lapses and those at fault emerged relatively unscathed, such incidents underscore the ease with which personal information can be lost or stolen in today's computerized world.

With roughly 165 million people tapping into the Internet nationally, the opportunities for security breaches are plentiful. Throw in the growing number of portable data-storage devices, from flash drives to cell phones, and the chances for data-security mishaps become almost limitless.

None of the three aforementioned local organizations carried (and still don't) what's known as data breach insurance, policies that can protect employers in the event of many data-security disasters.

The fact they had no such safety net, however, is hardly unusual. Data breach coverage is still in its infancy, and its value still in question. A few major insurers such as Chubb, AIG and CNA began rolling out policies early in the decade. But it's been in just the past two to three years that carriers have fine-tuned their efforts to market the products.

Even so, Jeff Webster, a senior vice president at local agency Gregory & Appel Insurance, thinks cyber insurance ultimately will rival employment practices liability insurance. The rise in discrimination claims has helped demand for the coverage soar since its introduction in the mid-1990s.

"It's not an easy sell," said Webster, who's sold only one data breach policy. "But I believe in the next 10 years it will be standard coverage."

A 2007 survey from the San Francisco-based Computer Security Institute found the average annual loss reported by U.S. companies suffering a data breach was $350,424. Credit and debit card fraud overtook virus attacks as the source of the greatest financial loss.

Cyber insurance typically covers identity-theft claims, network damage and business-interruption costs, plus emergency response and public relations support, among other expenses. Traditional business insurance policies usually don't cover such incidents, insurers say.

Not inexpensive

Premiums range from as little as $500 annually for up to $100,000 in coverage to hundreds of thousands of dollars for millions of dollars in coverage. The average premium is $10,000 to $25,000 per $1 million of limits. Deductibles can run between $100,000 and $500,000 for $1 million to $10 million in coverage.

Financial institutions with scores of customers and health care providers with sensitive patient information are natural candidates for the coverage, experts say.

The Gramm-Leach-Bliley Act requires financial institutions to safeguard customers' records against unauthorized access. And the Health Insurance Portability and Accountability Act does the same for the health care industry.

But do the benefits of the insurance outweigh the costs? Fred Cate, director of Indiana University's Center for Applied Cybersecurity Research, is unsure.

"Honestly, who knows?" he said. "The cost surrounding a cyber event can be very significant. Insurance can only protect against a certain amount of that."

High premiums and deductibles, along with the incorrect assumption that general-liability and commercial-property policies offer protection from privacy breaches, are a few of the factors impeding growth of such insurance, industry experts said.

But increased competition and a longer loss history that could drive down rates should help the coverage become more prevalent, they said. Roughly a dozen carriers provide privacy-protection policies.

Bookkeeping firm Foster Results LLC in Westfield obtained the insurance early this year. The firm purchased a policy that is cheaper than its general-liability insurance, company President Jennifer Foster said.

Information from a growing clientele stored at the company and on an off-site file server prompted her to seek the additional safeguard.

"They're using names and passwords for their bank accounts," Foster said of her clients, "so, obviously, we have a huge liability when it comes to protecting their information."

Other companies don't seem to see the need for the coverage.

St. Vincent inadvertently made available last July the personal information of 51,000 patients. The security lapse occurred when Verus, a subcontractor that was developing a medical-billing site, made a change to an Internet server, revealing the patient data from a test Web site through Internet searches.

The site was not up and running yet, and the information was available for only a brief time, St. Vincent spokesman Johnny Smith said.

To ease patients' fears, the hospital provided one year of free identity-theft insurance coverage and a free credit report. Still, St. Vincent has no plans at this time to invest in cyber insurance, Smith said. Neither does IPS nor the state government.

In the case of IPS, an Indianapolis Star reporter discovered thousands of confidential student records through Google searches. The data included medical information and Social Security numbers. The breach appeared to result from a careless network setup.

An IPS spokeswoman said the school system remains without the insurance and referred questions to another IPS official who didn't return phone calls.

A security breach of a state government Web site in February 2007 exposed thousands of credit card numbers. About 5,600 numbers were compromised when someone figured out how to access them while they were stored at www.in.gov.

A public relations hit was the only damage sustained, said Brian Arrowood, director of delivery services at the Indiana Office of Technology.

"I can't quantify the costs of those types of issues," he said. "If you sold product, and it had a very direct impact on cost, it may be appropriate to buy it."

Subject to violations

Entities that expose personal information can face penalties from the state. A law that applied to just state agencies was amended in 2006 to include private companies. It stipulates that businesses must disclose a breach to both customers and the state Attorney General's Office.

A penalty of $150,000 per violation also can be assessed. The office has yet to dole out any fines, spokeswoman Staci Schneider said. The first step is to ensure the company is complying with the law and issuing the proper notifications, she said.

Whether cyber insurance will alter the way companies conduct business remains to be seen. But Sean Murray, a principal at Conor Patrick Insurance Services in Westfield, which sold a policy to Foster Results, thinks it will.

If enough companies fall victim to cyber attacks and subsequent lawsuits, the market will demand products be provided by every insurance carrier, he predicted.

Ruth Miles, senior vice president of Aon Risk Services in Indianapolis, part of Chicago-based Aon Group, takes a more cautious approach. She urges companies to take inventory of exposure risks and what they can do to mitigate exposure before seeking coverage.

Insurance isn't always the solution, she said, but noted breaches are the types of events that can "put people out of business."
Recent Articles by Scott Olson