Small Businesses Confront Big Cyber Risks

By Nicholas Economidis and Jamie Orye | September 7, 2009

Larger Firms Tend to Have More Data Security Resources

The theft of personal and private data — from credit card information to Social Security numbers to health information — is a thriving global crime, and it is fed by data security breaches that cost companies millions. The number of reported data breaches increased dramatically in 2008, up 47 percent from the prior year, according to the Identity Theft Resource Center. And network security breaches are notoriously under-reported.

With human and financial resources stretched thin, a company is more susceptible to lapses in the procedures intended to keep personal and private information secure. Smaller and privately held companies are especially vulnerable. Hackers know that larger companies are likely to have a cadre of risk management, IT and network security experts guarding against data breaches. Smaller companies often have a fraction of the IT infrastructure and budget. They also lack the financial resilience to absorb the steadily rising financial impact of data breach incidents.

The High Price of Cyber Risk

The Ponemon Institute’s Fourth Annual U.S. Cost of Data Breach Study showed the cost per data breach incident was $6.65 million in 2008, up from $6.3 million in 2007. That translates to $202 per compromised customer record. For the e-tailer ringing up 10 sales a day, that’s $700,000 if a year’s worth of records are breached. For the MRI facility logging 15 scans daily, the cost can exceed $1 million for every year of patient records compromised. Litigation can push costs even higher.

The Veterans Administration famously paid $20 million to settle a case involving a single laptop stolen from an employee’s home, even though there was no evidence that the thief misused any data from the laptop.

A company whose data is breached can face substantial expenses just to notify affected customers. Forty-six states require businesses to alert customers when “personally identifiable information” is compromised. (State-specific notification regulations are available at http://www.beazley.com/databreachmap.)

When customer credit card information is involved, victimized businesses may be subject to claims from banks for the cost of issuing replacement credit cards to customers, which can run $10 to $20 per card, according to America’s Community Bankers. Businesses targeted in cyber incidents often incur credit monitoring expenses for those whose data is compromised, as well.

State and federal governments are now calling on U.S. companies to do more than ever to protect the information entrusted to them. Massachusetts, for instance, requires all businesses that hold personal information on state residents to do everything from developing a data security program, to monitoring employee access to information, to encrypting personal information on laptops.

Effective Nov. 1, 2009, the Federal Trade Commission’s Red Flag Rules require financial institutions, health care providers and other businesses extending credit to customers to implement programs supporting early detection of identity theft.

What’s a Small Business to Do?

Prevent and protect is the mantra for any business that holds or maintains personal or private information of any type. As with any serious business risk, proactive risk management and loss prevention are paramount to avoiding losses and mitigating damages.

Still, even the best risk management practices and state-of-the-art network security will not make a company impenetrable. As awareness of cyber threats to smaller, private businesses has grown, so has support from the insurance community. Cyber insurance programs can serve a dual purpose, supporting a company’s loss prevention and compliance efforts and mitigating the financial impact of a breach. For optimal protection, coverage should encompass, among other things:

  • Legal liability for: theft, loss or unauthorized disclosure of personally identifiable information; failure to comply with state data breach notification laws; and content the insured publishes on its Web site.
  • Fees and penalties arising from failure to comply with privacy policies and/or administer a government-mandated identity theft prevention program.
  • Costs to defend regulatory proceedings arising from violations of privacy laws due to a covered theft, loss or unauthorized data disclosure.
  • Expenses to comply with state notification regulations, plus fees for legal counsel.
  • Credit file monitoring for victims.
  • Services of computer security experts to confirm that a security breach occurred and determine its cause.

Companies can also look to their insurer and insurance broker to ease the complex burden of managing cyber risks by providing access to information and resources to help mitigate exposure.

From This Issue

Insurance Journal Magazine, September 7, 2009

State/Regional E&S Report; Cyberisk/Identity Theft; Top Workers’ Comp Insurers