Dark Day Planning: Insuring Against Data Loss

As the financial penalties and risks associated with potential data incidents continue to mount, enterprises are seeking out insurance policies that will help them when something goes wrong.

The list of data breaches involving sensitive personal information maintained by the Privacy Rights Clearinghouse achieved a significant milestone Dec. 13, as the nonprofit group saw the total number of records exposed in such events crest the 100 million mark.

Since the PRC first began tracking data losses in February 2005, when consumer data aggregator ChoicePoint reported that fraudsters had gained access to 163,000 consumer records, most states have passed legislation forcing companies to inform individuals when their information may have been lost. The laws also essentially compel companies to admit their mistakes publicly.

Threatened by financial losses related to data leakage events, which now include potential payouts to consumers and regulators as well as revenues lost because of damage done to their corporate reputations, enterprises are turning to their insurance brokers seeking new levels of protection.

"The impact of those breach notification laws is just starting to permeate through business because of all the press given to the events and the growing expectation for companies not only to notify customers but also [to] pay for services such as credit monitoring," said Nancy Callahan, vice president of the Identity Theft and Fraud Division of insurance giant American International Group, in New York.

"The costs for informing and supporting affected consumers can be expensive, and there's also the additional cost of regulatory investigations and civil lawsuits."

As a result of the widening impact of data losses, AIG has seen its business of providing insurance for potential corporate security failures shift increasingly toward protection for privacy-related risks. Another growing driver for new forms of insurance is the many government data compliance regulations that threaten stiff penalties for companies that cannot effectively defend their information, such as the Sarbanes-Oxley Act, according to Callahan.

The parameters of these newly crafted insurance policies are determined by the size of the company, the volume of data it handles and the level of security it has established for its IT infrastructure.

At an Information Technology Association of America conference in Virginia in November, U.S. Rep. Tom Davis, R-Va., told security experts that he believes private companies and government agencies are failing to report all their data losses, partly out of fear of the financial repercussions.

As an example of the potential fallout of a serious breach, researchers point to the Department of Veterans Affairs laptop theft incident in May, through which the agency exposed the records of an estimated 28.6 million former servicemen and servicewomen.

If the class action lawsuit currently pending against the agency in Washington—which seeks damages of $1,000 for every person listed in the missing files—were to win a settlement for every veteran affected by the information breach, the government would be on the hook for $28.6 billion.

More recently, on Dec. 12, the University of California, Los Angeles reported that a database loaded with the personal information of current and former students, faculty and staff was hacked by outsiders. The massive breach is the type of event that will push more states to put strict data protection laws on the books.


"In the next two years, all 50 states will have similar laws in place patterned after California's 1386 law," said Robert Scott, attorney with Dallas-based Scott & Scott, which specializes in IT compliance law. "As a result, there are a lot of companies doing assessment of insurance coverage right now. Many don't even know what their existing coverage for these events may be or what's available."

Researchers say the majority of identity fraud is still carried out by traditional means, such as dumpster diving and credit card schemes, but indicate that the perceived risk of ID theft via the loss of electronic records will likely continue to present businesses with new financial liabilities.

However, the proliferation of state data-handling laws and compliance regulations should actually make it easier for enterprises and their insurers to prepare for potential mishaps, said Larry Ponemon, chairman of Ponemon Institute, in Elk Rapids, Mich.

Information losses cost U.S. companies an average of $182 per compromised record in 2006, compared with an average loss of $138 per record in 2005—an increase of about 31 percent, according to a report published by the Ponemon Institute in October.

"I'm not surprised at all that the insurance industry is starting to take advantage of this, only that it's taken this long for the market to develop," Ponemon said.

"But without the automatic penalties created by the laws, it was hard for them to underwrite the risk. Business executives are troubled by the idea of how you define the risk of a catastrophic system blowup or breach involving millions of customers, so insurance companies are seeing the potential for a fairly serious market for policies that help mitigate these risks."
