Insuring Against Data Loss

Companies look for financial protection in the event of security breaches.

The list of data breaches involving sensitive personal information maintained by the Privacy Rights Clearinghouse achieved a milestone Dec. 13, as the nonprofit group saw the total number of records exposed in such events top the 100 million mark.

Since the PRC first began tracking the events in February 2005, when data aggregator ChoicePoint reported that fraudsters had access to 163,000 consumer records, most states have passed laws forcing companies to inform individuals when their data may have been lost. The laws also compel companies to admit their mistakes publicly.

Threatened by financial losses related to data leakage events, which now include potential payouts to consumers and regulators as well as revenues lost because of damage done to their corporate reputations, enterprises are turning to their insurance brokers seeking new levels of protection.

"The impact of those breach notification laws is just starting to permeate through business because of all the press given to the events and the growing expectation for companies not only to notify customers but also [to] pay for services such as credit monitoring," said Nancy Callahan, vice president of the Identity Theft and Fraud Division of insurance giant American International Group, in New York. "The costs for informing and supporting affected consumers can be expensive, and theres also the additional cost of regulatory investigations and civil lawsuits."

AIG has seen its business of providing insurance for potential corporate security failures shift increasingly toward protection for privacy-related risks. Another driver for new forms of insurance is the many government compliance regulations that threaten stiff penalties for companies that cannot effectively defend their information, such as the Sarbanes-Oxley Act, Callahan said. The parameters of these newly crafted insurance policies are determined by the size of the company, the volume of data it handles and the level of IT protection it has established.

At an Information Technology Association of America conference in Virginia in November, U.S. Rep. Tom Davis, R-Va., told security experts that private companies and government agencies are failing to report all their data losses, partly out of fear of the financial repercussions. An example of the potential fallout of a serious breach is the Department of Veteran Affairs laptop theft incident in May, through which the agency exposed the records of an estimated 28.6 million former servicemen and servicewomen. A class action lawsuit pending against the VA in Washington could cost the government $28.6 billion if successful.

More recently, on Dec. 12, the University of California, Los Angeles, reported that a database loaded with personal information of current and former students, faculty, and staff was hacked by outsiders. The massive breach is the type of event that will push more states to put strict data protection laws on the books.

"In the next two years, all 50 states will have similar laws in place patterned after Californias [SB 1386] law," said Robert Scott, an attorney with Dallas-based Scott & Scott, which specializes in IT compliance law. "As a result, there are a lot of companies doing assessment of insurance coverage right now," Scott said.

Data losses cost U.S. companies an average of $182 per compromised record in 2006, compared with an average loss of $138 per record in 2005—almost a 31 percent increase, said a report published by the Ponemon Institute in October.


The story "VOIP: 10 years of lowering costs" in the Dec. 11 issue incorrectly identified Echopass Corp. Echopass is an independent company and is not part of Sprint.