Business owners have long protected company
assets through property and casualty insurance that covers bricks and
mortar, but they now face danger from another corner: cyber and privacy
breaches.
"The number one trend that I'm seeing right now is
companies facing cyber exposures and addressing cyber risk," says Todd
Belden, president of the Cincinnati office of Hylant Group. "The
definition of assets is really changing. Ten years ago, you would not
have thought of data as an asset. It's really a company asset that needs
to be protected."
Cyber or privacy breaches occur when sensitive data,
such as employee Social Security numbers or patient health information, are lost or stolen. Traditional insurance against theft does not cover
data breaches from hackers who steal digital information, and most
insurance plans do not cover the costs incurred from misplacing or
losing sensitive data.
"These policies are purchased as standalone
products," says Spencer Timmel, privacy liability and network security
specialist for Executive Risk Practice at Hylant Group. "Companies with
Personally Identifiable Information and protected health information
should purchase standalone products to transfer this risk and protect
their balance sheet."
Lost or stolen data can cost millions of dollars if
not protected. The TJX Companies, the parent company of T.J. Maxx and
other retail stores, suffered data breaches in 2005 and 2006 that
compromised approximately 94 million credit cards and cost the company
an estimated $250 million. In 2009, the largest breach to date occurred
when 130 credit card numbers were pilfered from Heartland Payment
Systems, with damages already numbering $200 million and still ticking.
As individual information online becomes more and
more public, so, too, is sensitive business information becoming more
open to exposure.
"If you're doing anything online, you're risking
this exposure," Belden says. "Obviously, the size of your online
activity dictates your exposures. If you sell products online and you're
capturing credit card information, any type of personal information at
all, then that's an exposure as well."
COMBING FOR COVERAGE
Businesses need property and casualty insurance, but
often face the daunting task of deciding what type of insurance product
to purchase, the amount of risk retention to assume, and the right
broker to hire. Specialty insurance products can be purchased for farm
crops, equine mortality, ocean and marine packages, as well as cyber
liability.
"You have to truly hire a broker who understands
your exposure, understands your products, understands the markets to be
able to tailor the product that best fits your needs," Timmel says.
Choosing the right coverage is highly
industry-specific and varies based on the company's type of risk and level of
exposure. A local retailer processing less than 25,000 credit cards per
year does not face the same risk as a national retailer with hundreds of
store locations and a large
e-commerce website.
"Primarily, it is geared toward how much information
you're storing," according to Timmel. "If you're a smaller
organization, you certainly have less exposure, less risk to your
balance sheet, but that should not undercut your responsibility to
manage the risk, to understand it."
When a privacy or cyber breach occurs, companies are
obligated to notify the affected parties. Notification requirements
vary by industry: Health care is regulated by HIPAA and the HITECH Act,
but companies handling credit cards must comply with the Payment Card
Industry Data Security Standard.
Regulations for notifying affected individuals also
vary state by state. So, if a customer from Georgia has a credit card
number stolen at a store in Ohio, the store in Ohio has to comply with
Georgia notification regulations. When thousands of records are
compromised, managing notifications across state lines and responding to
potential lawsuits becomes a difficult task.
"It's time consuming and not very easy for the
company going through the breach to figure out, without spending a lot
of money," says Craig Hoffman, an associate with Baker & Hostetler
law firm.
Companies must notify thousands of individuals, hire
legal counsel, protect their brand name and preserve consumer trust. So
the financial fallout piles up quickly, costing $214 per compromised
record and an average of $7.2 million per data breach event, according
to the Ponemon Institute's 2010 U.S. Cost of a Data Breach report.
RISK MANAGEMENT
"It's not a matter of whether you will be breached,
but when you will be breached," Hoffman says. "And not having a plan in
place makes the first time you get breached a nightmare, if you're not
ready."
Timmel says that while data breaches perpetrated by
hackers against large corporations make headlines, about 40 percent of
breaches are the result of misplaced files or lost mobile devices such
as laptops. In 2006, Starbucks Corp. misplaced several laptops that
contained approximately 60,000 employee files with Social Security
numbers and addresses.
"You lose a laptop, you lose a flash drive, you send
an email that has an attachment and you try to send it internally and
it gets sent externally. Those types of mistakes are a significant
exposure," Timmel says. "Just because you lose that information and it's
a mistake, does not exempt you from complying with federal and state
laws."
Cyber risk can be mitigated by performing risk
assessments, managing data safely, and having plans in place to respond
to a breach.
"It's kind of one part technology, one part diligence and effort," Hoffman says.
Companies need to decide from the outset how much
protection they need and how much risk to retain. Purchasing property
and casualty insurance will not be enough for a company handling large
amounts of sensitive data: They need separate cyber liability coverage,
because lost or stolen data can quickly become more expensive than
burning down your storefront.
"Bricks and mortar is easily replaceable: It's
something you can put a hard dollar on," Belden says. "With [cyber risk]
there are far-reaching expenses."