What do you think it would cost your institution if a laptop with 10,000 customer records went missing? ChoicePoint was said to put the price tag at $100 per record. Ponemon Institute estimates $182 per record. Forrester Research gives a range of between $90 and $305-with the top end involving high-profile breaches in highly regulated industries such as banking. For the curious, a new online calculator created by Darwin Professional Underwriters puts the cost at $166 per record (www.tech-404.com/calculator), and shows the cost breakdown among internal investigation, notification and crisis management, and regulatory costs.
Not to say that C-level executives are panicky when they consider numbers like these, but every time there's a major data breach insurance companies that write policies to cover the technical side of breaches and privacy-protection policies prepare for a deluge. "Demand for netAdvantage has been outstanding," says Nick Economidis, vp and product manager at National Union Fire Insurance Co., a wholly owned subsidiary of AIG, which has offered a security-risk policy called netAdvantage for years. "We've seen a significant uptick in interest and a significant uptick in buying as a result of data-disclosure events, most notably in the last couple of months," he says.
Cyber-security policies typically have a range of coverages that have evolved over the past few years as individual states have enacted a patchwork of laws on privacy and consumer notification. The latest version of AIG's coverage includes Internet-media liability coverage, security and privacy liability, and crisis management, which includes hiring an emergency public-relations team, notifying affected customers, and monitoring credit, which may be offered as a goodwill gesture to customers.
Darwin, which created the data-breach cost calculator, says its new offering is different from AIG's and other products. "We've come with a different take on the market," says Adam Sills, lead underwriter for Darwin's Tech 404 insurance policy. "Others come from a network-security perspective. What we've done with our product is really focused on the data-privacy aspect."
Despite the recent interest in data breach insurance, the future of the product-and who exactly will need to buy it-is uncertain. A data bill in Congress would require the company at fault to cover associated costs. Since the majority of the major breaches thus far are attributable to retailers, banks may see less of a need to insure this risk if retailers will be compelled to pay for the breaches attributed to their Swiss-cheese security. Similarly, if the banks that have filed a class-action lawsuit against TJX prevail, retailers may routinely begin to foot this bill.
Meanwhile, skeptics of this insurance note that insurance companies require data-protection and security in place in order to reduce the chance institutions must make a claim. That makes sense from an insurer's point of view, but it also implies that the money spent on premiums might be better spend on beefing up security. "You always have to get the security processes in place before you even qualify," says John P. Pironti, chief information-risk strategist at Getronics. "The reality is: If you do all of those things right, you shouldn't need the insurance in the first place."
Lisa Sotto, an attorney who heads the privacy practice at Hunton & Williams, says few of her clients have sought out these policies. And that might be just as well. Sotto's review of several available policies found that firms retain much of the risk associated with data loss, and that coverage limits wouldn't come close to covering the liability an institution might face in a major breach.
"It may be a good idea for a smaller company to get that insurance and protect itself against wiping out an entire business in the case of a data breach," says Khalid Kark, a Forrester analyst. "On the other hand, it may not cover every kind of loss the company might have in the event of a data breach."
(c) 2007 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
