Data Breach Risk Management

Data breaches have become an all too common topic. Recent breaches at Target, Neiman Marcus and Yahoo have impacted millions of consumers. These are high-profile incidents, but many more are experienced by small and mid-sized businesses every day. For example, the Massachusetts Office of Consumer Affairs was notified of 1,555 data breaches reported by businesses in 2013, a 30% increase over the previous year.

Forty-six states have passed data breach notification laws. To understand fully what is involved in a data breach, one can review resources like https://www.fortinet.com/resources/cyberglossary/data-breach. While the specifics of these laws vary, a common theme is that businesses must notify both state regulators and the individuals potentially affected by a breach that exposes their personal information. Examples of personal information include name, social security number, date of birth, driver’s license number, and credit card number. Some of these laws require the business to offer credit monitoring services to the impacted individuals in addition to the notification. Failure to comply with data breach laws could result in sizable penalties.

There are many risk management approaches that businesses can take to reduce the threat of data breaches. Businesses should develop best practices for handling digital and paper records so that they are safeguarded against cyber threats. Consultation with a firm specializing in computer security is critical. The Ponemon Institute (www.ponemon.org) is an excellent resource for cyber security issues. Ponemon and Symantec have developed an online Data Breach Calculator (https://databreachcalculator.com) to help you evaluate your exposure to loss.

Cyber Risk Insurance is an important consideration in the risk management process. These policies can provide first-party and/or third-party coverage. First-party coverage addresses expenses associated with customer notification, credit monitoring and public relations. Third-party coverage responds to litigation that results from a breach. Businesses with a particular need for this type of insurance include medical, legal, financial and retail operations.

Those of us impacted by the Target breach have seen components of Cyber Risk Insurance firsthand. The public relations initiatives and credit monitoring services are both examples of first-party coverage available through Cyber Risk Insurance policies. Credit monitoring services can cost $50 per customer and are often required by state regulations. Target’s third-party exposure will be responding to the litigation that is likely to come its way as a result of the breach. The third-party component of a Cyber Risk policy will defend the lawsuits and pay damages if awarded.

Please click here to view an example of a Travelers application for this product. In most cases we can obtain premium information when you provide a few pieces of basic information. Please feel free to contact your representative to explore possible insurance solutions relating to data breach or cyber issues.