The Benefits and Limitations of Cyberinsurance
The Information Age. The Digital Age. The Computer Age. Whichever name you use, we’re in an era where many companies’ most valuable asset is information, from consumer buying habits to patient diagnoses to scientific data. At the same time, this asset also comes with a burden: companies are responsible for safeguarding the information they hold. Given the almost immeasurable amount of information produced today—something often called “Big Data”—the task can become overwhelming.
Data privacy laws such as the Gramm–Leach–Bliley Act in the financial sector and the Health Insurance Portability and Accountability Act (HIPAA) for health care are designed to protect customers in the event their information is compromised, most often during a data breach. Data breach notification laws, starting with California’s SB1386 in 2003 raised the legal and financial stakes for companies holding sensitive data. Since then, class action lawsuits and regulatory fines have become synonymous with data breaches. For instance, under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, health-care organizations could face up to $1.5 million in fines for violation of the HIPAA privacy and security rules.
In addition, new trends such as outsourcing data processing to cloud providers and the increased use of personal mobile devices to conduct business have greatly increased the risk of a data breach, since data are now in less-secure environments.
Statistics prove that data breaches are occurring more frequently, rising 32% in the health-care sector, according to a study on patient privacy and data security by the Ponemon Institute. InformationWeek reported that 419 data breaches were publicly disclosed in 2011 in the United States, with a combined 22.9 million records exposed, based on a study from the Identity Theft Resource Center.
The Benefits of Cyberinsurance
To help bear the costs associated with data breaches, some companies are turning to cyberinsurance as part of their overall risk management strategy. These organizations have discovered several advantages to having cyberinsurance.
1. Closing the Gap Between Traditional Coverage and Current Needs
Some cases have indicated that traditional insurance commercial liability insurance only covers liability arising out of “tangible” property, for instance the server on which a data is stored, rather than the data itself, says David Navetta, a founding partner of Information Law Group.
Traditional policies also do not explicitly cover first-party breach notification costs. This could leave a significant gap in coverage of an organization’s digital assets exposing them to the full costs of a data loss event. Cyberinsurance was designed to cover that gap. According to The Betterley Report, cyberinsurance typically provides coverage for: (1) Liability for data breach or loss of data, (2) remediation costs to respond to breach, and (3) regulatory and legal fines and penalties.
2. Offsetting the Expenses of a Data Breach
Given their unpredictable nature, data breaches are difficult to budget for. The size, scope, and complexity of each data breach vary widely. The breach of protected health information (PHI) can be particularly costly, given strict notification requirements, the potential for fines from multiple regulatory agencies, and specialized medical identity monitoring and recovery services.
Many organizations have found that cyberinsurance helps cope with unexpected expenses and bear some of the data breach costs, especially the costs around data breach notification. Typical breach coverage includes: Forensics investigations, legal fees (during and after response), data analysis, communication (notification letters, call center and regulatory notices), identity monitoring (i.e., credit monitoring), identity restoration services, public relations, regulatory fines, and legal settlements
3. Providing Resources for Data Breach Response
Many carriers, either through informal referrals or panel of approved vendors, offer resources to companies facing a data breach. Often, this includes a breach coach, an attorney who guides the insured through the breach response process and seeks to limit the organization’s legal exposure.
In addition, insurers may be able to provide referrals for a range of service providers including forensics, data breach notification, legal and PR, often at a pre-negotiated, discounted rate. Sometimes the use of approved vendors can increase coverage limits. Some companies find it convenient to use these vendors rather than shop around for their own data breach services provider. The other benefit to using a carrier’s resources is that of experience. A company’s legal counsel, for example, may not have experience in the data breach/privacy sector.
The Limitations of Cyberinsurance
As with all types of coverage, cyber liability insurance has limits. The following are three that every potential policyholder should understand.
1. Limits on Coverage
Not all policies are the same. What one may cover, another will not. For instance, some breaches are caused not by the data “owners” but by a third-party service provider, such as a cloud provider. In the health-care sector, the data owners (often hospitals or insurance providers) are often liable for the breach of protected health information caused by their business associates.
Another example: Companies with data breaches that cover multiple states face different notification laws. While the company may want to provide the same notice to all affected individuals, the insurer may not cover the cost of notification in states where it is not legally required.
Another variance is the source of a breach: Does a policy only cover “technical breaches,” such as the loss of a computing device or unauthorized access of a company’s systems? Other factors that affect coverage may include the types and amounts of fines or penalties levied or other actions by regulators that affect the outcome of a data breach.
2. Limits on Choice
The terms of a cyberinsurance policy may restrict the way an organization responds to a data breach. For instance, it may cover credit monitoring services for the breach of protected health information, which requires the monitoring of a patient’s medical identity, not their credit.
Cyberinsurance policies may also limit the choice of vendors when responding to a data breach. Many companies may prefer to use providers with whom they have an existing relationship, such as legal counsel, but are required to use the services of a preapproved vendor. Such limitations can impact the quality of a data breach response. For instance, the use of a foreign call center to manage the breach of sensitive data such as mental health records could be subpar.
3. Cannot Replace the Need for Data Protection
Even with the most comprehensive cybercoverage, companies still have the responsibility to improve their internal privacy and security measures. Ultimately, prevention is still the best form of insurance against a data breach. All organizations should regularly assess their privacy and security risks and then take actions to mitigate the identified gaps.
Additionally, all departments, from IT to human resources, should develop and regularly review their “Incident Response Plan.” This plan must provide an effective, cost-efficient means of helping the organization meet statutory requirements and develop guidelines related to data breach incidents.
Given the increasing complexity and likelihood of data breaches, companies are finding cyberinsurance provides a measure of security. Cyberinsurance, unlike traditional insurance, is designed to meet the needs of companies in the digital age.
As with all types of coverage, however, cyberinsurance has its limitations. Companies would do well to thoroughly research all their options before deciding to invest in cyberinsurance or other means of data breach prevention.
(The above post is a guest post for the Risk Management Monitor written by Rick Kam, president and co-founder of ID Experts, a provider of data breach solutions.)