by Eric Cernak, assistant vice president, and Mark MacGougan, vice president, strategic products
The Hartford Steam Boiler Inspection and Insurance Company, Hartford, Conn.
This is the latest in a series of guest columns by professionals in organizations that are associate members of AAIS. For information on having your company become an associate member, contact Rick Maka, director of marketing and strategic alliances, at rickm@AAISonline.com, or by calling 800-564-AAIS, ext. 222.
With almost all states passing laws to protect the personal information of consumers, the pressure is mounting on businesses to notify customers of a data breach and to provide free services to help them prevent identity theft and fraud.
How many companies would know what to do, however, when the private information they keep on customers or employees is lost, stolen, or inadvertently made public?
That’s especially true of small and mid-size businesses, which are less likely to have IT security experts, or use anti-virus software or encryption that can help prevent a loss. Most of those businesses lack the resources to respond quickly when data is breached.
It’s a growing exposure, creating a need for new data compromise insurance products and services to help protect smaller businesses and organizations. This emerging market presents opportunities for insurers as consumers and lawmakers demand more accountability of companies and a faster response when personal information is disclosed.
What your insureds don’t know about data breaches can really cost them when the personal information they are responsible for is lost or stolen. Here are 10 misconceptions about data breaches and data compromise coverage that can help your clients respond.
- I don’t have an exposure because I don’t keep personal information on customers.
Any entity that has employees is exposed. It may keep Social Security numbers for payroll, health information for benefits, and other sensitive data on current and former employees, and job applicants.
- I’m not at risk because I don’t do business on the Internet.
Computer hackers stealing information on the Web get a lot of media attention. But most data breaches occur by other means, such as lost or stolen paper files, or electronic media, including laptop computers, CD-ROMs, or flash drives.
- Personal data breaches only happen to large companies and public agencies.
Data breaches affect businesses of all sizes. In fact, smaller organizations can be more susceptible because they have fewer resources and may be less focused on data security.
- Laws requiring notification of personal data breaches only apply to large businesses.
At least 46 states require notification of people affected by a data breach. The laws will most likely apply to any commercial entity that collects personally identifiable information.
- In this economy, I can’t afford any more insurance.
You can’t afford not to have data compromise coverage. A recent study found that direct costs to respond to a breach averaged $60 per record. Even a small breach of 100 records could cost you thousands of dollars.
- I already have coverage for data breaches under my General Liability or other commercial insurance policy.
You should read your policy closely. Covered damages usually result from bodily injury and property damage. The courts generally rule that electronic data is not considered tangible property.
- Insurance coverage to help provide a professional response to a data breach would require a separate policy with a lengthy application and various audits.
Until recently, that was true. Now, more carriers are offering data compromise, a data breach response expense coverage, as an endorsement to commercial lines policies, and usually don’t require an underwriting application.
- There is nothing I can do to reduce my company’s chances of having a personal data breach.
There are several steps you can take to streamline the personal information you keep and safeguard that data to reduce the risk of loss or theft. Some insurers that offer data compromise coverage provide loss prevention information.
- If my company has to notify customers of a data breach, we can send letters of apology and business will get back to normal as the incident fades.
You may comply with the law, but your business would have a public relations problem. Left on their own, your customers may go elsewhere. Consumers have come to expect free services, such as a toll-free information line, credit monitoring and identity recovery services.
- I don’t need data compromise insurance if I spend more on information technology security.
IT security may help reduce your exposure, but it won’t prevent a breach from occurring. Data breaches often involve staff error or rogue employees who have access from the inside. You need insurance and appropriate IT security.
U.S. businesses account for almost half of all data breaches, which have exposed hundreds of millions of personal records over the past several years, industry studies show.
The loss or theft of laptop computers and physical files is the biggest source of compromised information, followed by computer hacking. Some sensitive personal data is carelessly discarded in dumpsters, recycling centers, even curbside trash cans.
Whatever the cause of a data breach, a company must protect its reputation and relationships with customers by notifying them and providing services.
The cost is high, but falling short of expectations can have serious consequences. One study found that 31 percent of customers ended their business relationship when a business experienced a breach of personal information, and 75 percent of companies reported losing sales as a result.
In at least 46 states, plus the District of Columbia and Puerto Rico, laws have been passed that require a business or organization to notify consumers when their personal information is breached.
Federal law imposes disclosure rules on health care providers, including doctors and dentists, and legislation is pending that would extend similar requirements to many other types of businesses. Smaller companies may not be aware of these legal obligations, but a failure to comply can result in fines, penalties and bad publicity.
Increasingly, insurers offer data compromise programs to help fill this coverage gap, packaging the coverage with their small business policies to keep it simple and affordable.
The new programs enable smaller commercial customers to provide a timely, professional response when personal data is breached, similar to that of larger companies. Data compromise coverage typically includes:
- A legal review of statutory obligations, which vary by state and circumstance;
- Forensic information support to determine the nature and scope of the breach, to identify the individuals affected and the means available to notify them;
- Preparation and production of notifications and call center support;
- Credit monitoring for persons affected; and
- Identity restoration case management and other personal services for victims of identity theft and fraud that occurred because of the data breach.
Small businesses are a prime target of thieves as data breaches continue to escalate. Every day, criminals devise new ways to infiltrate organizations and steal information; other personal data is lost or revealed by mistake.
Until now, small businesses had limited options when faced with the disclosure of private information. The new data compromise programs offer them a simple solution to help cope with a complex and evolving exposure.
Eric Cernak, assistant vice president, and Mark MacGougan, vice president, for strategic products with The Hartford Steam Boiler Inspection and Insurance Company, manage HSB’s data compromise and identity recovery programs. These turnkey programs reinsure coverage for other property-casualty companies.