What Penalties Will a Data Breach Bring to your Company?
Data breaches are a large and growing problem for businesses of all sizes: The Data Loss Database - an online resource devoted to documenting reported and unreported lapses in data security - reports that the number of data breach incidents has grown steadily every year for the past four years, and has nearly doubled between 2009 and 2012. As of this writing, the number of known data breach incidents stands at 1,333.
To put the problem in perspective, the same organization reports that there were only 44 such cases in 2004.
Although the number of cases appears small, each case can affect a very large number of people. Nationwide Insurance recently reported a breach that potentially leaked the Social Security Numbers, drivers’ license numbers and dates of birth of 1.1 million people who asked for an online auto insurance quote. (Nationwide has been proactive, contacting those at potential risk and offering them free credit monitoring and identity theft protection insurance for a year.)
The law is clear: Businesses are responsible for safeguarding personally identifiable information entrusted to their care. This is true whether the only personal data you hold is your own employees', or whether you are a health care or insurance company with potentially sensitive information on thousands of people.
Many businesses would potentially be bankrupted in the event of a catastrophic breach of their entire database, or a big enough fraction of it. But standard business insurance does not typically provide any protection for losses incurred as a result of data breaches.
The potential losses are large. Lost income and man-hours spent notifying individuals potentially affected by a breach cost health care providers an average of $204 per incident, according to the Ponemon Institute.
The HITECH Act sets federal penalties on health care companies that leak data on 500 patients or more as high as $1.5 million per incident. For all other industries, the Health Insurance Portability and Accountability Act imposes stiff civil and even criminal penalties for those responsible for data breaches.
"My employees are good. They won’t steal data"
You are probably right. But inside employees are not the biggest threat. Only about 10 percent of data compromises are attributable to an inside job by employees intentionally looking to steal sensitive data.
Rather, the single largest source of data leaks was hacking by outside attackers, responsible for 25 percent of all known data breaches over time. Another 13 percent was attributable to data stored on stolen laptop computers. Poor document shredding and disposal practices were responsible for 7 percent of incidents. Mail accounted for 4 percent, and email accounted for 3 percent.
Accidental breaches caused by inside employees accounted for 21 percent of incidents; 57 percent of breaches, however, were caused by agents outside of the company or agency.
That’s where data breach insurance coverage comes in. This kind of insurance, sometimes known as "cyber insurance," is fairly recent. It is a stand-alone policy that focuses solely on data breaches, as opposed to data loss from other hazards, such as fire and flood.
Policies vary, but a broadly written policy may provide coverage for the following:
- The cost of notifying those affected
- Lost income due to reputation damage
- The cost of providing credit monitoring services to those affected
- The cost of a rehabilitative public relations effort
- The cost of legal defense
Coverage for fines can be added as a rider, but is not normally included in base policies at this point.
Scott Godes, an attorney with the Dickstein & Shapiro Law Firm, has written more extensively about the questions business owners can ask data breach insurance agents, including:
- Will the policy cover liability for damages to the credit card industry?
- Does the policy cover data stored offsite? Offshore? In "the cloud?"
- Does the policy cover regulatory action? If so, at what point? How formal does the action have to be?
- Does the policy pay for data restoration costs?
Godes also advises small business owners and risk managers not to assume their crime insurance policies will cover data breaches.
Who Is Most At Risk?
While hospitals and insurance companies typically have a large number of personnel files, the most dangerous risk exposure seems to be in the small business market, say experts. This is because larger enterprises can afford to invest in state-of-the-art network security resources, top-of-the-line HIPAA certification and training for key persons, and a full-time network security and compliance staff member. Small businesses, on the other hand, face the same potential penalties, but without the in-house resources to mount a top-flight prevention effort. This is the market where data breach insurance is the most vital.