September 1, 2008 | last updated May 26, 2012 5:37 am

Covering Cyber Threats | Companies spent more than $6.3 million on data breaches in 2007

As companies face a host of new risks associated with their digital data, insurers are scrambling to create a whole new field of coverage: cyber liability.

Costly and legally troublesome problems ranging from data breaches to infringement cases are on the rise, and 43 states, including Connecticut, have passed laws spelling out rules for companies that experience them.

Data breaches that become public underscore what's at stake for the companies held responsible.

Bank of New York Mellon faces a potential class action suit and other penalties after it lost two unencrypted data tapes in February. Those tapes contained account information for about 4.5 million customers, including some 550,000 Connecticut residents.

As of last week, more than 500 plaintiffs had signed up to sue the bank.

And under pressure from Attorney General Richard Blumenthal and other state officials, the bank agreed to provide customers with two years of free credit monitoring, $25,000 in identity theft insurance and free credit freezes.

As businesses seek protection against big expenses from such a potential threat, cyber liability insurance coverage is now coming into its own. Insurers that offer it include The Hartford, Travelers, AIG, Darwin Professional Underwriters and ACE Limited.

ACE Limited, a global property and casualty insurer, has seen demand for its cyber liability coverage double in the past 12 months.

Tobey Merrill, system vice president of ACE's professional risk unit, said greater awareness by businesses has led to the jump in sales. New customers range from large retailers to a small laundromat.

"Companies are surprised by the high costs associated with a security breach," Merrill said. "They see this insurance as a way to protect themselves."

Most cyber policies offer first-and-third party coverage, including expenses associated with data recovery and business interruption. They may also help pay for crisis management costs, including the notification of affected parties and investigations by outside experts.

Some policies also offer reimbursement for legal fees and public relations campaigns, which are used to repair a company's image following a breach. But they may not cover the costs from victims who sue and win lawsuits.

"It's a new era for risk," said Drew Bartkiewicz, vice president of Cyber and Technology Risk at The Hartford. "Traditional insurance no longer covers the risks presented by the Internet."

According to The Identity Theft Resource Center, a California-based nonprofit, 342 data breaches were reported from Jan. 1 to June 27, a 69 percent increase over the same period last year. The actual number of breaches is muc higher, ITRC said, due to underreporting.

The costs of dealing with such breaches can be high. Companies spent $6.3 million, or $197 per record, on average in 2007 to recover from data breaches, according to a study from the Ponemon Institute, a Michigan-based privacy and information management research firm.

Forty-three states, including Connecticut, now require businesses to notify customers when data breaches occur.

And as more customers become aware that their private information has been compromised, lawsuits against the faulty party will likely increase, said John Scordo a partner at Day Pitney, a multistate law firm with major operations in Hartford. "There is a lot more potential for problems," Scordo said. "This is only the tip of the iceberg."

Market Evolving

Paul Paray, a senior vice president at Hilb Rogal and Hobbs, an insurance brokerage firm, sees great market potential for network security and privacy insurance products. It has been estimated that fewer than 10 percent of companies who handle large amounts of sensitive data currently have such coverage.

"Any enterprise that collects sensitive data about employees and customers can be in serious jeopardy if there is a security breach or data loss," Paray said. "This type of coverage provides a safety net."

The insurance is being marketed to the financial services industry, retailers and health care organizations because they hold the largest amount of personal data about customers.

But even mom and pop shops should consider the coverage, Paray said, because a data breach can wreak havoc on small budgets.

"You could be a small company in Connecticut with a liability of international proportions," Bartkiewicz said.

Cyber risks aren't just about data breaches. The Hartford just unveiled a new product to cover user-generated Web sites such as YouTube and Facebook, which are open to libel and copyright infringement lawsuits.

Last year, for example, media giant Viacom sued YouTube and parent company Google for $1 billion, accusing the video-sharing site of copyright infringement. Viacom claimed YouTube used nearly 160,000 unauthorized clips without permission.

While there may be a booming market for cyber liability coverages, insurers are likely to experience some growing pains, experts predict.

"The complex nature of business and technology can make it difficult for companies to understand what is or what is not covered in a policy," Scordo said.

For example, some insurers require companies to store data on their own network in order for it to be covered in the event of a security breach. But many companies now rely on outsourced service providers for Web hosting, credit card processing and data warehousing. Unless the policy expressly covers a third-party provider, a security breach may not be covered if the data is outsourced.

Merrill, of ACE Limited, said he believes cyber policies have fewer holes than they did a few years ago. He said many insurers have broadened their coverage and defined more clearly what their insurance will pay for.

Most Popular on Facebook
Copyright 2017 New England Business Media