Last May, Vice President and Atlanta Burns & Wilcox Branch Manager Jim Epting was co-conducting a seminar for 30 agents about the value of data privacy coverage when an agent’s BlackBerry started buzzing. The owner checked his email, gasped and immediately shared its contents with the class.
“It seems that the agent’s server had been breached and certain agency client records were compromised,” Epting said.
“Right away, 30 people started completing applications for data privacy coverage or emailing their offices to suggest the agency purchase it.”
While many agents are selling the coverage to their clients, others, like the proverbial shoemaker whose children are shoeless, are not buying the coverage for themselves. Though they spend their days focused on risk, agents and brokers sometimes require a wake-up call to truly recognize the value of the data they hold and its vulnerability to incursion or loss.
A New Worry
Business information theft has been an ongoing issue for years.
“The speed and ease with which vast amounts of data can be breached has changed,” Burns & Wilcox Vice President of Product Development Marla Donovan said. “To steal data 20 years ago—in the old bricks and mortar days—you either broke in or, if you were an employee, you walked out with a Rolodex or Xerox copies of a stack of files.”
“Today, you simply forward a ZIP file to your home computer or you burn a CD and walk out the door,” Donovan said. “It’s much easier to do and more difficult to detect.”
Because of technology, geography no longer limits theft. An outside hacker operating anywhere in the world can access the information contained on an organization’s networks, gathering valuable information on its customers. A breach may go undiscovered for weeks or longer, while the thief quietly makes unauthorized purchases or drains bank accounts.
The financial services industry is particularly vulnerable because of the information it holds. The 2009 Verizon Business Data Breach Investigations Report, which detailed information from its 2008 forensic engagements, showed 30 percent of data breaches were in the financial services sector.
“Financial services firms were singled out and fell victim to some very determined, very sophisticated, and—unfortunately—very successful attacks in 2008. This industry accounted for 93 percent of the over 285 million records compromised. This finding reflects a few very large breaches.”
Insurance agents and brokers have the information hackers are seeking. When handling personal lines, agents gather information on home values, assets and a lot of other personal data. Commercial accounts require very detailed information, inspection reports and even Social Security numbers to run credit reports on these customers. Life and health products require brokers to obtain detailed health records. All of this data resides in the agency, and any of it could present a liability.
“Data breach has been a growing concern over the last five or 10 years, even for small agencies,” Donovan said. “I’d say that over the last two or three years, it’s become a big issue.”
Redefining Privacy Loss
From an insurance standpoint, part of what makes data breach so troublesome—and proper coverage so important—is that it is accompanied by a redefined and expanded concept of “loss.” Loss is no longer just bodily injury or property damage.
“With a slip and fall claim, it’s not enough for an accident to have happened. For there to be coverage the victim must be hurt,” Donovan said. “When there is even a whiff of data breach, though, even before a client is harmed, someone needs to be notified and investigative costs start accruing.”
“How many other insurance policies react to a suspicion?” Donovan asked.
“Nowadays, reputation is property; therefore loss of reputation is a property loss that must be mitigated. Similarly, privacy is now an expectation,” Donovan said. “A business that has allowed an incursion into the private data it holds racks up expensive notification, credit monitoring and other compliance costs.”
Donovan reported that the federal government became involved with data privacy through the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which slowly phased in requirements for health-care providers, health organizations and government health plans to safeguard patient information.
“In 2009, those privacy requirements were expanded through provisions embedded in the federal stimulus package to balance the act’s encouragement of advances in health information technology and electronic health record-keeping systems,” Donovan continued.
“The expansion brings additional mandatory breach notification requirements, raises penalties for a breach and expands the field of entities subject to civil and criminal penalties from a breach,” Donovan said.
The Federal Trade Commission is now enforcing the “Red Flags Rule,” requiring businesses to create, update and use programs to detect warning signs for identity theft.
“On the non-medical front, more than 45 states have general data breach laws on their books that require client notification under certain circumstances. And Congress is considering the expansion of federal notification requirements to all entities,” Donovan continued.
“Even without government involvement or actual third-party damages, the discovery of a possible breach is expensive. Simply notifying clients their data was breached can cost upward of $50 per client, but standard errors and omissions policies don’t offer help,” she said.
Hiscox Senior Vice President of Privacy and Technology Jim Whetstone agreed.
“Generally, E&O policies are not clear on whether they intend to cover anything related to a data breach,” Whetstone said. “That’s why you see so many carriers coming out with stand-alone policies or modules for data privacy cover. No one is relying on whether traditional policies intend to cover data privacy exposures. From my perspective, many of the E&O policies that are available in the marketplace right now, with the exception of those for the technology industry…do not do a good job of addressing this. Many of them are silent on data breach.”
Data Privacy Coverage
The need for coverage extends beyond agents and brokers.
“We have yet to underwrite a company that didn’t have a data breach exposure,” Whetstone said. “While many keep extensive customer records, for others it may be they have the personal data on their employees.”
Burns & Wilcox has access to a variety of carriers including Hiscox, which has offered first- and third-party data privacy policies since 2006. The policy covers such items as forensic costs to determine the extent of the breach, customer notification costs, credit monitoring costs where applicable, and public relations costs to restore reputation.
In some cases this coverage can include defense costs for lawsuits, investigation fees, fines or civil penalties from regulators where allowed. If the breach involves credit card data, the third-party claims may include those from banks for any fraudulent charges or the costs to reissue credit cards.
One emerging exposure for agents is failure to make customers aware of their data breach risk, especially when the vulnerability is not apparent. A pub in the United Kingdom, for example, made its computers available to customers for Internet dating and gaming, but when the patrons’ data was breached, the pub was liable.
“Data breach can happen where you least expect it,” Donovan said. “But ‘I didn’t think of it’ is not a defense for an agent.”
Donovan and Whetstone recommend an agency do a data privacy risk assessment of its own organization before starting to take clients through their assessments.