Data Security: It’s not just personal (information)
Most businesses are now aware of the financial and reputational risks they face from breaches of their confidential information. Each week, sometimes even every day, there are reports describing the theft or loss of sensitive data from companies, healthcare and educational institutions, or governments. Many of these incidents receive considerable media attention, such as the serial breaches at Sony. Security experts speculate about the costs companies incur in connection with data breaches, ranging from the hundreds of thousands to the hundreds of millions of dollars.
Much of the media attention is understandably directed at breaches of confidential consumer information. Those involve the compromise of personally identifiable information that can be used to engage in identity theft and cause terrible personal financial loss. They are also the breaches that generally require notice under various laws, sometimes involve the provision of credit monitoring or call center services, and occasionally spur the filing of (thus far largely unsuccessful) class action lawsuits.
The focus on consumer privacy can obscure the financial and reputational risks of breaches of other types of confidential information – and the disparate attitudes of insurers about covering them. Many companies assume that if they are not in a consumer-oriented business or do not have many employees, they do not have significant financial exposure to data breaches. They are doubly wrong. They are wrong because breaches of confidential non-personal data can be extremely costly to them, and they are wrong because many insurance policies that purport to cover breaches of confidential data will not in practice cover the most significant financial exposures that many companies face.
A company can suffer substantial financial loss from the breach of many types of confidential information. Examples include: information a company acquired from individuals affiliated or associated with the company (such as consumers, employees, patients, and donors), information entrusted to the company by other organizations (such as corporate clients, vendors and other service providers), and information that the company developed or obtained for its own business purposes (such as business processes, R&D, trade secrets or other intellectual property).
While the damage to the corporate treasury can be equally painful regardless of the nature of the data compromised, insurance policies — whether characterized as privacy, data security, cyber liability, data asset, errors and omissions, or something else — do not cover them all in equal measure. Insurers’ willingness to cover breaches of the various types of confidential information ranges from alacrity to aversion, and depends upon factors such as the type of policy involved, the business and size of the insured company, the nature of the confidential data involved, the circumstances of the breach, the amount of premium being collected, and of course an insurer’s particular appetite for categories of risk.
Companies should therefore not take false comfort in the notion that their “privacy” or “data security” insurance policies protect them from potentially severe losses caused by breaches of all types of confidential information. Instead, risk managers and general counsel should work closely with their brokers to make sure they understand what is (and isn’t) covered by their current insurance policies, and also what they can do to negotiate broader coverage for their greatest exposures. Many companies will be unpleasantly surprised to learn that the scope of their insurance protection is not as broad as they had probably thought. Fortunately, in this rapidly evolving insurance environment, they can likely obtain broader coverage than they currently have in place. At a minimum, this exercise will help them align their expectations with their insurance realities — and in the process, show them where they may need to improve their data security practices in order to reduce risks that cannot be transferred on a cost-effective basis.
About the Author
John Doernberg is a Vice President at WGA. He is responsible for developing relationships and serving as a resource for WGA clients, with a particular focus on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, he practiced law for more than ten years at major firms.