Home > Property & Casualty > Data Security: It’s not just personal (information)

Data Security: It’s not just personal (information)

Most businesses are now aware of the financial and reputational risks they face from breaches of their confidential information. Each week, sometimes even everyday, there are reports describing the theft or loss of sensitive data from companies, healthcare and educational institutions, or governments. Many of these incidents receive considerable media attention, such as the serial breaches at Sony. Security experts speculate about the costs companies incur in connection with data breaches, ranging from the hundreds of thousands to the hundreds of millions of dollars.

Much of the media attention is understandably directed at breaches of confidential consumer information. Those involve the compromise of personally identifiable information that can be used to engage in identity theft and cause terrible personal financial loss. They are also the breaches that generally require notice under various laws, sometimes involve the provision of credit monitoring or call center services, and occasionally spur the filing of (thus far largely unsuccessful) class action lawsuits.

The focus on consumer privacy can obscure the financial and reputational risks of breaches of other types of confidential information – and on the disparate attitudes of insurers about covering them. Many companies assume that if they are not in consumer-oriented business or do not have many employees, they do not have significant financial exposure to data breaches. They are doubly wrong. They are wrong because breaches of confidential non-personal data can be extremely costly to them, and they are wrong because many insurance policies that purport to cover breaches of confidential data will not in practice cover the most significant financial exposures that many companies face.

A company can suffer substantial financial loss from the breach of many types of confidential information. Examples include: information a company acquired from individuals affiliated or associated with the company (such as consumers, employees, patients, and donors), information entrusted to the company by other organizations (such as corporate clients, vendors and other service providers), and information that the company developed or obtained for its own business purposes (such as business processes, R&D, trade secrets or other intellectual property).

While the damage to the corporate treasury can be equally painful regardless of the nature of the data compromised, insurance policies — whether characterized as privacy, data security,  cyber liability, data asset, errors and omissions, or something else — do not cover them all in equal measure. Insurers’ willingness to cover breaches of the various types of confidential information ranges from alacrity to aversion, and depends upon factors such as the type of policy involved, the business and size of the insured company, the nature of the confidential data involved, the circumstances of the breach, the amount of premium being collected, and of course an insurer’s particular appetite for categories of risk.

Companies should therefore not take false comfort in the notion that their “privacy” or “data security” insurance policies protect them from potentially severe losses caused by breaches of all types of confidential information. Instead, risk managers and general counsels should work closely with their brokers to make sure they understand what is (and isn’t) covered by their current insurance policies, and also what they can do to negotiate broader coverage for their greatest exposures. Many companies will be unpleasantly surprised to learn that the scope of their insurance protection is not so broad as they had probably thought. Fortunately, in this rapidly evolving insurance environment, they can likely obtain broader coverage than they currently have in place. At a minimum, this exercise will help them align their expectations with their insurance realities — and in the process, show them where they may need to improve their data security practices in order to reduce risks that cannot be transferred on a cost-effective basis.

About the Author

John Doernberg is a Vice President at WGA. He is responsible for developing relationships and serving as a resource for WGA clients, with a particular focus on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, he practiced law for more than ten years at major firms.

617.646.0336  JDoernberg@wgains.com   Connect with John via LinkedIn


  1. dee
    July 11, 2011 at 11:01 am

    When I dispose of an asset because I no longer need it and it gets hacked in the secondary market where the information is stolen, am I still responsible or is the 3rd party that cleaned the disks? What type of insurance do I need to take out in order to protect me financially for this situation?

    • John Doernberg
      July 11, 2011 at 3:22 pm

      Some states (including Massachusetts), have laws about the proper disposal of confidential information, and the Massachusetts Data Security Regulations also impose obligations in connection with the transfer of confidential personal information to third parties. Depending on the facts, various federal laws may also be implicated. There have been a number of reported breaches triggered by the failure to dispose of data properly, including situations when a third party (i.e., not the owner of the data) caused the breach. See, for example, the blog post at http://wp.me/pFoTv-jV. My understanding is that in those situations, the data owner may, depending on the particular facts of each situation, have some indemnification rights against the party that actually caused the breach — but that the data owner could remain responsible under various laws and also to the people who entrusted it with the confidential information. A lot depends on the nature and extent of the obligations you have to the people who provided you with confidential information, on the exact obligations imposed by the applicable laws, and on the actions you took in connection with giving a third party access to the confidential information. This is not legal advice, and you should consult with a practicing lawyer to determine the extent of your legal liability for the breach of confidential information in your particular circumstances.

      Privacy/data security insurance is generally available to cover this kind of situation. Insurance underwriters will commonly ask the prospective insured about the “due diligence” actions it has taken with respect to third parties given access to confidential information.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s