Cyber Protection

July 31, 2010 | Last updated on October 1, 2024
Scott Schleicher, Assistant Vice President, Manager, Technology E&O, XL Insurance | Steven Anderson, Assistant Vice President, Senior Underwriter, Select Professional, XL Insurance

Actor Marlon Brando once said: “Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” Like Brando, most people value their privacy. While Brando went so far as to purchase his own private island to protect his privacy, most of us do not have the luxury of living on our own island. Even if we did, in today’s technologically driven world, most would still choose to remain connected in some way. That connectedness is what makes safeguarding privacy so much more of a challenge today.

Technology allows us to conduct business anywhere in the world, no matter where we are or where we may go. Increased social interaction via technology, as well as our dependency on it, however, leaves both our businesses and personal lives vulnerable to a variety of cyber risks. For instance, a breach of a computer network can put financial, customer, employee and other proprietary data in the wrong hands. Hackers can take down a Web site and completely interrupt a company’s online operations. The wrong post on a company Web site can leave it fighting a copyright infringement claim.

Despite the potential risks, far too many companies are overlooking cyber-liability. A recent poll of Canadian businesses conducted by EKOS for the Office of the Privacy Commissioner of Canada found that 42% of businesses surveyed were not concerned about security breaches. This is despite the fact that businesses are increasingly collecting and holding personal information about their customers.

Other businesses are not hiding their heads in the sand, especially after seeing some very costly incidents. Most recently, a security flaw in AT&T’s network exposed the e-mail addresses of more than 100,000 owners of Apple’s 3G iPad. The largest breach to date occurred in 2008 at Heartland Payment Systems, the fifth-biggest payments processor in the United States. Considered the largest-ever criminal breach of credit card data, it may have compromised as many as 100 million cards issued by more than 650 financial services companies, according to security experts’ estimates. Heartland has recorded $12.6 million in expenses related to the intrusion, including litigation and fees.

No industry is immune to privacy breaches. They have occurred in private and public enterprises as well as in government agencies. In the Ponemon Institute’s 2009 Annual U.S. Enterprise Encryption Trends Study, 85% of the 997 survey respondents reported experiencing at least one data breach over the past 12 months. In addition to threats from outside ‘hackers,’ as in the Heartland case, there is the threat of current employees gaining access to information and wrongly distributing it. In Canada, dozens of workers at the Canada Revenue Agency were recently discovered reading confidential tax files, snooping on their ex-spouses, mothers-in-law, creditors and others. Internal reports found that rogue employees were improperly reviewing the private financial affairs of taxpayers without their knowledge. In one case, an employee accessed 37,500 emails and 776 documents containing confidential financial information about ordinary Canadians and downloaded the files onto 17 compact discs for her personal use.

SEEKING STRONGER PRIVACY PROTECTION

Given these high-profile incidents and others, and taking into account their costly repercussions, the Canadian government is seeking stronger privacy protection for its citizens. The Government of Canada introduced several significant amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) on May 25, 2010. PIPEDA governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity. Introduced as Bill C-29 in the House of Commons, the amendments aim to incorporate recommended changes, including mandatory reporting of data breaches and provisions permitting personal information to be used and disclosed for business transactions. If and when the provisions of the bill come into force, businesses with a presence in Canada will need to review their privacy policies and procedures to ensure compliance with the amendments.

Critics say the proposed amendments will not do enough to protect consumers’ privacy. They say the language is too “wishy-washy” and that the amendments contain too many loopholes and ambiguities to address privacy concerns adequately. For instance, the legislation does not require businesses to contact consumers who may be affected by a data breach immediately; instead, it says they should be contacted as soon as feasible. In the United States, many individual states are imposing harsher penalties for failing to quickly notify individuals whose information may have been compromised.

Whatever the outcome of Bill C-29 in Parliament, businesses need to be ready to address and resolve situations involving their customers’ information. According to the Ponemon Institute’s Fifth Annual Cost of Data Breach Study, the average cost of a data breach rose to $204 per customer record in 2009 from $202 in 2008. The costs involved in notifying customers about breaches can be substantial, but the loss of customer trust and loyalty is not as easily quantified. When a breach of private data occurs, in addition to the operational expense of notifying customers, companies may find themselves paying for crisis management efforts and the restoration or reconstruction of data at the very same time they are dealing with a potential decline in their own revenue. They may also face third-party claims: general damages; out-of-pocket expenses for data restoration or credit monitoring services for those affected; contractual fines; and even shareholder lawsuits.

PROACTIVE RISK MANAGEMENT

So how does a company protect itself from cyber risks? In general, risk management is about being proactive, not reactive. Companies recognize that they carry tremendous risk related to identity and security breaches, and they are closely examining their risk management strategies to reduce their exposure. For instance, companies can:

• train employees and contractors to understand their responsibility in the protection of data assets;

• ensure mobile devices are encrypted and that employees understand the organization’s policies with respect to downloading sensitive information and working remotely; and

• make employees aware of the precautions that should be taken when travelling with laptops, PDAs and other data-bearing devices.

Additionally, Canadian carriers are offering cyber-insurance policies to help protect businesses from a variety of tech-related liabilities. Such coverage typically addresses the following:

Network Security Liability

Such coverage protects companies from losses associated with unauthorized access to or theft of customer, employee or other proprietary data or e-business activities, computer viruses, denial-of-service attacks, and alleged unauthorized e-commerce transactions.

Privacy Liability

This coverage provides protection if an insured fails to protect electronic or non-electronic information in its care, custody and control.

Media Content Services Liability

Thanks to the Internet and social networking sites such as Facebook, LinkedIn and Twitter, all businesses are media companies, too; therefore, they need to be concerned with media liability. Although blogging and other forms of business-related social media may seem harmless, businesses are liable for the content they generate and post on their Web sites. They have to be wary of misusing competitors’ copyrights and trademarks or disclosing confidential information. Many businesses have adopted clear media policies or social computing guidelines, because employers are generally responsible for independent actions taken by employees if those actions are deemed to be within the scope of employment. Media content insurance covers the insured for intellectual property and personal injury perils that result from an error or omission in content. (It is important to note that coverage for patents and trade secrets is generally not provided.)

Extortion Threat

This coverage includes payments made to a party threatening to attack an insured’s computer system in order to avert a cyber attack. Disgruntled employees, customers or vendors can cause significant harm. For instance, a laid-off IT administrator was recently arrested and faces up to five years in prison after he tried to extort money from his former employer, a mutual fund company, by threatening to crash the company’s servers. Demanding a better severance package, he threatened to use his connections with hackers in Eastern Europe to wreak havoc on the company’s customers’ private information.

Other risks that can be insured under cyber-liability protection include:

Regulatory Liability: Coverage for privacy-related lawsuits or investigations by federal, provincial or foreign regulators;

Notification Expense: Coverage to address first-party expenses to comply with privacy law notification requirements;

Credit Monitoring Expense: Protection against first-party expenses to comply with privacy law credit-monitoring requirements;

Crisis Management: Cover to address first-party expenses to hire a public relations firm;

Data Recovery: Protection to address first-party expenses to recover data damaged on an insured computer system as a result of a failure of security; and

Business Interruption: Covers first-party expenses for lost income from an interruption to an insured computer system as a result of a failure of security.

Cyber-liability insurance has been around in some form or another for the last decade. Insurers have carefully expanded that protection to include the coverages discussed above, as well as the costs of crisis management, business interruption, privacy notification and credit monitoring, and the regulatory fines a business might suffer following a cyber incident such as an extortion attempt or privacy breach. A company may feel more secure with all of these coverages, or with just a few, depending on the nature of its business and the breadth of information stored in its computer systems.

Privacy is valuable. Protecting it is going to be a shared challenge for all businesses going forward.
