Privacy Breaches Boost Technology Coverages

by Jonathan Schwarzberg

The airwaves have been filled with information about the latest privacy breach involving Wikileaks releasing e-mails from Stratfor, a global security/intelligence company.

If it sounds familiar, that’s because similar data breaches have been in the news almost constantly for months now. Businesses and insurers alike are taking note.

Betterley Risk Consultants recently stated that it believes interest in technology coverage is largely driven by concerns over privacy breaches.

If there was any doubt that this risk is generating ample interest, Betterley’s survey found that more than 95 percent of readers see coverage for data breaches as highly or somewhat interesting.

“Combined with increasing pressure by business partners to show evidence of real coverage, the days of self-funding this risk may be about over,” Betterley states.

As demand for this coverage increases throughout the business world, carriers have responded by offering higher capacity and more targeted products. Betterley reports that large carriers will offer up to $25 million in limits for technology risks, and even small carriers will put up between $5 million and $10 million in limits. Excess coverage is available, too.

Lockton reported recently that the leading cause of data breach events is stolen computer equipment such as laptops and memory sticks. The broker said this makes up 33 percent of breaches.

Coming in a close second is theft from hackers and criminals, which makes up 32 percent of data breaches. Rogue employees are responsible for 19 percent of these problems.

Carriers seem to be responding with new products. In February alone, Liberty International Underwriters launched three new tech-related products and hired Oliver Brew as vice president of miscellaneous professional liability and technology errors and omissions (E&O). He has more than a decade of experience in global technology, network privacy and data security E&O.

NAS Insurance Services launched a new product to provide educational facilities protection against privacy breaches.

Carriers have developed dozens of other privacy-related coverages over the past year, too, targeting healthcare, finance, retail and other segments.

LIU’s trio of new products all have at least some privacy component involved.

LIU Tech Insure, the company’s broadest offering for technology service companies, covers breach of contract, intellectual property infringement, project failure coverage, data breach liability and E&O for all offered services.

LIU Data Insure provides standalone coverage for data breach liability and related costs coverage for companies that handle personal data. LIU DataPro Insure provides professional liability coverage as well as data breach liability and related costs cover for a wide range of professions and companies.

“Computer hacking has always been a risk for any company with a website and a network, but recently the frequency and severity of attacks has significantly increased,” Brew said at the product’s release. “Data security is now more than just an IT issue – it is a board-level issue.”

The new NAS Insurance Services product is called NetGuard Plus writeNOW! For Schools. It offers network security and privacy protection for K-12 schools.

The company said that it designed the product to meet growing exposure to breaches that could compromise sensitive and confidential student, parent and employee information.

As both companies and insurers look at covering privacy risks, Betterley breaks the exposure down into three areas.

First, companies can be liable if a client’s third-party data is compromised. This type of problem is generally covered by an errors and omissions policy.

Another risk is to a company’s own data, which is considered a first-party coverage. These types of claims are not usually covered by an E&O policy but can usually be covered by a cyber policy.

The third area of risk is for data that is lost while in the possession of a company, such as through hackers breaking into a network or the loss or theft of a laptop with confidential material.

“Our concern, though, is that coverage for breach of data that is not a result of an error or omission might also be needed,” Betterley states.

Carriers and their insureds continue to hash out the details of what exactly is covered and should be covered when it comes to data breaches, suggesting that a slew of new products could be on the way.



Comments

  • March 1, 2012 at 4:20 pm
    Jack Straw says:

    There are over 30 Markets selling this coverage in some form or another - we will sell only 6 given poor claims made language and/or usage of absolute exclusions rendering the policy illusory

  • March 2, 2012 at 4:10 pm
    Online Store Help says:

    When I was a Risk Manager for a Silicon Valley tech company, next to D&O, this was our most expensive coverage and the hardest to find markets for. Lloyds is very active here. Unlike a G/L claim, these losses when they happen can easily exhaust the limit. Let’s see how many of these programs are available in 3 years as it can be hard to profit on these policies.

    That being said, preparation for the eventual data breach is key in this field and keeping your claim costs low. A privacy breach plan needs to be created including responses as well as negotiating with vendors up front in the event of a breach.

    http://blog.onlinestorehelp.com

  • March 12, 2012 at 6:25 am
    Bruna says:

    Lisa, This is actually a very good summation of some of the more important lessons learned that current breach reporting can provide. I agree at present there seems to be far too much focus on reporting and not near enough attention being given to detection, hence your statement that we don’t know what we don’t know which translates to the thought that there may be more breaches occurring than we are seeing. The goal of good security is to detect and avoid such events, not merely to catch and report. This ties into another of your observations which is very key to doing a better job of reducing the risk of breaches, that organizations should first ask the question why was ePHI on the device in the first place. While right on target this is still a reactive question.

    I’d like to suggest a proactive approach to minimizing breaches and meeting our compliance and business obligations to protect information. Take a data centric approach. Start first by describing the life cycle of ePHI in the enterprise and then inventorying its location accurately. Meaning ask the questions proactively who is creating it, how are they creating it, where are they creating it, and then repeat this line of questioning again replacing creating with processing, storing, transmitting, archiving, sharing, disposing, etc. until we have good understanding of the life of PHI in our business. Next conduct an accurate inventory of all your PHI and where it currently resides within your enterprise. Fortunately there are tools out there today that can do this detailed inventorying. Then ask your question. Does PHI need to be on this device, or should it be on this device, or accessible from this location, should this group or individual have access, etc.

    Once you know the answers to these questions, consider all of the security controls available to develop an integrated solution to creating safe harbor and minimizing breaches by having better knowledge of where our data is, appropriate mechanisms for monitoring and enforcing rules and by minimizing the landscape that has to be encrypted by reducing the number of locations, and the associated risks, where PHI can be found to those that represent a legitimate business purpose and meaningful use. We need to think more proactively. Healthcare cannot afford the interruptions or distractions of reactive mitigation of risks.
