Data security and privacy could be the "stealth issue of 2010," according to a recent report. Despite the intense focus on financial and related issues during the current economic crisis, a variety of legislative and regulatory initiatives suggest that data privacy and security issues necessarily will become a top corporate priority. These developments have important risk management consequences, among which are the increasing importance of privacy breach and network security liability insurance within a company’s overall insurance program.
Recent Regulatory and Legislative Action
A March 12, 2010 Law Technology News article entitled "The Evolving Landscape of Data Privacy" (here), takes a comprehensive look at the various recent regulatory and legislative developments raising the importance of data security and privacy issues.
As the article emphasizes, several new federal and state privacy regimes go into effect this year. In particular, the FTC’s long-delayed Red Flag rules will become effective on June 1, 2010. These rules will require "financial institutions" and "creditors" (as those terms are defined in the rules) to implement a written identity theft protection program designed to detect the warning signs of identity theft, to prevent the crime, and to anticipate the damage it inflicts. The FTC’s guide to the new rules can be found here.
In addition, the Massachusetts Office of Consumer Affairs and Business Regulation has promulgated its "Standards for the Protection of Personal Information of Residents of the Commonwealth" (here), which applies to persons who "own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts."
The regulation requires all affected persons to "develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information." The regulations include the requirement that affected persons must "adopt comprehensive security programs that include technical, administrative and physical safeguards for both electronic and paper records."
The state level action in Massachusetts suggests the possibility of similar actions in other states, which raises the specter of a confusing patchwork of different regulatory requirements, a situation that cries out for uniform regulation at the federal level. In that context it is hardly surprising that there are Congressional initiatives in this area as well.
On December 8, 2009, the House passed the Data Accountability and Trust Act (H.R. 2221), discussed here. The legislation would, among other things, require all businesses to implement safeguards to protect against reasonably foreseeable data vulnerabilities and to notify customers if their personal information is breached. Similar initiatives are receiving Senate consideration. Though the Senate has a great deal of other things on its plate right now, it is possible this legislation could still get through, perhaps as part of another larger bill (for example, a financial reform bill).
Practical Steps, Including Insurance Solutions
It seems probable that these kinds of regulatory and legislative initiatives will continue to emerge in the months and years ahead. In light of these concerns, the article cited above suggests that companies adopt compliance strategies, including: reviewing how their firms safeguard non-public customer and employee data; adopting risk-based safeguards and controls that encompass industry best practices and make use of available technology; and reviewing their firms’ data privacy policies and notices.
In addition to these practical steps, every company’s data privacy and security risk management should also include the acquisition of a privacy breach and network security liability insurance policy. These policies have been available for some time, but in recent years, both their availability and their scope of coverage have improved significantly. There are now a variety of commercially attractive insurance products available in this area.
Because this insurance product is relatively new, there still is some skepticism over the need for this type of insurance protection. Some of this resistance is simply due to the lack of familiarity with the numerous and growing sources of exposure in this area. As time goes by and the extent of corporate vulnerabilities becomes increasingly apparent, this reluctance will eventually fade, a process that will undoubtedly be accelerated by the increasing amount and extent of the growing regulatory requirements.
Another source of skepticism about this product arises from the view that the consumer actions that have been filed so far have not fared particularly well. Some of the consumer cases have indeed been unsuccessful (see, for example, here), in part because consumers have a difficult time showing proximately caused damages. In light of consumer concerns when data breaches occur, however, it seems likely that consumers affected by data breaches will continue to bring these kinds of actions, which at a minimum means a continuing defense cost exposure.
Companies that suffer data breaches will continue to have both notification and remediation requirements, which even in relatively modest breaches can entail an enormous expense. A recent study relating to data security breaches in the United States (link unavailable) shows that the average 2009 per-incident costs were $6.75 million. The costs included an average cost of $204 per customer with a potentially compromised data record.
In addition, companies sustaining data breaches are subject to the costs of regulatory investigations, as well as penalties and fines. While not all of these costs will be insured in every instance, remediation costs and legal expense will be covered in many instances. Many policies offer fines and penalties coverage on a sub-limited basis under certain circumstances.
Finally, because of the likelihood that plaintiffs’ lawyers will continue to press these issues when data breaches occur, there is a continuing danger that plaintiffs’ lawyers will succeed in imposing liability on persons they contend are responsible for the data breach. The policies cover negligence or failure to protect or safeguard confidential data, even for acts of rogue employees or vendor employees. Some policies will apply in instances of employee negligence, such as lost or stolen laptops.
Some of the insurance products also provide protection in the event of cyber extortion, for example in connection with the threat of a disclosure of a security breach or a denial of service attack. Some policies also provide first party coverage in the event of electronic business interruption or reimbursement coverage for the cost to replace or reconstruct digital assets.
Insurance for privacy liability and network security is still a developing product area, but with the passage of time, more and more companies are recognizing that their insurance programs are incomplete without this kind of protection. The evolution of this product is very similar to where we were several years ago when Employment Practices Liability insurance came along. At first, take-up of the product was slow. But over time the product improved and the need for the insurance became more self-evident, and now pretty much every company has EPL insurance. Within a very short time, the same will also be true of privacy liability and network security insurance.
The fact is that, particularly in the current regulatory and legislative environment, every company is susceptible to these kinds of problems and so every kind of company should consider this insurance as an important part of a complete corporate insurance program.