Feature Story: Privacy: A Growing Liability for Today’s Businesses

Today’s headlines report significant data breaches involving behemoth companies like SONY and Citibank, government entities, news outlets, etc. However, unauthorized use of confidential data can affect any business in any industry and is a result of occurrences much more mundane than hackers going after big corporations. While this issue is widespread, many businesses continue to function without proper insurance protection.

Published on June 5, 2012

We spoke with Mike Smith, Founder and President of Axis Insurance Services, LLC, about the growing exposure and privacy risks that impact today’s businesses, and what steps companies can take towards getting the proper protection.

Founded in 1999, New Jersey-based Axis is a professional liability insurance brokerage working with licensed agents nationwide. Axis specializes in providing custom coverage for Errors and Omissions, Fiduciary Liability, Directors and Officers, Employment Practices, Crime, and Privacy.

What distinguishes Axis from its competitors is that they have direct interaction with their clients and carriers, bringing a depth and breadth of knowledge of professional liability and related products to the table. In fact, because of their ability to foster such strong relationships, Axis has experienced a steady growth of 30%-40% each year over the last five years and continues to thrive, making its mark as a leader in the professional liability market.

Prior to forming Axis, Mike was a CPA with Coopers & Lybrand in Philadelphia where he worked for the firm’s insurance practice, auditing more than 50 insurers during his tenure. He then joined a medical malpractice carrier working on mergers and acquisitions where he later became the CFO for one of its subsidiaries. In 1996, Mike began consulting on professional liability issues, which marked the beginning of the well-established, successful Axis Insurance Services today.

Annie George (AG): Let’s discuss privacy, the coverage, and the liability involved.

Mike Smith (MS): “Privacy coverage is designed to protect an individual against the unauthorized use or misuse of confidential information. For example, the information one provides to their physician, such as a Social Security number, date of birth and prior medical history. That physician has the responsibility to protect the patient by maintaining control over this data. As an insurance agent, you also have important information on file from your clients and must ensure it doesn’t get in the wrong hands.

“You can apply this to any industry – from the restaurant swiping someone’s credit card to the flower shop that has stored credit card information on file. Every business in the U.S., for the most part, has retained some level of confidential information about their clients.

“There are two ways a lawsuit can occur when it comes to privacy issues. First, you have what is called third-party liability, where an individual sues you to recover damages because they have been harmed financially (emotional damages included too). This means you’ve allowed someone’s confidential information to ‘get on the street’. For example, someone hacked into your company’s website, an employee left a laptop with confidential data on a train, a rogue employee downloaded information on to a jump stick, or a smartphone was left in a restaurant. All of these situations result in someone’s personal information being compromised and you are then sued for the damages associated with that disclosure (ruining someone’s credit rating, preventing someone from obtaining a loan).

“The second piece of the puzzle involves first-party liability. These are the direct costs the company incurs as a result of a breach. For example, if you disclose any confidential information, you have an obligation, by statute, to notify individuals that their data has been compromised. Many states require that notification be in the form of a letter, setting up a call center to receive calls, offering free credit monitoring, etc., all of which will cost you money.

“It also could involve the costs for forensic services, which means having your computer system analyzed by a third-party to determine the extent of the problem. This can be a significant expense, with forensic accountants charging upwards of $1,000-$1,500 per hour. A Privacy Liability policy will provide coverage for the forensic costs up to a certain amount. Some companies offer limits of $25,000, some half a million, and others up to $1 million, but all will have some sort of sublimit.

“Also included in a Privacy policy is coverage for reputational damage – the marketing costs involved to protect your image and retain or regain your customers’ trust and confidence. Depending on the carrier and the size of the company and its risk, this often has a sublimit, or may not be included. With a standard, off-the-shelf product, you’d have a $50,000-$100,000 sublimit. Many of our carriers will write this coverage with $200,000-$250,000 sublimit.”

Mike also explained that coverage for cyber hostage is typically included in a Privacy policy.

“For example, let’s say a website has been bombarded with 10,000 hits per minute so that no one can gain access to it. Or, customer data has been retrieved and it’s being held hostage. The perpetrators could ask for ransom to stop bombarding the site or not to disclose the data, much like an actual kidnap and ransom situation. This situation actually occurred with a major flower company two weeks before Valentine’s Day. Both the website and its data were held hostage. The hackers asked for an exorbitant amount of money not to disclose customer information or create a cyber-attack so the company would not be able to conduct business online. The ransom was paid to prevent the attack.

“What’s more, companies may also be subject to additional fines or penalties for a data breach. If medical records were compromised there could be HIPAA fines and penalties, and investigation expenses. Some of the better policies include coverage to pay for fines, regulatory penalties and investigative services. You can see that all these first-party costs could add up to be a significant expense for a company without a Privacy policy,” said Mike. 

AG: Why do many refer to Privacy coverage as Cyber Liability insurance?

MS: “Initially, Cyber Liability insurance was designed to protect company websites in the event of software malfunctions, malicious code, or other that caused errors. This had nothing to do with privacy, but everything to do with technology. In fact, some call this type of policy Technology E&O. Privacy is a very different component, which sometimes is sold under the same policy.

“When I refer to privacy, I’m referring to the portion of a Cyber policy that deals with the unauthorized use or dissemination of confidential information. A Cyber policy will include the Technology E&O portion that deals with services or operations being processed incorrectly. Is the site functioning? Did the server go down? For example, if a credit card processor’s site goes down preventing customers from conducting transactions, this is a Technology E&O issue…there is no breach of privacy under this scenario.”

AG: Why do so many businesses go without privacy coverage?

MS: “In the last six months, we’ve been selling more of these policies and believe that everyone will be seeking this important coverage more often. Privacy Liability is necessary for those in the professional services business and anybody that accepts credit cards for transactions. The coverage is also relatively inexpensive – for a company with annual revenues of $1 million, the cost for a policy is usually only about $5,000.

“Most people believe it’s the liability that is the principal issue here. However, the vast majority of data breaches don’t involve an actual loss incurred by an individual, but as a corporation you must take steps to ensure that no further damage will occur. Typically, most losses are due to errant reasons, such as a lost laptop or smartphone.”

Mike also shared current insight from an interesting piece on a news exposé, illustrating how insidious data breaches could be.

MS: “There’s a hard drive included in many photocopiers that keeps a record of every single copy made on the machine. Someone can actually swap out that hard drive and gain access to a wealth of information. In the exposé, the news crew purchased four photocopiers from a used copy shop. They were able to download online software which helped them read information on the hard drives. One copier was from a Rape Victims Unit in a police station in one of our larger cities - all the victims’ information was stored on it. Another police station’s copier was from a major Crime Unit and included information on confidential informants, drug raids, etc.; while yet another one was from a hospital containing patients’ medical information. These used copiers typically sell for $400.00 each. Individuals buy and ship them overseas, and download the private information. It’s become an entire industry.”

When it comes to risk management and data breaches, privacy insurance offers the right protection. To be sure data is secure, make sure a firewall is in place and that there are policies and procedures implemented for laptops, smartphones, etc.

“You shouldn’t use company machines for personal reasons; it makes your business vulnerable to compromised data, viruses, etc.,” said Mike.

For more information about Axis and its professional liability solutions, including Privacy Liability coverage, visit: www.errors-omissions.com or contact Mike Smith directly at: 201.847.9175 or msmith@axisins.com.