The headlines of late are filled with one data breach after another – from Sony’s PlayStation, Nintendo, and Sega to CitiGroup and ADP. Hackers and criminals are going where the money is: data that can be monetized, whether it’s customer information, R&D, or intellectual property. Yet data breaches are not only the result of cyber crime; most often they are the result of simple negligence or of a disgruntled rogue employee who steals data, according to Mike Palotay, Vice President of NAS Insurance. Furthermore, virtually all businesses that collect data are exposed to data breaches and can be targets of cyber crime, says Mike.
We spoke to Mike about the recent headline-making cyber crimes, the exposures involved for companies, what can be done to mitigate losses, and the insurance programs available to protect against claims and lawsuits as a result of a data breach. Mike manages the underwriting department for cyber and technology insurance for NAS, an Encino, California-based firm that provides a full spectrum of specialty products on a wholesale, program, and reinsurance basis. NAS programs include: Abuse/Molestation, Cyber Liability, Network Security, Technology Liability, Social Services, MEDEFENSE™ Plus, HIPAA Protector, Miscellaneous E&O, Tenant Discrimination Insurance, Sexual Misconduct Liability, Allied Healthcare, Non-Standard Physicians, Tax Audit and Miscellaneous Medical Malpractice.
Annie George (AG): Every day it seems another data breach comes to light. Why are we seeing such an increase in frequency of late?
Mike Palotay (MP): “Simply put, the massive amount of data that large multi-national corporations are collecting and storing is significantly different today than it was 10 to 15 years ago. There has been a huge push to digitize everything, with companies gathering and analyzing data and using it to determine buying patterns and other types of consumer statistics that help them. They’re leveraging this significant asset as a means of getting a return on investment, thereby storing a ton of information that is vulnerable to loss.
“The problem is that while a company’s data-collecting ability has increased dramatically, network security safeguards, although certainly progressing, have lagged behind, as evidenced by the increased frequency of large-scale breaches. We’ve seen high-profile breaches like Sony and CitiGroup; numerous healthcare companies like WellPoint and AmeriHealth; government agencies such as the VA; universities like UCLA, which lost donor information; and retailers such as TJ Maxx who paid out nearly $41 million a few years ago to banks and VISA because of a massive breach of customers’ credit card data. As information is made digital it becomes very portable and thus easier to lose or steal.”
Mike explained that there are all types of scenarios that data breaches encompass, but the majority of losses are due to negligence. “The well-publicized breaches, including TJ Maxx and PlayStation, are from highly sophisticated computer hackers who can get around very complex security systems to steal a large number of credit cards and other types of personal information. They can then sell the data online for 30, 40, 50 cents per identity, which can number in the tens of thousands, to other criminal organizations to use in credit card fraud. But the reality is that the majority of breaches happen due to simple negligence or error, whether it is an employee leaving a laptop with a bunch of information on the subway, or a medical center improperly disposing of old health records in the dumpster. Or, in the case of a company in Texas, an employee accidentally made a private server public. Anyone could log on and see everyone’s information. It’s easy to make a mistake and the costs could be huge.
“Another contributing factor to data breaches comes from unhappy or dissatisfied employees who take the records, the information from the company, after a firing or when they’re leaving.”
AG: What are the estimated costs involved when a breach occurs?
MP: “According to a recent survey by the Ponemon Institute, which conducts research on privacy, data protection and information security policy, the latest estimates for the average cost per record is at $214.00 per identity. If you’re talking 1,000 records, that’s over $200,000, and a lot of these companies have millions of records.”
AG: What makes up this cost?
MP: “A number of items contribute to the cost. First, once a breach is discovered, the company has to spend a lot of money quickly to respond. This involves legal fees and IT forensics. Many times a company knows a breach has occurred but doesn’t know which records were stolen so a specialist needs to come in to determine where the compromise took place. Then you have notification costs. Most states require companies to notify a customer if a record has been lost or stolen. If there’s a healthcare breach, there is a national notification law. When you notify the customers, you usually also provide a free credit monitoring service to make sure that no new accounts have been opened and no large transactions have occurred.
“Companies also have crisis-management expenses, hiring a PR firm to do press releases, explain what happened and what they’ve done to correct the problem. They will also pay call centers so that customers can call in and obtain information on what they should do in the event their data has been breached.
“These costs all involve the response phase once a company realizes a breach happened. After the initial response, then there are all types of exposures that can occur, including class-action lawsuits and increased scrutiny by a regulatory agency on cyber-related losses, so a company may have to defend against regulatory action and may be fined or penalized.
“Additionally, a major component is loss of goodwill, which leads to lost revenue.”
AG: What types of companies are more susceptible to data breaches?
MP: “First, let me say that any type of company that stores any type of private information has an exposure, whether you’re a large multi-national or a local retailer. The extent of exposure depends on how many records a company is storing; this provides a good indicator of what the potential loss can be. The types of companies with significant risk are the healthcare industry, which has all types of medical records, billing info, insurance info, and Social Security numbers for patients and employees; any kind of transactional business, where as the number of transactions increases the exposure increases; online retailers; schools, especially universities that have tens of thousands of student records as well as those of past students, with a number of people having access to these records, such as teachers and assistants; and financial institutions, such as banks, credit card companies, and credit card processing companies.”
AG: What do you recommend to help mitigate risks?
MP: “It’s key to have a well-thought-out, reasoned approach. The first step is for a company to look within their organization and understand their exposure. Many companies are collecting a lot of information and not doing much with it or not keeping track of where it’s being stored. So, first understand your exposure. What information are you storing? How long are you keeping the info? Do you need to keep it that long? Is all the information that you’re keeping being used? Keeping the data comes at a cost, so are you leveraging it? How are you protecting this information? What firewalls and data encryption are in place? Are all laptops encrypted?
“Once this analysis is done then you can decide the next step to designing a risk management strategy that is appropriate for the exposure. Obviously, an online retailer with hundreds of thousands of transactions a year has a much bigger exposure than a mom and pop retail store on Main Street, and the approach to security has to scale to their exposure.
“There are different security systems and other Best Practices to use; all will apply on a case-by-case basis.”
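The exposure questions above (what is stored, for how long, whether it is still used, whether it is encrypted, whether laptops are encrypted) can be turned into a small inventory check. The script below is an added example, not code from NAS or the interview; it runs over a constructed sample inventory, flags stores that fail those questions, and sizes the exposure using the $214-per-record Ponemon figure quoted earlier in the interview. The data classes treated as "private information", the store fields, and the sample stores are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Average cost per compromised record cited in the interview ($214, Ponemon Institute).
COST_PER_RECORD_USD = 214.00

# Data classes counted as private information in this model (assumed set).
SENSITIVE_CLASSES = frozenset({"pii", "phi", "card", "ssn"})


@dataclass(frozen=True)
class DataStore:
    name: str
    records: int
    data_classes: frozenset      # what kind of data the store holds
    encrypted_at_rest: bool
    retention_days: int          # how long the business says it needs the data
    last_used: date              # last time anyone actually used the data
    portable: bool = False       # laptops, USB drives: anything that can be left on a subway

    def is_sensitive(self) -> bool:
        return bool(self.data_classes & SENSITIVE_CLASSES)


def inventory_findings(stores, today):
    """Answer the interview's exposure questions for each store.

    Returns (store name, finding) pairs in inventory order:
      unencrypted / unencrypted-portable : private data stored without encryption at rest
      retained-but-unused               : data kept past its own retention period and idle
    """
    findings = []
    for s in stores:
        idle_days = (today - s.last_used).days
        if s.is_sensitive() and not s.encrypted_at_rest:
            kind = "unencrypted-portable" if s.portable else "unencrypted"
            findings.append((s.name, kind))
        if idle_days > s.retention_days:
            findings.append((s.name, "retained-but-unused"))
    return findings


def estimated_exposure_usd(stores):
    """Records of private information multiplied by the average cost per record."""
    return sum(s.records for s in stores if s.is_sensitive()) * COST_PER_RECORD_USD


def exposure_after_purge_usd(stores, today):
    """Same estimate if every store that is idle past its retention period were deleted."""
    kept = [s for s in stores if (today - s.last_used).days <= s.retention_days]
    return estimated_exposure_usd(kept)


# Constructed sample inventory (not real data); dates are relative to a fixed "today".
TODAY = date(2011, 7, 1)
SAMPLE_INVENTORY = [
    DataStore("crm-db", 50_000, frozenset({"pii"}), True, 730,
              TODAY - timedelta(days=10)),
    DataStore("legacy-billing-export", 12_000, frozenset({"pii", "card"}), False, 90,
              TODAY - timedelta(days=400)),
    DataStore("sales-laptop-07", 3_000, frozenset({"pii"}), False, 30,
              TODAY - timedelta(days=2), portable=True),
    DataStore("marketing-clickstream", 200_000, frozenset({"behavioral"}), False, 365,
              TODAY - timedelta(days=5)),
]

if __name__ == "__main__":
    for name, kind in inventory_findings(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: {kind}")
    print(f"estimated exposure: ${estimated_exposure_usd(SAMPLE_INVENTORY):,.0f}")
    print(f"after purging unused data: ${exposure_after_purge_usd(SAMPLE_INVENTORY, TODAY):,.0f}")
```

On the sample inventory the old billing export is both unencrypted and kept long past its retention period, and the sales laptop holds customer data without encryption; deleting the idle export alone takes roughly $2.5 million off the estimated exposure, which is the "keeping the data comes at a cost" point made in the answer above, expressed in the interview's own per-record figure.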
AG: This of course brings us to the point that risk management can only go so far, which is where cyber coverage comes in. I read a study recently that although companies are aware of the risks, many are still not insuring against it. Why is that?
MP: “We’ve been seeing more demand in the last 18 months for this coverage, getting calls daily on Cyber Liability insurance. The increased frequency of data breaches and the media attention devoted to the cyber threat have helped spike awareness. President Obama’s proposed Cyber Security plan has drawn further attention to the threat, especially with defense industries and governmental institutions being targeted to gain information. There’s more awareness out there than there was five years ago.
“Some companies may hesitate to purchase the coverage because they don’t feel the risk is sufficient, while others may not understand the costs that can be incurred if a breach happens, or they simply don’t have the money to buy the insurance.
“When you discuss the risks and exposures with a company, oftentimes you’re meeting with the decision maker to purchase the insurance as well as the head of IT, who can be adamant that a breach cannot occur. The company has the latest firewall, antivirus, encryption, and so on. But a lot of these breaches happen with rogue employees who have the passwords and can gain access to the files. Or, because an employee accidentally loses a laptop that hasn’t been encrypted and the information is stolen.”
AG: Tell us about NAS’ cyber insurance program.
MP: “Our programs cover the costs I discussed earlier that arise from data breaches. We will cover the insured’s response costs, including legal fees, notification, credit monitoring, IT forensics, and call center operation. A customer that has had a data breach has access to our claims hotline. We will guide the client through the process from start to finish. It’s very important to get ahead of this type of loss. You don’t want to wait to respond or notify customers because the losses can get much worse. This is the type of thing that can get away from you and if you don’t have control of the media attention, your company can be significantly hurt.
“Other coverages that may or may not be triggered after the response phase include Broad Network Security and Privacy Liability, which defends the insured if a claim or lawsuit is brought against them. We will appoint defense counsel, and vigorously defend the insured and pay any settlement or judgment that arises, up to the limit.
“There’s a regulatory component of the coverage, which will cover defense and pay fines and penalties as a result of regulatory action. For example, the healthcare industry falls under HIPAA or the HITECH Act; there are a number of regulations in place for financial institutions, such as the Red Flag Rule; as well as other regulatory agencies that can come after you if you have a breach.
“We also offer first-party coverage called Network Asset Protection, which has two sections. The first component covers data recovery or recreation for a company that suffers some type of attack or loss of information. Data is a significant asset for companies, and if it is lost or corrupted or the server fails, that can be a substantial cost for the company. The policy will respond and pay for the data to be recovered or recreated. The other component is Business Interruption, which covers loss of income associated with a company’s network going down.
“The easiest example to provide is an online retailer like amazon.com. Amazon gets most of its income between Thanksgiving and Christmas. If its system goes down, even for a few hours, Amazon can lose millions of dollars. Once a network goes down, our policy will begin to pay for lost revenues. This doesn’t apply to only online retailers but also other companies that would have a hard time doing business without their networks.
“Another coverage that the product includes is Cyber Extortion, which is basically Kidnap & Ransom coverage for data. If there’s an extortion threat by a hacker or criminal – either the insured’s system has already been hacked and the hacker has the data and is asking for money or else the information will be released, or the hacker is asking for money to refrain from knocking down the site – law enforcement determines if it’s a credible threat and, if it is, the demand will be paid by the policy.
“Cyber Terrorism is available and pays Business Interruption or revenue loss if a company’s network goes down because of a cyber terrorism act, which is a growing risk today. A number of countries are using the Internet as a weapon. If they knocked down the Internet in the U.S., and it caused significant loss of income to the insured, this coverage will kick in to pay for the loss.”
Mike explained there are standard limit sizes depending on the size of risk, with the ability to customize the coverage depending on the client’s needs. The programs, Netguard Plus and e-MD™ for physicians and the healthcare industry, are national and available on an open-access basis.
NAS also offers a proprietary online risk management suite with the purchase of its Cyber policy that can help a company understand their exposure, understand the regulatory environment, train their employees, and create policies to manage their risk.
AG: What would you recommend to agents and brokers when talking with their clients about cyber risks and the need for coverage?
MP: “Cyber risks and a company’s exposure are definitely a conversation that everyone should have with their clients, and it should be an integral part of the client’s risk assessment. Ask the client how much info they’re storing and determine what their risk would be and the average cost if the information is lost. Is this something the insured wants to self-insure?
“It’s important for brokers to understand the cost of potential breaches so that they can explain it to their clients and make them aware of their exposures. A lot of people don’t realize how much it can cost, which also contributes to why many don’t buy the coverage.
“Twenty years ago, in California, barely anyone was buying EPLI coverage as they weren’t aware of the cost of claims. Now, it’s one of the coverages talked about, with the majority of companies purchasing the coverage. The rise in wage and hour claims, for example, made this part of the insurance and risk management equation. Cyber Liability is similar in its development as EPLI once was. It’s evolving and changing and becoming more prevalent as a must-have insurance product.”