The collection, use, and transmittal of private data by businesses has never been higher than it is today. Unfortunately, so is the misuse and theft of such information, stemming from negligence and cyberattacks. Faced with rapidly changing technology, increasingly sophisticated cyber-criminals, and heightened regulatory and compliance obligations, companies are confronting greater challenges than ever in today’s information age. Dealing with data security issues has gone from being something on your IT director’s “to do” list to a matter of corporate survival, right down to being incorporated into risk management and insurance planning.
Those seeking reasons for such increased emphasis need look no further than news reports. Since 2005, American businesses and government agencies have had more than “100 million consumers’ privacy compromised as a result of lost or stolen data, at an estimated cost per person of $180,” says partner Robert J. Scott of Dallas law firm Scott & Scott LLP. In January 2007, millions of consumers’ personal information was put at risk by a security breach at retail giant TJX Cos. (parent company of TJ Maxx, among others). This past May, hackers managed to access the information of an estimated 1 percent of Citicorp’s 21 million customers, including account information for some 360,000 credit cardholders.
And in June, hackers calling themselves LulzSec obtained the data of more than 1 million Sony customers—including passwords, email addresses, phone numbers, home addresses, and dates of birth. By the end of that month, at least 3,400 of the affected customers had reported suffering a combined loss of $2.7 million, according to the information clearinghouse/industry watchdog site Databreaches.net.
Texas companies and government agencies haven’t been immune to data security issues. In April 2011, the Texas Comptroller’s office went public with the biggest security breach in state history, acknowledging that the personal data (including Social Security numbers and license numbers) of approximately 3.5 million Texans was exposed. Internal protocols were ignored, leaving a wealth of unencrypted information from the Teachers Retirement System, State Employees Retirement System, and the Texas Workforce Commission available on a public site for more than a year before the blunder was discovered. Although the state responded quickly, staffing a 24-hour call center and incurring at least $1.8 million in mitigation costs and consulting fees for outside experts, the true cost—after lawsuits as well as the toll of identity theft and fraud—is yet to be determined.
This past April, Irving-based Epsilon, a unit of Plano’s Alliance Data Systems Corp., reported a potentially massive data security breach. The advertising firm manages email communications for more than 2,500 clients, including Best Buy, Marriott International, and Kroger Co., as well as financial services entities like Chase, Citigroup Inc., Capital One, and Ameriprise Financial. In the breach, millions of email addresses and consumer names (but no personal information) were exposed.
Data breaches aren’t exclusively caused by malware or hackers; sometimes the loss or theft of a company-owned laptop is all it takes to trigger a security breach. This past May, Methodist Charlton Medical Center in Dallas reported the theft of a laptop that contained personal information for patients during a four-year period. And in August 2011, Texas Health Presbyterian Hospital in Flower Mound reported a similar theft of a company-issued laptop, which contained both medical history information and personal information (such as employer and Social Security number) for an undisclosed number of patients.
Data security issues can significantly impact a company’s bottom line. According to the Ponemon Institute’s Second Annual Cost of Cyber Crime Study in July 2011, the average annualized cost per company for such cyberattacks and data breaches comes to $5.9 million. This represents a 56 percent increase from the costs reported in the think tank’s inaugural 2010 survey. Although “negligence” is still cited as the leading cause of data breaches (accounting for 41 percent, according to Ponemon), “malicious or criminal attacks” are on the rise, accounting for 31 percent of the security losses. According to the Ponemon Institute, cyberattacks can be costly, especially if they’re not resolved quickly. The study found that the average time to resolve such a security breach is 18 days, at an average cost to a company of $416,000. However, industry experts like consultant and U.S. National Cyber Security Council board member Israel
Martinez point out that prior planning, in the form of both enhanced internal security and risk management solutions, can lessen the financial impact of cyberattacks. “The need to prevent internal attacks as well as external cannot be overemphasized,” he says. “Hackers implementing identity theft attacks conduct a variety of infiltration techniques, often gathering intelligence about an employee through services such as Google or sites like Facebook or LinkedIn. Once enough information is collected, the culprit ‘hijacks’ the victim’s identity or simply accesses the victim’s application and sends an infected email to an unsuspecting fellow employee, further deepening the security breach.”
Martinez says that with enhanced software protection and proper monitoring, “an IT administrator can rapidly detect who has been breached, the nature of the attack and the IP address of the attacker.” In fact, the Ponemon Institute notes that companies implementing such measures can reduce the costs of cyberattacks by as much as 25 percent.
Failures in corporate security can trigger significant costs for a company, ranging from data breach and privacy lawsuits to the financial impact of compliance with breach notification laws (Texas is one of approximately 35 states with such regulations), to the incalculable harm to a corporate brand. Realizing that traditional insurance didn’t adequately address such exposures, businesses have begun to turn to insurance carriers offering coverage for cyberliability and network security.
Insurers like Chartis (formerly AIG) and XLInsurance offer programs aimed at companies that hold and manage personal information for customers. Policies can be tailored to the size of the business and the nature of the information at issue, and they can encompass every scenario from stolen laptops or dishonest employees to system risks or tech breakdowns that can compromise personal data.
With limits that sometimes range as high as $25 million, these insurance policies are intended to address not just the costs associated with data breach claims, but also business interruption losses, legal fees, and the toll that crisis management can take, such as public relations consultants, notification costs (in the Texas State Comptroller’s case, it cost $1.2 million simply to mail letters to those whose data was exposed), and customer access to credit counseling services, according to Steven Anderson, assistant vice president and senior underwriter at XLInsurance in Dallas. Not surprisingly, members of the highly regulated financial services and health care industries have been among the first to embrace such insurance options.
“We are beginning to see an increased interest in all industries, not just tech companies,” Anderson says. “Companies are beginning to realize that just because you aren’t an online retailer, for example, you still have the exposure of sensistive first-party and third-party data stored on your networks.”
Companies have already witnessed the escalating costs involved with reacting to breaches of cybersecuity. Although enhanced security measures and cyber-liability coverage don’t come cheap, more businesses are facing up to the fact that being proactive can save them money and headaches.
John Browning is a partner at the law firm of Lewis, Brisbois, Bisgaard & Smith in Dallas, an award-winning journalist, and the author of The Lawyer’s Guide to Social Networking.