Why Not Pull the Trigger on Cyber - Privacy Liability Insurance?
Almost every business collects sensitive data. This means that almost all businesses are at risk of a privacy breach that results in unplanned expenses like forensics, legal fees, notification and monitoring costs. Some breaches even have legal fees from class action lawsuits or regulatory actions. For other unplanned expenses like a building fire or a heart attack, companies and individuals alike purchase insurance as a way to protect themselves and/or their assets. For organizations with sensitive data, which is most, there is cyber/privacy liability insurance to protect them, so why don’t all organizations buy this coverage.
Cyber - Privacy Liability Insurance is available to all businesses. It is a relatively new insurance product and many organizations are asking their insurance agents what products best meet their specific needs. I find it interesting that a very high percentage of organizations are considering this coverage but a relatively low percentage are currently buying it. If you attend any conference on the topic, many insurance carriers say they have been offering the coverage for years ago however the majority of organizations still have not purchased it. I'm trying to understand why that is the case since this risk has been around for nearly 10 years when California enacted the first data breach notification law.
I believe there are two basic reasons why companies have not yet purchased Cyber - Privacy Liability Insurance. The first factor is that insurance premiums are typically determined based on revenue and potential size of loss which are difficult factors to use when trying to determine the risk and costs of a data breach. Typically data breaches are dependent upon your industry, the type of data you collect, who you share it with and how you protect it. How compliant you are to the regulations also has a considerable bearing on the amount of potential liability post breach.
When you are considering insurance to protect your home or your automobile it's a lot easier because we know the values of these items with a high degree of certainty and the likelihood of damage or other types of loss to those assets, so it’s easier to determine the amount of coverage and the appropriate premium. With protected health information (PHI) or personally identifiable information (PII) it's significantly more challenging to put a value on it. The level of compliance and how well trained your staff are at following those policies and procedures are important factors. Routine risk assessments can be helpful to assess and quantify these risks, but many industries still do not have a well-developed compliance program due to a lack of resources. In other words they have a difficult time justifying the expense of compliance until after it is too late.
If there was a way to “put a number on it” many projects that are currently on hold may be able to calculate a straightforward Return on Investment that would show value in many desired projects that are currently on hold. Well, the value estimator exists now and the American National Standards Institute (ANSI) has completed a report that is available to anyone and can be downloaded for free.
This report provides information that will enable organizations in the health care sector to build a strong business case for the benefits of investing in PHI protection and turning compliance with privacy and security laws to their market advantage. The report explores the reputational, financial, legal, operational, and clinical repercussions of a PHI breach on an organization, and offers a 5-step method – PHIve (PHI Value Estimator, pronounced “five”) – for evaluating the “at risk” value of their PHI. This tool estimates the overall potential costs of a data breach to an organization, and provides a methodology for determining an appropriate level of investment to reduce the probability of a breach. Download the report at www.ansi.org/phi
If you are an executive tasked with protecting your organizations private data you should attend the PHI Protection Workshop in Boston March 11-12. Any organization that completes the workshop and accurately understands the value of their data will have two basic outcomes. First you will be able to justify additional investments in technology, training and staff to minimize risk. The second is important to the insurance community, if you are an insurance agent or broker you will learn how to help your clients value their data. Understanding this process will bring tremendous value to your clients and that valuation is a key piece to the investment of insurance.
ID Experts has clients who have already successfully used this estimation process to secure additional insurance to protect their highly vulnerable organization. They were able to determine how much is appropriate and justify it because of this report.
The second major hang up for companies who are interested but not buying this type of insurance is the knowledge level necessary from the broker to connect the dots from compliance, privacy, and risk management. Nearly every day I speak with folks who are potential insured, or who are insurance agents and brokers offering this type of insurance. Often I see insurance brokers are extremely knowledgeable in regards to limits and coverage terms but not as educated on privacy and security risks related to a data breach. They often focus on the wrong parts of a policy, in my opinion. The result is a broker who may be advising clients on insurance policies that will not hit the mark for their client putting their own reputation at risk as an insurance agent. When this is the case agents that are presenting cyber coverage tend to go with the simplest, best limits, and most marketed policy (safety in numbers) approach to the coverage.
From my side of the breach response world I see these policies as having more protection for the wrong issues. It is not common for a breach to end in litigation or result in significant fines, the liability is much more tied to the notification expenses so flexibility here makes sense. Executives want to control how the “bad” news is communicated to their customers more than extra 3rd party liability coverage.
So how do we solve this problem? The simple answer is more education but there are so many sources of education where do we start? I would recommend a few basic reliable sources one of which is our own website that is extremely helpful and educational and with a consistent flow of webinars that are free to our attendees and provide education focused around privacy and security risks so you can’t go wrong. Who better to learn from than the folks that spend all day working through these kinds of challenges for our customers?
Another great source I recently learned of is from AIG. They recently released CyberEdge, a new app for your iPad. This app is free and an easy source for lots of different news relative to privacy breaches and information on different case studies all related to this type of incident
Here is a list of other sources I visit routinely to stay on top of my game:Back to blog