Thursday, September 27, 2012

Data Breach Part III - What It Is

Not being able to visually depict a data breach, I found a photo of an earthen dam being breached. Similar to water, when data is not contained where it’s supposed to be, the result can be damaging and costly.
Data Breach coverage is first party coverage, meaning it’s intended to provide coverage to your client if they experience a loss of THEIR customers’ *personal information. There’s no need for the policy to be triggered by a suit or other demand for damages as you would expect in a third party claim. (*Personal information includes credit card numbers, driver’s license numbers and/or social security numbers. Most of the U.S. Government’s info on this subject refers to such customer info as “personally identifiable information”, or PII; some carriers are simply calling it “personal information”, or PI.)
In addition, even if your client doesn’t have thousands of customer records containing PI that are lost or stolen, the fact that this info COULD have been compromised is usually all that’s necessary to trigger the notification requirements spelled out in state and federal laws. Simply put, your client could very well be on the hook to send out written notification to ALL of its clients, even if only one record is lost or stolen.
In addition to existing federal laws, forty-six states have enacted laws regarding notification. The notification requirements are not standardized, and if your client has customers in multiple states the likelihood of your client knowing the statutes and being able to quickly and easily comply with them is slim and none, and you guessed it - slim has already left town. The cost of a reputable, qualified third party to perform the notification task for your client varies greatly based on territory and some other factors, but I’ve seen estimates from $50 to $250 per customer record. (If you need help explaining the reason for the costs being so high, I can help with that.)
If you want documentation of those costs, there aren’t a lot of options available just yet, but try the report from Ponemon Institute in association with Symantec. For the events they could verify, they show that the cost of notification for 2011 was $194 per record.
This report also shows the difference in breach event costs between companies that have chief information security officers and those that don’t, as well as several other factors.
Other “hard” costs that your client may have to deal with are regulatory costs and credit monitoring services. Regulatory costs could include fines, penalties and/or the establishment of a compensatory fund – all as determined by the regulator. Your client must also provide credit monitoring services for those customers who may have had their information compromised. It’s usually a requirement for a company that’s had a breach to provide their customers with at least one year of credit monitoring services from a qualified third party vendor.
In addition to hard costs there are “soft” costs that are likely to be associated with a data breach: abnormal turnover of customers, increased customer acquisition (or re-acquisition) activities, reputation losses, as well as diminished goodwill.
Obviously there’s more to consider, but hopefully this gives you an idea of what’s at stake and helps you evaluate which of your customers may need to consider this coverage. In the next post I’ll look at coverage options available.

Tuesday, September 11, 2012

Remembering, Honoring

An American flag flies at half staff next to a twin towers statue at Tyrrell Park in Beaumont in 2011. Guiseppe Barranco/The Enterprise

I feel compelled to post something today regarding the anniversary of 9-11. I know it’s not going to be profound or life altering, but it’s important to me to do so.

On September 11, 2001 in New York City many innocent lives were taken and many others were injured. And those of us who were somewhere else at the time were impacted in some way. I hope people take a moment today to remember those who died and those who were permanently damaged physically and/or emotionally. And to remember those who tried their best to help their fellow human beings, many of them at the loss of their own lives.

I think that’s what I want to remember as much as anything else, that people still care about other people. That we can actually do something good and positive for others around us, even if we don’t know them at all.

We can’t change what happened, and I for one still can’t really make sense of it. But I know that I can do something to remember and honor those human beings that died that day. I can find someone today that I can help, or encourage or love. Maybe more than one someone, and maybe not just for today.