Not being able to visually depict a data breach, I found a photo of an earthen dam being breached. Similar to water, when data is not contained where it’s supposed to be, the result can be damaging and costly.
Data Breach coverage is first party coverage, meaning it’s intended to provide coverage to your client if they experience a loss of THEIR customer’s *personal information. There’s no need for the policy to be triggered by a suit or other demand for damages as you would expect in a third party claim. ( *personal information includes credit card numbers, driver’s license numbers and/or social security numbers. Most of the U.S. Government’s info on this subject refers to such customer info as “personally identifiable information”, or PII; some carriers are simply calling it “personal information”, or PI).
In addition, even if they don’t have thousands of customer records containing PI that is lost or stolen, the fact that this info COULD have been compromised is usually all that’s necessary to trigger notification requirements spelled out in state and federal laws. Simply put, your client could very well be on the hook to send out written notification to ALL of it’s clients, even if only one record is lost or stolen.
In addition to existing federal laws, forty six states have enacted laws regarding notification. The notification requirements are not standardized, and if your client has customers in multiple states the likelihood of your client knowing the statutes and being able to quickly and easily comply with them is slim and none, and you guessed it - slim has already left town. The cost of a reputable, qualified third party to perform the notification task for your client varies greatly based on territory and some other factors, but I’ve seen estimates from $50 to $250 per customer record. (if you need help explaining the reason for the costs being so high, I can help with that)
If you want documentation of those costs, there aren’t a lot of options available just yet, but try the report from Ponemon Institute in association with Symantec. For the events they could verify, they show that the cost of notification for 2011 was $194 per record. http://www.symantec.com/about/news/release/article.jsp?prid=20120320_02
This report also shows the difference in breach event costs between companies that have chief information security officers and those that don’t, as well as several other factors.
Other “hard” costs that your client may have to deal with are regulatory costs and credit monitoring services. Regulatory costs could include fines, penalties and/or the establishment of a compensatory fund – all as determined by the regulator. Your client must also provide credit monitoring services for those customers who may have had their information compromised. It’s usually a requirement for a company that’s had a breach to provide their customers with at least one year of credit monitoring services from a qualified third party vendor.
In addition to hard costs there are “soft” costs that are likely to be associated with a data breach; abnormal turnover of customers, increased customer acquisition (or re-acquisition) activities, reputation losses, as well as diminished goodwill.
Obviously there’s more to consider, but hopefully this gives you an idea of what’s at stake and helps you evaluate which of your customers may need to consider this coverage. In the next post I’ll look at coverage options available.