Information Security News: Dark Day Planning: Insuring Against Data Loss

[InfoSec News <alerts () infosecnews org>]

http://www.eweek.com/article2/0,1895,2073528,00.asp

By Matt Hines
December 15, 2006

The list of data breaches involving sensitive personal information 
maintained by the Privacy Rights Clearinghouse achieved a significant 
milestone Dec. 13, as the nonprofit group saw the total number of 
records exposed in such events crest the 100 million mark.

Since the PRC first began tracking data losses in February 2005, when 
consumer data aggregator ChoicePoint reported that fraudsters had gained 
access to 163,000 consumer records, most states have passed legislation 
forcing companies to inform individuals when their information may have 
been lost. The laws also essentially compel companies to admit their 
mistakes publicly.

Threatened by financial losses related to data leakage events, which now 
include potential payouts to consumers and regulators as well as 
revenues lost because of damage done to their corporate reputations, 
enterprises are turning to their insurance brokers seeking new levels of 
protection.

"The impact of those breach notification laws is just starting to 
permeate through business because of all the press given to the events 
and the growing expectation for companies not only to notify customers 
but also [to] pay for services such as credit monitoring," said Nancy 
Callahan, vice president of the Identity Theft and Fraud Division of 
insurance giant American International Group, in New York.

"The costs for informing and supporting affected consumers can be 
expensive, and there's also the additional cost of regulatory 
investigations and civil lawsuits."

As a result of the widening impact of data losses, AIG has seen its 
business of providing insurance for potential corporate security 
failures shift increasingly toward protection for privacy-related risks. 
Another growing driver for new forms of insurance is the many government 
data compliance regulations that threaten stiff penalties for companies 
that cannot effectively defend their information, such as the 
Sarbanes-Oxley Act, according to Callahan.

The parameters of these newly crafted insurance policies are determined 
by the size of the company, the volume of data it handles and the level 
of protection it has established to protect IT infrastructure.

At an Information Technology Association of America conference in 
Virginia in November, U.S. Rep. Tom Davis, R-Va., told security experts 
that he believes private companies and government agencies are failing 
to report all their data losses, partly out of fear of the financial 
repercussions.

As an example of the potential fallout of a serious breach, researchers 
point to the Department of Veteran Affairs' laptop theft incident in 
May, through which the agency exposed the records of an estimated 28.6 
million former servicemen and servicewomen.

If the class action lawsuit currently pending against the agency in 
Washingtonwhich seeks damages of $1,000 for every person listed in the 
missing fileswere to win a settlement for every veteran affected by the 
information breach, the government would be on the hook for $28.6 
billion.

More recently, on Dec. 12, the University of California, Los Angeles 
reported that a database loaded with the personal information of current 
and former students, faculty and staff was hacked by outsiders. The 
massive breach is the type of event that will push more states to put 
strict data protection laws on the books.

"In next two years, all 50 states will have similar laws in place 
patterned after California's 1386 law," said Robert Scott, attorney with 
Dallas-based Scott & Scott, which specializes in IT compliance law. "As 
a result, there are a lot of companies doing assessment of insurance 
coverage right now. Many don't even know what their existing coverage 
for these events may be or what's available."

Researchers say the majority of identity fraud is still carried out by 
traditional means, such as dumpster diving and credit card schemes, but 
indicated that the perceived risk of ID theft via the loss of electronic 
records will likely continue to present businesses with new financial 
liabilities.

However, the proliferation of state data-handling laws and compliance 
regulations should actually make it easier for enterprises and their 
insurers to prepare for potential mishaps, said Larry Ponemon, chairman 
of Ponemon Institute, in Elk Rapids, Mich.

Information losses cost U.S. companies an average of $182 per 
compromised record in 2006, compared with an average loss of $138 per 
record in 2005an increase of about 31 percent, according to a report 
published by the Ponemon Institute in October.

"I'm not surprised at all that the insurance industry is starting to 
take advantage of this, only that it's taken this long for the market to 
develop," Ponemon said.

"But without the automatic penalties created by the laws, it was hard 
for them to underwrite the risk. Business executives are troubled by the 
idea of how you define the risk of a catastrophic system blowup or 
breach involving millions of customers, so insurance companies are 
seeing the potential for a fairly serious market for policies that help 
mitigate these risks."


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn