By MATTHEW BRODSKY, senior editor/Web editor of Risk & Insurance®
Two important lessons regarding data security came out of this month's uproar over the Epsilon breach.
The first is that many data security insurance or privacy insurance policies might not cover such an event for the clients of the now infamous email services provider.
"The question there is: What are the damages?" said Adam Sills, who runs the technology errors-and-omissions division at Allied World.
In the case of the Epsilon breach, it appears that only names and addresses were lost. In the legal world of cybersecurity, these data points aren't technically considered personally identifiable information, unlike such linkable data as Social Security numbers, medical information or financial data, for example. And in the world of many insurers, policies are only triggered by the loss of such personally identifiable information.
The key here is state law and the fact that most states mandate that companies notify consumers if personally identifiable data has been possibly lost or breached, said Leib Dodell, CEO of the managing general underwriting agency ThinkRisk, part of Ryan Specialty Group.
So policies might only pay out for the costs of legally mandated notifications, Dodell explained. On the other hand, some data security and privacy policies could be broad enough to include voluntary notifications, such as the ones carried out by many of Epsilon's clients in the weeks since the breach was announced in late March.
Another coverage issue could be the fact that the lost data was in the hands of a third party. Some policies are written broadly enough to include data not in insureds' hands, some not, Dodell said.
With such a difference between one carrier's cyberpolicy and another's, the market is the "Wild West of insurance," according to Scott Godes, the Washington, D.C.-based counsel in Dickstein Shapiro's Insurance Coverage Practice.
"There's such a variety in the marketplace for cyber coverages," he said.
Dodell estimated that there are 10 legitimate insurance carriers in the now competitive data security and privacy insurance marketplace, up from three or four a couple years ago.
Of course, the first question we should all be asking is if Epsilon's clients have data security or privacy insurance policies. For larger organizations, said Dodell, this sort of coverage is getting to be ubiquitous.
The problem could be, however, that these seemingly sophisticated enterprises don't view all client and customer data as falling into that top tier of personally identifiable information. Here is our second lesson out of Epsilon.
"If I'm taking any data from my customers, I should be viewing it as personally identifiable information," said Erich Bublitz, Technology practice leader at ThinkRisk.
Allied World's Sills gets the impression from talking to the marketplace that many larger companies don't have particular safeguards in place in terms of how vendors protect email information.
"When information isn't considered personally identifiable, there are a lot fewer safeguards in place," he said.
Hypothetically speaking, these firms might then not put as much pressure on third-party vendors such as Epsilon to have security as rigorous as they would require if the vendors were handling health information, Sills explained. They might not require on-site audits, and they might not apply such tough contractual risk management either. And this is among larger organizations, mind you.
The middle market has even less awareness about this exposure and how to deal with it, the underwriter said.
On April 1, Epsilon notified its clients of the breach, including the likes of Verizon, JPMorgan Chase, Robert Half International, Marriott and perhaps as many as 50 to 60 more, which use the email service provider to manage their email marketing campaigns. In the days that followed, many of these firms notified their customers that their names and email addresses might have been compromised. The main risk of this to consumers, it has been reported, is that they could then become targets of "spear phishing" attacks, in which cybercriminals pose as legitimate businesses to trick marks into releasing personally identifiable information.
According to Reuters, it's estimated that Dallas-based Alliance Data Systems Corp., Epsilon's parent, could face $100 million or more in costs and lost sales from the incident, or about 4 percent of its prior-year revenues.
If the firm has technology errors-and-omissions insurance, Dodell said, most of this might end up with that underwriter.
"It'll take years for all these potential liabilities to play out," he added.
April 18, 2011
Copyright © 2011 LRP Publications