Privacy Breach Insurance; new solution for mitigating the risk of credit card and identity breaches

Yesterday’s announcement by the retailer Hannaford looks to be the second largest credit card security breach in history. It is reported that some 4.2 million credit card numbers and expiration dates have been stolen. With unfortunate regularity companies are disclosing they are the latest victims of massive credit card or Personally Identifiable Information (PII) theft. This has gotten the attention of a few Insurance companies who, in response, have created a new insurance product called Privacy Breach Insurance. Companies like Chubb, AIG, and Executive Risk are betting that as the information theft problem continues to escalate, companies will increasingly turn to privacy insurance as a way to stave off the risk and reduce the financial impact of a privacy breach.

Quoting from one of AIG’s products, this type of insurance protects policy holders from; “the liability that arises when private or confidential information is put at risk due to failure of computer security or wrongful release or disclosure of information by the insured, the insured’s employee or another third party.” What I find very interesting, and even compelling, is that the protection is extended even if the privacy breach was the fault of a third party, i.e. business partner or hacker. Given that the majority of privacy breaches are perpetrated by third parties this makes the insurance offering viable.

AIG's security and privacy insurance offers coverage from the liability arising from the following: (Note: coverage from other insurance vendors are similar)

• A failure of your network security protections
• A failure to protect or wrongful disclosure of private or confidential information
• A failure to protect PII from misuse or theft
• A violation of any federal, state or local privacy statute alleged in connection with the failure to protect PII

Privacy Breach insurance products offer policy holders all sorts of benefits. Here is just a sampling:

• Covers expense of third party damages and legal claims
• Covers fines and penalties imposed by federal, state, and local governments
• Covers the expense incurred in notifying customers of a breach and the cost of mitigating reputational damage done
• Covers expense of defense costs within policy limits
• Covers expense incurred repairing or cleaning up the breach
• Covers expense of fines levied by banks and credit card companies due to a privacy breach

I’ll be watching to see if this insurance offering starts to gain momentum. And if it does will companies start to rely on it at the expense of vigorously defending their networks from intrusions. Not to say that companies will stop defending their networks, but will they be less vigorous of their defense given the protections they are being offered by their insurance carrier.

Additionally, if this insurance takes off and is successful will Insurance companies start to require companies to maintain a certain security posture and maintain security standards. Kind of like a PCI standards requirement for Insurance policy holders. If they do go down that road I just hope that the security standards they adopt are concise, meaningful, and precise. I’d like to hear from anyone who has purchased or looked at purchasing Privacy Insurance and what your experience was. So is this insurance offering a boon or bust for companies dealing with the risks of privacy breach?
For more info on the Hannaford breach see here:
http://www.networkworld.com/news/2008/031708-hannaford-data-breach.html