Network World
Thursday, May 15, 2008

Jamey Heary: Cisco Security Expert

Cisco Subnet
Insurance broker for Hannaford provides insider view on data theft insurance

I have been exchanging emails off-line with Kevin P. Kalinich, J.D. Kevin is the Co-National Managing Director of the Financial Services Group at Professional Risk Solutions. A couple of days ago Kevin emailed me a response to my blog on the Hannaford credit card theft and the state of privacy breach insurance. Kevin is a pioneer in this emerging insurance space, and I found his insight and experience very valuable. He sent me an excellent (30+ page) whitepaper he authored on the current state of the privacy breach insurance marketplace. You can get a copy of Legal Exposures to the Maxx here. It is a must read for any company considering a privacy breach insurance policy. With Kevin's permission, here is the dialog we have had so far. I recommend you first read my original Privacy Blog here so you can follow along.
**********

Dear Jamey:

Since Aon is the insurance broker for Hannaford, among many others, we cannot comment on this specific incident. However, Privacy and Security insurance policies may respond to many of the exposures you detailed if customized. Most of the base policies have extensive exclusions without negotiation. In addition, regulatory fines and penalties (e.g. FTC, State Attorneys General, etc.) are generally prohibited by law from being covered. The theory is that it is against public policy to compensate a "bad actor" for his breach of law.
I have attached a White Paper for your review that sets forth some of the salient issues.

Kevin P. Kalinich, J.D. | Financial Services Group – Professional Risk Solutions
Co-National Managing Director

***
Hi Kevin,
Thanks for your interest in my article and your informative response. I would agree with you that in this country there may be laws prohibiting the coverage of some fines, but I would argue that PII theft is a global issue. If a global company experiences a PII intrusion originating from its Brazilian branch that ultimately results in PII data being compromised in other branches around the globe, said company is likely to be fined by multiple countries, states, and localities. Other countries, like Canada, do allow coverage of fines. Since we have a global audience and individuals working for global companies on Network World, it makes sense to include this info. For an example of this type of coverage, take a look at the Executive Risk Services coverage highlights.
http://www.executiveriskservices.com/pdf/privacy_network/Privacy_Network_Liability_brochure.pdf

How would a company like Aon respond to this type of global threat and resulting fine coverage in a privacy breach insurance policy? Would it be possible to structure a policy that allowed the insured to recover the costs of fines where applicable/allowed?
Does Aon have a privacy breach insurance type product? If so, can you send me a link to it? I'd like to learn more.

***
Jamey:

You are dead-on for each point.

1. Privacy is a global issue and the laws (and culture) in foreign jurisdictions vary. The coverage must be true worldwide coverage regardless of the location of the occurrence, damage or litigation. However, since the U.S. is the most litigious country, the defense costs here have been the biggest portion of insurance pay-outs to date.

2. Aon is an insurance broker that represents entities that may have data breach exposures. As such, we analyze the unique exposures of each client, quantify and qualify the potential losses, map them against potential coverage and prepare insurance carrier comparisons for each risk. Most base forms have material gaps in coverage that must be negotiated to be useful.

3. For example, the request for fines and penalties coverage, where legally acceptable, is a good example of customized coverage. There are many more intricacies to address (see some examples in the attached White Paper below).

***
Kevin,
Like most things in life, the devil's in the details. It looks like privacy breach insurance is no exception.
I just finished skim-reading (it's a long one) the whitepaper you attached. I missed it the first time. It is incredibly in-depth and very well done.
Being an author myself, I can appreciate the work that goes into something like that.
For this type of insurance to move from customized to commoditized, I think the insurance industry will have to adopt its own security standard for policy holders, something similar to life insurance requiring a health screening.
The level of compliance a company has with this security standard would dictate its premium level. This would start to quantify the risk that carriers are taking on and likewise reward (via lower premiums) insureds that maintain a strong security posture. The insurance industry wouldn't necessarily have to define its own security standards; it could re-use an existing one. However, given the pervasive lack of real "teeth" in most of today's security standards, it would be a good idea if they did develop their own.

Also, do you have a link to your whitepaper that I can post there as well? I think many would find it a solid read.

***
Jamey:

Thank you for the compliment.

1. Most insurance carriers underwrite against ISO 27001 (formerly ISO 17799), SAS 70 Type II, etc. However, with respect to data breach exposures, PCI certification is becoming the de facto standard to the extent credit cards are involved. Only a few insurance carriers are sophisticated enough to develop their own standards, which are proprietary. The level of due diligence and variability in premium ratings is incredible. For example, we recently placed a Privacy and Security insurance policy for a healthcare provider. We submitted the application to eight insurance carriers and requested $20 MM in limits with 27 coverage specifications required. After the IT Security due diligence, two carriers declined to offer coverage at any price, two offered coverage with material exclusions (e.g. remote access coverage excluded because of a lack of uniform laptop encryption), and the remaining four quotes varied from $225K to $540K.

2. I am revising the White Paper to incorporate a few recent developments (e.g. the Certegy settlement offer, the SEC proposal to expand privacy regulation, the Red Flag Rules of Section 114 of the FACT Act for FIs, updated data breach statistics, Basel II's impact on IS, the effect of Visa's IPO on its relationship with banks, and a few significant data breach incidents) and should have the updated draft available soon.

I have drafted Security and Privacy Policies

Hello, I am an attorney that has drafted some of the security/privacy insurance policies for some of the top insurance carriers in this space. Understanding the frustration with policy forms that vary from carrier to carrier and require very careful reading, I can say that nonetheless, the current policies provide meaningful coverage. I will go further and say that if you are a big organization (read: juicy target for plaintiffs), having at least breach notice coverage and security/liability coverage is becoming less of an "optional" purchase. However, this risk is not filtering down to the mid-sized and smaller companies -- they need the protection now more than ever. It comes down to risk management -- there is a point where it is no longer cost effective to buy more security, and instead insurance is a cost-effective choice (e.g. instead of building Fort Knox, build 1/2 of Fort Knox and transfer the rest of the risk to insurance). The problem is that security professionals are often unaware of the coverage, don't understand the coverage and don't understand how it fits into managing risk. Brokers like Aon and Marsh are excellent at managing the risk, but typically are dealing with the "big fish," not the smaller/medium companies, for whom a data security breach can mean bankruptcy. Until the market makes meaningful strides to address smaller and medium risk, there will be a TON of liability exposure out there...

P.S. If you want to read more about the legal implications/problems with PCI, check out an article I recently did on my blog:

Link to privacy insurance whitepaper

You can get a copy of Legal Exposures to the Maxx, which I mentioned in this article. He just recently updated it with new information, so it is hot off the press! Download it here. It is a must read for any company considering a privacy breach insurance policy.

Great article and some questions

This is an important question today. Even though I work in IT security, this is something I haven't seen come up too often; it should!

Now the questions (for insurance people mainly). I used to work for/in insurance a long time ago, especially with organizations insuring ships (oil rigs, other large and risky objects) all over the world. Couldn't this work the same way? An insurance company has its own specialists/consultants doing the risk assessments, negotiating the terms and maybe setting the rates? They could also help the companies by showing where and why (maybe for a fee?). At least at that time it was a good business for both sides, insurance company and shipping lines. Or is this already done?

Now, of course, it still leaves small businesses mainly out (because of the cost), but over time, when the risks and statistics are better understood, wouldn't "canned" contracts come out? I did see that happening in the "shipping" business; what was learned moved to land and even to smaller targets.

risk specialists

As I understand it, the cyber insurance carriers and brokers are using risk specialists to determine the insurance premium. According to Kevin this risk process varies from company to company and results in widely varied premium proposals. Kevin gives an example above. This is why I am so hot on having the insurance industry adopt, or develop, a security standard. This standard could then be used consistently across the insurance industry for risk assessments. It should ultimately result in a more predictable premium schedule.
-Jamey


About Jamey Heary

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
