Insurance broker for Hannaford provides insider view on data theft insurance

I have been exchanging emails off-line with Kevin P. Kalinich, J.D. Kevin is the Co-National Managing Director of the Financial Services Group at Professional Risk Solutions. A couple days ago Kevin emailed me a response to my blog on the Hannaford credit card theft and state of privacy breach insurance. Kevin is a pioneer in this emerging insurance space and I found his insight and experience very valuable. He sent me an excellent (30+ page) whitepaper he authored on the current state of the privacy breach insurance marketplace. You can get a copy of Legal Exposures to the Maxx here. It is a must read for any company considering a privacy breach insurance policy.

With Kevin’s permission, here is the dialog we have had so far. I recommend you first read my original Privacy Blog here so you can follow along.

**********

Dear Jamey:

Since Aon is the insurance broker for Hannaford among many others, we cannot comment on this specific incident. However, Privacy and Security insurance policies may respond to many of the exposures you detailed if customized. Most of the base policies have extensive exclusions without negotiation. In addition, regulatory fines and penalties (i.e. FTC, State Attorney Generals, etc.) are generally prohibited by law from being covered. The theory is that it is against public policy to compensate a "bad actor" for his breach of law. I have attached a White Paper for your review that sets forth some of the salient issues.

Kevin P. Kalinich, J.D. | Financial Services Group – Professional Risk Solutions
Co-National Managing Director

***

Hi Kevin,

Thanks for your interest in my article and your informative response. I would agree with you that in this country there may be laws prohibiting the coverage of some fines but I would argue that PII theft is a global issue.

If a global company experiences a PII intrusion originating from their Brazilian branch that ultimately results in PII data being compromised in other branches around the globe, said company is likely to be fined by multiple countries, states, and localities. Other countries, like Canada, do allow coverage of fines. Since we have a global audience and individuals working for global companies on Network World it makes sense to include this info. For an example of this type of coverage take a look at Executive Risk Services coverage highlights. http://www.executiveriskservices.com/pdf/privacy_network/Privacy_Network_Liability_brochure.pdf

How would a company like AON respond to this type of global threat and resulting fine coverage in a privacy breach insurance policy? Would it be possible to structure a policy that allowed the insured to recover the costs of fines where applicable/allowed? Does Aon have a privacy breach insurance type product? If so, can you send me a link to it, I’d like to learn more.

***

Jamey:

You are dead-on for each point.

1. Privacy is a global issue and the laws (and culture) in foreign jurisdictions vary. The coverage must be true worldwide coverage regardless of the location of the occurrence, damage or litigation. However, since the U.S. is the most litigious country, the defense costs here have been the biggest portion of insurance pay-outs to date.

2. Aon is an insurance broker that represents entities that may have data breach exposures. As such, we analyze the unique exposures of each client, quantify and qualify the potential losses, map them against potential coverage and prepare insurance carrier comparisons for each risk. Most base forms have material gaps in coverage that must be negotiated to be useful.

3. For example, the request for fines and penalties coverage, where legally acceptable, is a good example of customized coverage.

There are many more intricacies to address (see some examples in the below attached White Paper).

***

Kevin,

Like most things in life the devil’s in the details. It looks like privacy breach insurance is no exception. I just finished skim reading (it’s a long one) the whitepaper you attached. I missed it the first time. It is incredibly in-depth and very well done. Being an author myself, I can appreciate the work that goes into something like that.

For this type of insurance to move from customized to commoditized I think the insurance industry will have to adopt its own security standard for policy holders. Something similar to life insurance requiring a health screening. The level of compliance a company has with regards to this security standard would dictate their premium levels. This would start to quantify the risk that carriers are taking on and likewise reward (via lower premiums) insurees that maintain a strong security posture. The insurance industry wouldn’t necessarily have to define their own security standards, they could re-use an existing one. However, given the pervasive lack of real “teeth” in most of today’s security standards it would be a good idea if they did develop their own.

Also, do you have a link I can post there as well to your whitepaper? I think many would find it a solid read.

***

Jamey:

Thank you for the compliment.

1. Most insurance carriers underwrite against 27001 (formerly ISO 17799), SAS 70 II, etc. However, with respect to data breach exposures, the PCI certification is becoming the de facto standard to the extent credit cards are involved. Only a few insurance carriers are sophisticated enough to develop their own standards, which are proprietary. The level of due diligence and variability in premium ratings is incredible. For example, we recently placed a Privacy and Security insurance policy for a healthcare provider. We submitted the application to eight insurance carriers and requested $20 MM in limits with 27 coverage specifications required. After the IT Security due diligence, two carriers declined to offer coverage at any price, two offered coverage with material exclusions (i.e. remote access coverage excluded because of a lack of uniform laptop encryption), and the remaining four quotes varied from $225K to $540K.

2. I am revising the White Paper to incorporate a few recent developments (i.e. Certegy settlement offer, SEC Proposal to expand Privacy Regulation, Red Flag Rules of Section 114 of the FACT Act for FI's, Data Breach Statistics updated, Basel II's Impact on IS, the effect of Visa's IPO on its relationship with banks, and a few significant data breach incidents) and should have the updated draft available soon.

Copyright © 2008 IDG Communications, Inc.