The pros and cons of data breach insurance

By Bill Brenner, Senior News Writer
19 Mar 2008 | SearchSecurity.com

Security Wire Daily News
Security incidents at the Hannaford Bros. Co. supermarket chain and elsewhere illustrate the importance of a response plan, but industry experts are less than enthusiastic when asked if such a plan should include data breach insurance.

Some experts say it doesn't hurt to include the insurance as part of a larger data breach response program. But in general data breach insurance is an immature product that lacks uniformity from one provider to the next, others warn.

Data breach insurance has become increasingly popular as the rate of security incidents accelerates. Troy, Mich.-based Royal Group Services Ltd., for example, devotes a healthy chunk of its website to promoting its breach insurance product, saying that "a merchant could incur unexpected costs resulting from a data breach [that could] significantly affect revenue and even jeopardize the existence of the business. This inexpensive policy reduces a merchant's monetary exposure when a presumed or actual data compromise occurs, thus providing peace of mind!"

Meanwhile, Toronto-based Executive Risk Insurance Services is rolling out a data breach insurance category for corporate clients, and similar insurance is available from such companies as American International Group Inc. (AIG) and Chubb Corp.

Indeed, data breach insurance can be useful if incorporated into a larger incident response plan, experts say. But it would be a mistake to think an insurance policy by itself is all that's needed to survive the aftermath of a breach like the one Hannaford suffered. The supermarket chain disclosed Monday that it suffered a serious data breach in which 4.2 million credit and debit card numbers were potentially exposed to identity fraud.

"Insurance is never the complete answer to a security breach," said Brian Davey, a senior consultant at Teed Business Continuity. "It can undoubtedly reduce the direct financial impact of a breach but will not guard against damage to reputation and the consequential loss in client business and future opportunities that can result."

Furthermore, he said, the downside of insurance is that it can lead to complacency, where companies believe that a risk is fully mitigated without understanding the residual risk that still exists.

Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, agrees insurance should not be seen as the be-all, end-all, but he does see it as a useful part of a company's overall business continuity program.

"It is especially good to have it if you are a small business because it transfers some of the risk from an organization that may not be able to deal with all the technological issues," said Nebel.

Nebel suspects that Hannaford already has the insurance, which could come in handy against the $1 million or so he believes the chain will have to spend dealing with the breach. Specifically, he said it makes sense to work a rider on data breach coverage into a company's general liability policy.

"This kind of insurance isn't perfect, but I do recommend it if you can afford it," he said. "It's at least something to have against the millions you'll have to spend in the event of a breach."

Lisa Sotto, head of the privacy and information management practice at Hunton & Williams LLP and vice chair of the DHS Data Privacy and Integrity Advisory Committee, said insurance is one thing to consider when developing a business continuity plan. But it's not the biggest piece of the puzzle.

"Most companies I know of have thought about insurance and rejected the idea, and today it's not the most useful product to purchase because it has holes," said Sotto, who recently co-authored a report (.pdf) on how to navigate the legal minefields of a data breach.

She said there's no one-size-fits-all formula for data breach insurance, and many insurers continue to wrestle over what standard coverage should look like. Furthermore, she said, coverage often includes credit monitoring but she hasn't run into anyone who has taken advantage of it.

"One issue is that there is no immediate evidence that harm has been done," Sotto said. "It's one thing if there are actual identity theft victims, but right now very few victims emerge after a breach, and for data breach insurance to be worth it you need to have a lot more cases of actual victims coming forward."

Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, agreed. In his opinion, a company shouldn't pay for something unless it has clear value and the company can justify the investment. Data breach insurance doesn't meet those criteria, he said.

"The general opinion is that since they don't have any accurate actuarial data, there is no way the insurance companies can properly price it," he said. "As a result, policies may be expensive and, in the end, all it buys you is a seat at the arbitration table. No one knows how this stuff should really be priced or how much it helps. And so it's buyer beware."
