Security incidents at the Hannaford Bros. Co. supermarket chain and elsewhere illustrate the importance of a response plan, but industry experts are less than enthusiastic when asked if such a plan should include data breach insurance.
Some experts say it doesn't hurt to include the insurance as part of a larger data breach response program. But in general, others warn, data breach insurance is an immature product that lacks uniformity from one provider to the next.
Data breach insurance has become increasingly popular as the rate of security incidents accelerates. Troy, Mich.-based Royal Group Services Ltd., for example, devotes a healthy chunk of its website to promoting its breach insurance product, saying that "a merchant could incur unexpected costs resulting from a data breach [that could] significantly affect revenue and even jeopardize the existence of the business. This inexpensive policy reduces a merchant's monetary exposure when a presumed or actual data compromise occurs, thus providing peace of mind!"
Meanwhile, Toronto-based Executive Risk Insurance Services is rolling out a data breach insurance category for corporate clients, and similar insurance is available from such companies as American International Group Inc. (AIG) and Chubb Corp.
Indeed, data breach insurance can be useful if incorporated into a larger incident response plan, experts say. But it would be a mistake to think an insurance policy by itself is all that's needed to survive the aftermath of a breach like the one Hannaford suffered. The supermarket chain disclosed Monday that it suffered a serious data breach in which 4.2 million credit and debit card numbers were potentially exposed to identity fraud.
"Insurance is never the complete answer to a security breach," said Brian Davey, a senior consultant at Teed Business Continuity. "It can undoubtedly reduce the direct financial impact of a breach but will not guard against damage to reputation and the consequential loss in client business and future opportunities that can result."
Furthermore, he said, the downside of insurance is that it can lead to complacency, where companies believe that a risk is fully mitigated without understanding the residual risk that still exists.
Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, agrees insurance should not be seen as the be-all, end-all, but he does see it as a useful part of a company's overall business continuity program.
"It is especially good to have it if you are a small business because it transfers some of the risk from an organization that may not be able to deal with all the technological issues," said Nebel.
Nebel suspects that Hannaford already has such insurance, which could come in handy against the $1 million or so he believes the chain will have to spend dealing with the breach. Specifically, he said it makes sense to add a data breach coverage rider to a company's general liability policy.
"This kind of insurance isn't perfect, but I do recommend it if you can afford it," he said. "It's at least something to have against the millions you'll have to spend in the event of a breach."
Lisa Sotto, head of the privacy and information management practice at Hunton & Williams LLP and vice chair of the DHS Data Privacy and Integrity Advisory Committee, said insurance is one thing to consider when developing a business continuity plan. But it's not the biggest piece of the puzzle.
"Most companies I know of have thought about insurance and rejected the idea, and today it's not the most useful product to purchase because it has holes," said Sotto, who recently co-authored a report (PDF) on how to navigate the legal minefields of a data breach.
She said there's no one-size-fits-all formula for data breach insurance, and many insurers continue to wrestle over what standard coverage should look like. Furthermore, she said, coverage often includes credit monitoring but she hasn't run into anyone who has taken advantage of it.
"One issue is that there is no immediate evidence that harm has been done," Sotto said. "It's one thing if there are actual identity theft victims, but right now very few victims emerge after a breach, and for data breach insurance to be worth it you need to have a lot more cases of actual victims coming forward."
Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, agreed. In his opinion, a company shouldn't pay for something unless it has clear value and the company can justify the investment. Data breach insurance doesn't meet those criteria, he said.
"The general opinion is that since they don't have any accurate actuarial data, there is no way the insurance companies can properly price it," he said. "As a result, policies may be expensive and, in the end, all it buys you is a seat at the arbitration table. No one knows how this stuff should really be priced or how much it helps. And so it's buyer beware."