European risk managers must be ready for a data breach
The last few years have witnessed a growing number of data breaches that in some cases have involved huge numbers of individual records.
In the U.K., back in 2007, H.M. Revenue and Customs managed to lose computer discs that contained around 25 million child benefit claimant records. And in the U.S., also in 2007, U.S. retailer TJ Maxx announced a data breach that involved around 46 million personal credit details, which to date is believed to have cost in excess of $150m.
In the U.S., the average cost per record of a data breach is at least $20-$30, with the average total cost of a breach about $7m.
Organisations of all sizes are at risk, and as Dan Trueman, Active Underwriter, Enterprise Risk, Kiln Syndicate 510, points out, “Even organisations with an obsession about information or security have been seen to lose data – look at the recent example of the U.K. Ministry of Defence losing laptops [that carried sensitive information]. No-one is immune.”
Mr. Trueman said that these examples of companies or government departments that lose customers’ data, or have the information ‘compromised’, are certainly one of the main reasons why organisations are more aware of the issue.
PRIVATE LESSONS
But the Lloyd’s underwriter said that there are two other key forces at play. “One is a greater awareness of people’s common law right to have privacy of their data, and secondly, the legislative agenda increasing the responsibility of companies to make sure that data is kept private. In the U.S., in particular, they have an enormous number of data protection laws,” he explained.
That is the crucial difference between the U.S. and the rest of the world, according to Ben Beeson, Executive Director, Technology Risks Practice, at brokerage Lockton.
“In the U.S., if you have a data breach, and that information is not encrypted, the company has to tell the individuals by state law that the breach has happened. It has completely changed the landscape in the U.S. In Europe, such mandatory notification is not the case,” he said.
Mr. Beeson said that is why data breach is not such a big issue for European companies as it is for U.S. ones. He explains that the matter is at the board level in the U.S., whereas in Europe it still sits at the risk management compliance level, and often with very little knowledge about the possible consequences.
In a recent white paper from Lockton, entitled ‘UK Identity Theft: Urban Legend or Real Risk?’, the brokerage states: “There is now an increasingly real chance that we will soon follow the U.S. model whereby there is a legal duty to inform all your customers when a data leak occurs. E.U. member states like the U.K. are subject to European legislation on data security and privacy of information, and while these rules are not as stringent as they are in the U.S., they are set to get tougher.”
Mr. Beeson pointed out that the European Commission has already announced that it is to introduce mandatory notification for internet service providers and telecommunication companies.
“What we really want to see is a wider application to retailers, to the banks, hospitality and hotels,” he said. “That will probably come, but not for another two or three years. Until that happens, the financial consequences of a data breach will not be as stringent as in the U.S. Companies in Europe are not yet concerned about the financial consequences of a data breach.”
The brokers explained that if there was a requirement in Europe to tell people that their data has been breached, as in the U.S., there would be considerable financial consequences.
This would include the costs of notifying people, the costs of forensics and hiring an IT firm to find out how the breach occurred and how it can be prevented in future, and also the mitigation that a company would have to offer the customers affected, such as credit monitoring, which involves a third party company providing such services to customers.
In addition, regulators can set fines, and there is the threat of litigation, and there have been examples of class actions in the U.S.
“European companies need to be aware of the issue and start taking action now as there will be major financial consequences in two or three years’ time,” warned Mr. Beeson.
“They need to look at their internal controls, not just software and IT solutions, but also people. They need to train them up and ensure that they know how to handle information,” he added.
As the Lockton white paper points out, “Ultimately, managing the ‘people risk’ is every bit as important as managing the technology aspect. No system is more secure than the people you trust to operate it.”
Mr. Trueman at Kiln agrees. “There is no point having a policy unless the individuals involved in the process actually implement that policy. And, quite often that is the vulnerability. That is not necessarily just leaving the laptop on the train, it is also the fact that one’s internal staff can be the greatest threat. They have access to systems, the disgruntled employee destroying data, or deliberately breaching data,” he said.
The very fact that the people risk is so important means that insurance plays a vital role, Mr. Beeson explained. “Ultimately, you cannot guarantee that this risk is not going to happen – you can never stop the inside job, and then there is the outsourcing issue. And, that is where insurance comes in. It sits above one’s best efforts to mitigate the risk, and takes out the severity loss.”
The main insurance market is probably Lloyd’s, while the marketplace is almost exclusively the U.S. at the moment. This is because risk managers in mainland Europe currently do not see enough of a risk or exposure to warrant looking at buying insurance.
MORAL MAZE
Paul Bantick, Underwriter in the large risks technology, media and business services team at Beazley in London said: “The thing that most insurers are trying to get their heads around now is that you can offer the coverage internationally, but in the U.S. it is all hinged on the legal requirement to notify people in the event of a breach, or legally required to do forensics, and so insurers will pay for that. But, internationally, it would be voluntary as there are no current requirements, and so that could be going down a moral hazard type route because you could end up paying for breaches that wouldn’t be covered in the U.S.”
Interestingly, it is not just the insurance that organisations are interested in, but the service that goes with it. “The biggest reason that people are buying this product now is service,” said Mr. Bantick.
“Companies don’t know what to do in the event of a breach. How do we do forensics? Do we notify? How do we notify? What is the legal advice? How do we deal with this breach? How do we do credit monitoring? So what they are all looking for is effectively a response. People are looking for an insurer that will help them deal with these breaches,” he explained.
In other words, it is not simply that the insurer pays the costs; it also actively helps the insured to deal with the data breach by putting them in touch with specialists and paying for those services.
Mainland European companies may also soon be turning to specialist insurers such as those underwriters at Lloyd’s to provide them with true peace of mind in the event of a data breach.