By Matt Hines
December 15, 2006
The list of data breaches involving sensitive personal information
maintained by the Privacy Rights Clearinghouse achieved a significant
milestone Dec. 13, as the nonprofit group saw the total number of
records exposed in such events crest the 100 million mark.
Since the PRC first began tracking data losses in February 2005, when
consumer data aggregator ChoicePoint reported that fraudsters had gained
access to 163,000 consumer records, most states have passed legislation
forcing companies to inform individuals when their information may have
been lost. The laws also essentially compel companies to admit their
Threatened by financial losses related to data leakage events, which now
include potential payouts to consumers and regulators as well as
revenues lost because of damage done to their corporate reputations,
enterprises are turning to their insurance brokers seeking new levels of
"The impact of those breach notification laws is just starting to
permeate through business because of all the press given to the events
and the growing expectation for companies not only to notify customers
but also [to] pay for services such as credit monitoring," said Nancy
Callahan, vice president of the Identity Theft and Fraud Division of
insurance giant American International Group, in New York.
"The costs for informing and supporting affected consumers can be
expensive, and there's also the additional cost of regulatory
investigations and civil lawsuits."
As a result of the widening impact of data losses, AIG has seen its
business of providing insurance for potential corporate security
failures shift increasingly toward protection for privacy-related risks.
Another growing driver for new forms of insurance is the many government
data compliance regulations that threaten stiff penalties for companies
that cannot effectively defend their information, such as the
Sarbanes-Oxley Act, according to Callahan.
The parameters of these newly crafted insurance policies are determined
by the size of the company, the volume of data it handles and the level
of protection it has established to protect IT infrastructure.
At an Information Technology Association of America conference in
Virginia in November, U.S. Rep. Tom Davis, R-Va., told security experts
that he believes private companies and government agencies are failing
to report all their data losses, partly out of fear of the financial
As an example of the potential fallout of a serious breach, researchers
point to the Department of Veterans Affairs' laptop theft incident in
May, through which the agency exposed the records of an estimated 28.6
million former servicemen and servicewomen.
If the class action lawsuit currently pending against the agency in
Washington, which seeks damages of $1,000 for every person listed in the
missing files, were to win a settlement for every veteran affected by the
information breach, the government would be on the hook for $28.6
More recently, on Dec. 12, the University of California, Los Angeles
reported that a database loaded with the personal information of current
and former students, faculty and staff was hacked by outsiders. The
massive breach is the type of event that will push more states to put
strict data protection laws on the books.
"In the next two years, all 50 states will have similar laws in place
patterned after California's 1386 law," said Robert Scott, attorney with
Dallas-based Scott & Scott, which specializes in IT compliance law. "As
a result, there are a lot of companies doing assessment of insurance
coverage right now. Many don't even know what their existing coverage
for these events may be or what's available."
Researchers say the majority of identity fraud is still carried out by
traditional means, such as dumpster diving and credit card schemes, but
indicate that the perceived risk of ID theft via the loss of electronic
records will likely continue to present businesses with new financial
However, the proliferation of state data-handling laws and compliance
regulations should actually make it easier for enterprises and their
insurers to prepare for potential mishaps, said Larry Ponemon, chairman
of Ponemon Institute, in Elk Rapids, Mich.
Information losses cost U.S. companies an average of $182 per
compromised record in 2006, compared with an average loss of $138 per
record in 2005, an increase of about 31 percent, according to a report
published by the Ponemon Institute in October.
"I'm not surprised at all that the insurance industry is starting to
take advantage of this, only that it's taken this long for the market to
develop," Ponemon said.
"But without the automatic penalties created by the laws, it was hard
for them to underwrite the risk. Business executives are troubled by the
idea of how you define the risk of a catastrophic system blowup or
breach involving millions of customers, so insurance companies are
seeing the potential for a fairly serious market for policies that help
mitigate these risks."