2. Under lock and key: risk transfer solutions to limit liability for security and privacy data breaches
Risks to data security

Businesses are under increasing pressure to put data online in order to serve clients. This has resulted in a worldwide technology and communications infrastructure that is vulnerable to both internal and external risks.

With that in mind, companies should take a detailed look at their data security risk management practices and strategies as they pertain to sensitive, confidential or proprietary personally identifiable information from customers, business partners, prospects or employees in the following areas:

• collection
• aggregation
• processing
• use
• transfer
• storage
• distribution
• destruction

It is safe to say that most companies engage in some or all of these activities, and thus are at risk for liability stemming from data security and privacy breaches.

Lawsuits and third-party liability

It should come as no surprise that most of the litigious activity involving data security breaches is initiated out of the United States; however, Canadians are catching on quickly. Class action lawsuits were brought against Winners and HomeSense in almost every Canadian province for damages arising out of the TJX security breach. The costs in connection with the potential liability to third parties for privacy and data breaches due to corporate negligence are a growing concern.

First-party losses

Even if a security breach does not result in a lawsuit or regulatory investigation, the first-party costs associated with internal investigations, public and investor damage control, discounted services and lost employee productivity can be crippling. Ponemon Institute research indicates that the cost of a data breach is now over $200 per compromised customer record.

Preparing for increased regulation and enforcement

It is clear that the public is pushing for greater liability for those responsible for security and privacy breaches. As a result, entities that deal with personal, identifiable information should prepare themselves for the prospect of increased regulation and enforcement by government, as well as enforcement through private sector lawsuits.

It is very important for these entities to review and audit their existing insurance policies to determine what, if any, coverage they have for first- and third-party claims arising out of security and privacy breaches.

Risk transfer solutions

Commercial general liability policies may appear to provide some coverage for third-party losses; however, U.S. courts have recently ruled that data is not considered tangible property under certain CGL policies and, as a result, have excluded coverage.

Professional liability policies may cover a number of security and privacy breach exposures faced by insureds while rendering professional services to their clients/customers, but may not respond to claims for breaches that arise outside of that arena.

Fidelity, employment-related practices, data processing, computer fraud, advertising and kidnap and ransom policies are generally not intended to cover privacy and data breaches, and there are significant coverage gaps in each.

Privacy and data loss liability coverage

A number of insurance carriers have developed specific privacy and data loss liability coverage products that provide coverage for businesses when data in their care and control is compromised.

For the fullest coverage, it is important to determine whether these policies will respond to claims from employees, customers and corporate clients, as well as from the insured itself for damages, defense costs, administrative expenses, notification costs, crisis expenses and credit monitoring expenses.

Conclusion

In determining the most appropriate risk transfer solutions for companies seeking to limit their liability for security and privacy data breaches, it is highly recommended that advice be procured from an experienced insurance professional. Only then can a decision be made as to whether an alteration and/or endorsement to an existing insurance product, or the placement of a specialized stand-alone policy, is most appropriate from a coverage and cost perspective.

Brian Rosenbaum LL.B
Aon Financial Services Group
Director, Legal and Research Practice

This publication contains general information only and is intended to provide an overview of legal, liability and insurance issues. The information is not intended to constitute legal or other professional advice.