A Blog on managing risk in the Technology Sector

Managing Risk in the Tech Sector


The Cost of a Data Breach – $3.94 or $194 per record? Unpicking the numbers.

Data breaches and identity theft are a common news story nowadays.

Although it’s usually the higher-profile cases such as Sony, LinkedIn, Wyndham Hotels and Zappos that you tend to read about, small and medium-sized companies are frequently the victims of malicious or criminal attacks leading to data theft, or inadvertently breach customer or third-party data through negligence of their employees or ‘glitches’ in their IT systems.

According to the Identity Theft Resource Center, 23 million confidential records were exposed in 2011. 2011 also saw the expansion of what courts consider to be personally identifiable information (PII). After breaches at the marketing firms Epsilon and Silverpop, email addresses are arguably now considered PII. The broadening of this definition places further burdens on companies to ensure they comply with the notification requirements enshrined in both state and federal law following a breach involving personal information.

Data breaches and cyber crime can cost organizations millions in fines, legal damages, notification costs, public relations expenses and loss of profits. In a recently released report by NetDiligence, the average cost per breach was $3.7m and the average cost per record was $3.94. This data was derived from 137 insurable events that occurred between 2009 and 2011. As the report correctly points out, the sample is a small subset of the total data and only covers those costs which the insurance carriers incurred.

Another authoritative report is the annual benchmark study carried out by the Ponemon Institute. In 2011’s study, the cost of a data breach was reported at $194 per record and $5.5m per breach.

So which number is correct?

The Ponemon report studies 49 U.S. companies in 14 different industries and examines a wider range of business costs following a data breach, including expense outlays for detection, escalation and notification, the impact of lost business, and the cost of increased customer turnover or churn. As the NetDiligence report also points out, we shouldn’t get too hung up on the cost per record. Although notification costs will correlate with the number of records, the legal and forensic costs are more likely to correlate with the complexity of the breach and the specific requirements of the industry.

As one study focuses on insurable costs and the other on total business costs, we can draw a number of conclusions from the studies:

(1) Not all your exposure is insurable – it’s important that your broker or risk manager is able to clearly articulate what coverage is being offered. Cyber insurance is constantly changing and responding to emerging risks and new legislation. As there is no standardized form in the marketplace, as a buyer you must be fully informed of the coverage and exclusions being offered. Don’t stick your head in the sand and wait for a claim to come in!

(2) Only 10% of the NetDiligence study sample includes first-party claims, that is, first-party expenses (excluding notification costs and other ‘crisis’ services) and loss of profits following a data breach. The variance between the two studies would suggest that first-party losses make up the bulk of an organization’s exposure.

(3) As the Ponemon study notes, companies are becoming better at employing data loss prevention strategies and response plans. Those companies that are better prepared benefit from reduced losses when a data breach occurs. The leading insurance carriers will offer support in implementing such strategies and plans as part of their overall service; indeed, cover will often be contingent on implementing such controls. The variance in costs may also indicate that the insurance carriers are underwriting the better-quality risks.

The overall variance between the two studies shows that risk transfer through insurance is not a panacea but only one of several strategies companies should employ to reduce their exposure to data breaches. Those companies working in the financial services, healthcare, retail and technology sectors continue to have a significant exposure.


How neglecting to read your E&O insurance could leave your Tech company with a large legal bill

There are over 20 carriers offering E&O insurance for technology companies, to protect them from the potential devastation of a lawsuit. However, the quality of coverage they provide varies considerably.

Throughout the insurance world, E&O policies typically provide coverage for occurrences involving professional negligence; essentially, these policies are a type of malpractice insurance for companies providing professional services. The coverage has generally protected an insured’s liability in tort, not in contract.

Technology companies blur a traditional divide between those firms providing a product and those providing a professional service. For example, commentators have debated whether software or other technology products are a “service” or a “product”. In reality, many technology companies’ activities will include both the development and sale of a good (e.g. software) and the provision of a service (e.g. installation, calibration, design, consultancy).

The distinction between whether the insured is providing a service or a product is an important one. In the U.S., ‘pure financial losses’ (i.e. losses to a third party without personal injury or property damage) caused by a defective product will not be recoverable in tort, while pure financial losses due to negligent provision of services are normally actionable as a tort.

Many (but certainly not all) carriers will limit claims alleging a breach of contract against an insured, either through a blanket exclusion in their policy or by excluding any claims arising from contractual obligations which go beyond the duty to exercise a degree of care or skill consistent with industry standards.

The third party in Technology E&O claims is almost always the insured’s customer, and as such these claims generally arise out of a contractual relationship. Oftentimes, due to the nature of a technology company, it is difficult to distinguish between negligence in the provision of services and a defective product giving rise to a breach of contract claim.

As a result, while the claim or suit may also include non-contract claims such as negligent misrepresentation or fraud (often asserted in an attempt to avoid liability or damages limitations in the contract), the heart of an E&O claim is almost always the breach of contract. This leaves a considerable ‘grey’ area for those carriers whose policies restrict breach of contract claims. For those who exclude breach of contract claims altogether, the insured and insurer will be left with the task of distinguishing between what part of the claim relates to the insured’s liability in tort and what part relates to a breach of contract. The latter would not be covered by insurance.

According to Karen I. Johnson, Complex Claims Manager for Travelers Insurance, “In almost all [technology and manufacturing] E&O claims/suits, there would be no basis for holding either party liable to the other absent of the existence of the contractual relationship. For this reason, purchasers of E&O coverage should carefully consider how the various coverage offerings treat breach of contract claims.”

For technology companies looking for clarity about what protection they are buying, reviewing your policy exclusions with your broker is a must. Contractual liability is just one of several exclusions which can greatly restrict coverage under an E&O policy.