While risk management must be the first line of defence in any data protection strategy, Jeremy Smith urges companies to bolster that defence with robust insurance coverage
The recent spate of data theft and loss incidents has brought into sharp relief the issues surrounding the security of sensitive and personal information stored electronically.
Government bodies, high street retailers, webhosting companies, banks and building societies are only some of the organisations hit by information breaches in the last 12 months, either through malicious attack or simple human error. With such incidents forecast to increase, network security hasnow risen to the top of the corporate agenda.
Making the headlines
‘The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying,’ stated Richard Thomas, UK Information Commissioner, in the Information Commissioner’s Office Annual Report 2006/2007. This was released some four months before the loss of two disks by the HM Revenue and Customs Office in the UK, which contained the personal details of some 25m child benefit claimants.
The HRMC information breach exposed serious flaws in the procedures relating to the encryption and movement of sensitive data within the organisation.Since the incident, new acting chairman
Dave Hartnett has confirmed that the office has experienced seven significant security breaches resulting in the loss of personal data over the last two and a half years. He admitted they were due to ‘systemic failure’.
Another major security breach was also seen in November, when UK-based web-hosting firm Fasthosts announced that it had experienced an intrusion into one of its main servers containing client information, including bank details, e-mails and passwords. Fasthosts has since been forced to implement automatic password changes after it discovered that some clients had experienced ‘a compromise of their FTP space’.
These two incidents are, however, dwarfed by the scale of the data loss experienced by discount retail firm TJX Companies. In a computer intrusion between July 2005 and January 2007, hackers were able to steal information relating to some 45.7m payment cards. So extensive was the intrusion that only one of the organisation’s many retail outlets was not affected.
Attempting to gauge the overall scale of the problem is difficult, as many countries do not have regulatory requirements for the notification of data breaches. But recent studies into information security provide clear evidence that it is a major risk. In the UK, the Department of Trade and Industry’s ‘Information security breaches survey 2006’ revealed that some 62% of businesses in the UK had experienced a security incident during the previous twelve months, with this figure rising to 87% for large businesses.
In the US, figures from the FBI Computer Crime Survey 2005 show that almost nine out of ten organisations had experienced computer securityincidents during the previous twelve months.
The effectiveness of regulation
In response to the increased storage of sensitive data and the risks this poses, regulatory bodies have implemented a range of data protection legislation.
In the US, the Gramm-Leach-Bliley Act of 1999 imposes an extensive framework of security and privacy requirements on financial institutions and provides limits to the disclosure of personal information.
In Europe, the EC Data Protection Directive provides for the protection of individuals during the processing and movement of personal data.
Legislation also exists at a member state level, including Statutory Law 15/1999 on the Protection of Personal Character Data in Spain, and the UK’s Data Protection Act 1998.
The Data Protection Act includes eight principles, based on the EC Directive, which govern how personal or sensitive data can be obtained, processed, held and used. Of most relevance, given the recent spate of data theft incidents is principle 7, which requires data controllers to implement adequate provisions to ensure the data is secure from illegal access or loss due to human error or accident.
However, despite these regulatory strictures, there have been increasing calls for greater levels of protection and much stiffer penalties for those companies found in breach of security requirements.
The UK government is facing concerted pressure to strengthen its legislative response to information breaches. Richard Thomas recently called for extra powers to conduct spot checks on companies which process personal information, to improve compliance with the Data Protection Act.
Furthermore, he urged that the law be changed so that major information breaches are made a criminal offence, a move which he said, ‘would serve as a strong signal that it is completely unacceptable to be cavalier with people’s personal information’.
The first line of defence
In the current climate, it therefore not surprising that, according to the 10th Annual Ernst & Young Global Information Security Survey, organisations rank compliance with regulations, and privacy and data protection as the top two drivers for information security. Some 58% placed data privacy in their top three, up from 41% in 2006, with 73% of CEOs giving data protection a high level of importance. Information security has, for many organisations, become a key component of their overall risk profile.
82% of the Ernst & Young respondents claimed they had either fully or partially integrated information security with their risk management operations.
According to the DTI, the average company in the UK now spends 4%-5% of its IT budget on information security, while the number of businesses which have a formal security policy in place has risen threefold in the last six years. Risk assessments have become increasingly stringent, reflecting an improved understanding of the threats, both from external and internal attacks, and from human error, and often now extend down the supply chain.
Advances in technology have led to vastly improved privacy enhancing technologies (PETs), while ever more effective firewalls and anti virus softwareserve as sturdy defences against malicious attacks.
Yet no matter how stringent the line of defence it can still be breached. Whether as a result of a sophisticated hacking mechanism, failing to include new technologies in security protocols, or the simple inability of an organisation to accurately factor in human fallibility, all information security procedures have weak points. It is therefore imperative that companies implement a final line of defence: a robust, effective insurance policy.
Covering the costs
“Many countries do not have regulatory requirements for the notification of data breaches
The value of comprehensive insurance coverage is apparent when considering the potential financial implications of an information breach. From a regulatory standpoint, companies can be exposed to hefty fines. In February, the UK’s Financial Services Authority imposed a £980,000 fine on Nationwide Building Society, following the loss of a laptop containing customer information – a figure which included a 30% discount as the organisation agreed to an early settlement.
A company may also be forced to temporarily suspend trading until effective security measures have been implemented to prevent a recurrence.
A company is also financially exposed from a number of other angles. The potential legal costs incurred from having to defend a class action launched by those affected by the data loss can be astronomical. In the case of TXJ Companies, on 29 November it announced in an 8K filing that it had entered a settlement agreement with Visa and Fifth Third Bank to resolve potential claims from the data theft, in which it stated that it would fund up to a maximum of $40.9m in pre-tax in alternative recovery payments. At the time of writing it was still uncertain whether this would be accepted.
Furthermore, an organisation may be required to pay expenses relating to credit monitoring for fraudulent withdrawals or instances of identity theft. In the UK, for example, such costs are normally in the region of £50 per person per year. Since some monitoring periods can extend up to 20 years, this can place a serious strain on an organisation.
If fraudulent withdrawals are discovered, the bank involved can claim the money lost back from the company. The bank may also look to pass on the costs of changing the account details of affected customers. Add to this the costs of notifying clients of the incident, setting up facilities to handle customer enquiries, and conducting an extensive investigation to find the source of the breach, and it is clear that the financial impact of a failure in a company’s network security can be devastating.
In response to the growing number of information security breaches and instances of data theft, the insurance industry has developed stand-alone privacy and network security policies.
Given the diverse nature of privacy and security-related threats, and the scope of potential exposures, a traditional insurancepolicy cannot effectively mitigate the risks.
According to the DTI study, there is a growing awareness among UK businesses of the inability of a standard property and casualty policy to provide any real protection should an information security incident occur. Only those respondents with a specialist cyber risk related policy felt confident that their coverage would meet the demands of such an incident, with 46% believing their policy provided them with full coverage. However the survey also revealed that a quarter of respondents had no real understanding of the extent of their coverage.
It is perhaps unsurprising that some insurance buyers have failed to keep pace with the new coverage options available on the market, but given the ever increasing risk which information security poses, it is imperative that they get up to speed.
A comprehensive policy should provide cover fora broad range of potential expenses, including:
¦?Forensic experts/crisis management specialists
¦?Additional call centre capacity
¦?Ongoing third party credit monitoring and claims for identity fraud from those who have had their identity stolen
¦?Litigation expenses and damages: from customers and banks (lost funds and card replacement)
¦?Regulatory defence and settlement.
To achieve this, an organisation must ensure their policy incorporates a number of key clauses: Third party privacy liability: Sums the insured is legally obliged to pay as damages and claims expenses as a result of a privacy breach or breach ofprivacy regulations
Privacy regulatory defence and penalties: Defence of a regulatory action or complaint, including indemnification for a penalty or sanction imposed by a regulatory body as a direct result of a privacy breach or breach of privacy regulations
Credit monitoring, crisis management and customer notification expenses: This includes cover for credit monitoring, public relations services to protect brand/image related to a claim, penalty or sanction covered under the other insuring clauses; and notification expenses
Security liability: Sums the insured is legally obliged to pay as damages and claims expenses arising out of computer attacks caused by failures of security including theft of client information, identity theft, negligent transmission of computer viruses and denial of service liability.
The last line
‘We have extensive security procedures in place,’ said Nationwide chief executive Philip Williamson following the theft of the laptop, ‘but in this isolated incident our systems of control were found wanting.’
Whether as a result of an isolated incident or a systemic failure the chances are that your data defences can and will be breached. It is therefore imperative that all companies ensure that a comprehensive and robust insurance policy forms one of the mainstays of their defensive arsenal.
Jeremy Smith is head of cyber and IT risks at Jardine Lloyd Thompson Limited, E-mail: Jeremy_Smith@jltgroup.com