From: Insurance Market Source, Winter 2019, Vol. 29
On August 1, TechCrunch reported that online retailer StockX did not reveal that it had suffered a data breach in May that exposed 6.8 million user records. Within days of discovering the breach, StockX emailed users and instructed them to change their passwords following what the company referred to as system updates on its platform, but did not mention a breach or security concern.
In addition to managing the fallout from the breach, StockX now finds itself embroiled in a controversy over whether it acted appropriately in response to the breach. The company has posted details on its website about the timeline surrounding the breach and offered reassurances to its customers as well as 12 months of free fraud and identity theft protection.
The StockX breach comes in the midst of a steady stream of headline-grabbing data breaches at prominent companies like Cafe Press, Asurion, Pearson, Poshmark and many more.
On July 29, Capital One announced it had experienced one of the biggest hacks in history, exposing more than 100 million customer accounts and credit applications.
The data stolen from Capital One included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and other sensitive financial and personal information.
All of this has prompted widespread discussion about companies' responsibility and capacity to safeguard individuals' private data, or what cyber security experts call personally identifiable information (PII). Concerns have been raised not only about individual consumers' privacy, but about the threats to businesses, especially those whose operations depend on third-party vendors handling proprietary and sensitive data.
Even companies that build safeguards and security measures into their daily operations are not immune to data breaches, noted Derek Kilmer, Manager, Professional Liability, Burns & Wilcox, Detroit/Farmington Hills, Michigan. "You can lessen your exposure, but odds are someone is going to find a way around them. It is only a matter of time. Vulnerabilities in cyber security are no longer just a concern, but a widespread epidemic."
The hefty burden of a data breach
After a business owner has what Neil Gurnhill, CEO, Node International, London, England, describes as "that heart-stopping, cold sweat moment of being made aware that something is not right," the hard costs of a data breach can add up quickly.
In the wake of a breach, a company must enlist the services of a forensic expert to analyze its systems and determine the source and scope of the attack. If weak spots in its system are identified, a company must shoulder the costs of implementing new security systems, protocols, software and the like to address them.
A company hit with ransomware or other malware may face a demand for thousands of dollars from an attacker who has taken its systems hostage. Once a breach and the compromised data have been identified, the company must make the required regulatory notifications and inform affected parties.
Data breaches can also result in losses from business interruption or legal costs to defend or settle lawsuits. Repairing the reputational damage that results from a data breach is harder to quantify, but the costs can include losses from discounts offered to assuage disgruntled clients, closed accounts, lost business or reputation management services.
On top of all of these expenses are fines incurred when a company's breach, or its response to it, violates the rules set by regulators. Businesses may also have to pay penalties, or bear the costs of coming into compliance, under regulations such as the European Union's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
"New regulations are changing how companies are able to collect personal data and what they need to do with that data," said Karl Olson, Vice President, Professional and Management Liability Practice Leader, Burns & Wilcox Brokerage, San Francisco, California. "They incur another layer of liability as well as costs to implement new standards."
Mitigating the fallout
Some casualty or property insurance providers offer cyber coverage as part of a package policy, Olson explained, but that coverage is often thin and, measured against the insured's true cyber exposure, can do more harm than good. "Standalone Cyber and Privacy Liability Insurance policy programs can provide much broader coverage for more exposures, provide better limits and claim resources," he said.
"Cyber and Privacy Liability Insurance is a response-based product," explained Gurnhill. Policyholders not only get coverage for damages suffered; they also receive immediate assistance from a panel of cyber security and privacy law experts.
"We respond very quickly, to stop the event from becoming worse, give the insured a clear picture of where they are, and get them back up and running quickly in a safe and secure manner. All that goes hand in hand with helping to manage the breach with the least amount of impact on their business as possible."
Because of the evolving and complex legal and financial issues surrounding a data breach, enlisting the help of experts is strongly recommended, especially as part of a larger program to mitigate losses and repair damages when a breach occurs. "The monetary impact of a large breach could take you out of business," said Kilmer.
"All bets are off when it comes to the layering (of application interfaces) and ways that breaches (can) occur," said Gurnhill. "There are so many fail points, and like lava, they are constantly shifting. It is a very challenging landscape for any business owner or organization to truly get their hands around."
"There is no way that you can truly eliminate the risk (of a data breach); there are so many potential things that can happen that are outside of your control," Gurnhill advised. "Never has there been a more crucial time for businesses to consider investing in Cyber and Privacy Liability Insurance."