
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: Lloyds

Posted on June 16, 2008

      Privacy risks and security breaches have become a major liability for 21st century businesses. More companies are collecting personal data than ever before and are increasingly reliant on digital assets. A security breach could raze a company's reputation in a matter of hours and bring it to its knees. Lloyd's 360 risk project investigates the risks, the role for insurance and offers some 'top tips' from Lloyd's experts on how businesses can manage these emerging threats.

      An employee from credit control loses a USB storage device and the next thing you know your company's gone bust and you're packing up your desk. Sounds extreme, but the costs and reputational damage for a business that compromises private customer details could send it into liquidation.

      In the last few years there have been a number of high profile cases of millions of people's personal details being compromised by government agencies, data brokers, retailers, educational institutions, financial institutions, health care entities and internet businesses.

      In fact, these incidents are now becoming all too common. Since 2005, 227 million data records of US residents have been exposed due to security breaches, according to the Privacy Rights Clearinghouse, and the actual number is likely to be a lot higher given that in some cases the number of records exposed is unknown. Numerous incidents have hit the headlines in the last few years, but experts in the Lloyd's market agree the case of TJ Maxx was a turning point.

      In January 2007, US retailer TJ Maxx revealed that it had experienced an 'unauthorised intrusion' into its computer systems and it later emerged that 46.2 million credit details may have been compromised. Credit card, debit card, check and merchandise return transactions, drivers' licence numbers, names, and addresses were all exposed in incidents dating back to 2003.

      Meanwhile, back in the UK, businesses and government agencies have had their share of data difficulties. Nationwide Building Society, the UK's largest building society, was fined £980,000 last year by the Financial Services Authority for failing to manage its information securely and report the loss in a timely manner after a laptop was stolen from an employee's home. HM Revenue and Customs lost computer discs containing 25 million records of child benefit claimants, including the bank account details of over seven million people. Then in January of this year, Marks and Spencer was found to be in breach of data protection rules after an unencrypted laptop was stolen with the personal details of 26,000 employees.

      "People are increasingly concerned about data security and it was TJ Maxx that set it all off," Simon Milner, Partner at Lloyd's broker JLT, said.

      Paul Bantick, underwriter in the Large Risks Technology, Media and Business Services team at Beazley, said: "A year ago I spent 20% of my time on security or privacy coverage, now I spend 80% of my time on it."

      According to Bantick, a surge in demand for cyber coverage - primarily from the US - is being driven by heightened awareness of the risks following the high-profile incidents and by concerns about the costs associated with reputational damage. Stringent federal privacy laws in the US are also a major factor, as are the breach notification laws introduced in 39 states over the last few years. The notification laws require companies to tell customers if sensitive personal information has been compromised, regardless of whether the details have been used fraudulently.

      There are no such laws in the UK at this stage, which may be why UK companies tend not to buy the coverage unless they are an international financial or retail institution or have international clients who demand it. However, UK companies cannot escape the costs of reputational damage in the event of a breach, as well as the potential legal liabilities.

      Data breaches involving sensitive personal information could result in identity theft and other financial crimes such as credit card, benefits and mortgage fraud. Companies could be on the hook to pay damages and claims expenses, or could face a penalty or sanction by a federal, state or regulatory body. To date, there have not been any class action lawsuits, and in many of the incidents that occur no damage is done to the individuals whose records have been stolen.

      However, Aon recently warned that cyber risks could be the next big trigger for lawsuits against directors, stating that "directors could be held responsible for loss to companies and their shareholders if they failed in their duty of care by not taking preventative measures against risks such as phishing, improper data manipulation or data loss".

      Underwriters say that the biggest costs have been for businesses having to comply with US laws, as well as the reputational damage to their brands. According to Bantick: "Claims issues are very much the big cost right now. There have been no big indemnity payments."

      This involves spending money on notifying affected customers, costing from $10 - $60 per head, depending on how much information the company already has to contact the customer with. Other costs include hiring forensic experts, crisis and PR management, credit monitoring and legal costs.

      While cyber crime is on the rise, the issue also stems from an increase in the number of digital assets that companies are now relying on. Hackers and rogue employees are two of the main risks, but many incidents are caused by a loss of unencrypted mobile storage devices including laptops, discs/CDs and USBs.

      According to Marcus Alldrick, Senior Manager for Information Protection and Continuity at Lloyd's: "Companies need to encrypt all mobile storage devices holding sensitive or confidential information, particularly of a personal nature, in case they are lost or stolen. Many are not and it's fairly simple and inexpensive to do."

      For Lloyd's cyber underwriters, business is booming. US companies in just about every sector, from banking to financial exchanges, e-traders and law firms, are looking for coverage. Third party liability coverage is offered by a number of syndicates at Lloyd's in various forms, sometimes coupled with first party coverage.

      An insured could get a policy from Lloyd's with a $20m limit with coverage for the notification costs, legal, PR and forensic costs. Beazley's Information Security and Privacy Insurance offers cover for unauthorised access, theft or destruction of data as well as coverage for theft of personally identifiable non-public information and the liabilities arising from failure to comply with state breach-notice laws. Other Lloyd's syndicates involved in third party cyber cover include Hiscox, Brit and Ace.

      Meanwhile, Lloyd's underwriters report that clients are trying to push the boundaries on coverage by asking for higher and higher limits to cover their notification costs. Additionally, Lloyd's underwriters are increasingly adding security and privacy covers on to standard E&O policies for everyone from lawyers to architects to engineers. "It's becoming a standard add-on," Bantick said.

      While insurance is a major way to hedge against these growing risks, effective risk management is at the heart of a sound business strategy to combat these threats.

      According to Alldrick: "Sound incident management is key."

      Lloyd's top tips for businesses on how to manage cyber risks:

• Have a formal process in place to update software, firewalls and anti-virus programmes regularly and promptly.

• Safeguard mobile devices that hold sensitive personal data. Encryption is a key tool to do this.

• Safeguard personal information within the workplace, segregating pay information and personal details on a separate part of the network and restricting access to staff on a "least privilege" need to know basis.

• Develop a firm set of operational and procedural guidelines to support security policies and standards that must be followed to maintain security.

• Implement regular staff training on security procedures and employ rigorous staff vetting when hiring.

• Make sure you have a crisis management plan in place which has been rehearsed and can be executed as soon as you detect a potential security breach.

• The first 24 hours of a security breach are critical: implement the crisis plan immediately. Time is of the essence, particularly if regulatory reporting is required.

• Having insurance in place is a big bonus for companies involved in a security breach. In addition to covering many of the major costs, insurers have many of the resources to advise a company on what they need to do, as well as expert contacts to handle the situation expediently.


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
