Because information is the currency of modern commerce, businesses today can't effectively operate without myriad technologies to collect, store and transmit data on an enterprisewide basis. The growth of these technologies, however, has changed the way businesses work and added another risk management concern--security risk.
While the Internet creates an important sales channel and helps increase productivity, it is a public domain. Criminals can target organizations of all sizes in search of personal or confidential information. Those involved in identity theft can quickly turn an illegal profit from pilfered Social Security or credit card account numbers.
Given today's fluid employment environment, organizations must also be mindful of internal threats arising from the acts of a disgruntled employee seeking either revenge--by damaging technology assets--or financial gain by committing computer fraud.
In addition, a directed attack on an enterprise that serves multiple customers--such as an Internet portal, information aggregator or financial transaction facility--can have an impact far greater than a directed attack upon a system servicing a single enterprise.
Historically, information security breaches have not been reported for fear of damage to the company's reputation, but times have changed. Along with monetary losses, companies may face legal penalties for nondisclosure of certain types of information under statutes and regulations enacted at federal and state levels.
For example, at the federal level, the 1996 Health Insurance Portability and Accountability Act and the 1999 Gramm-Leach-Bliley Act impose new information-security standards for health care providers, insurers and financial institutions holding personal information.
The 2002 Sarbanes-Oxley Act puts new disclosure burdens (many of which apply to data integrity) on directors and officers of public companies, and several data privacy laws are under consideration by Congress. In addition, at least 20 states have statutes that require consumer notification following a security breach.
For companies whose security proves inadequate, the consequences can be disastrous. Last July, credit card payment processing company CardSystems Solutions said it faced "imminent extinction" after data for 239,000 accounts was removed from its system. Details of 40 million cards were exposed to possible misuse. The breach led two major credit card companies to break off their business relationships with CardSystems.
Large companies with data-intensive operations are not the only ones at risk. Any organization can have security breaches, and they can be costly. Each year, the Federal Bureau of Investigation and the Computer Security Institute conduct a Computer Crime and Security Survey of data security professionals at various corporations, medical institutions, government agencies and educational organizations in the United States.
Last year's survey indicated a marked shift in computer crime toward theft of personal or confidential information. The survey's 700 respondents reported that the average financial cost of unauthorized access to information rose nearly sixfold last year to more than $300,000 from the prior year.
Expenses associated with this type of computer crime may include investigation costs, notifying customers of a potential security breach and addressing a system's vulnerability.
Unlike more traditional perils such as fire or wind, where established risk management standards and principles can be implemented to reduce exposure to loss, no widely available standards apply to information security. Each organization is left to establish its own risk-management procedures.
To date, this approach has produced mixed results, principally due to the complex and varied nature of computer and network technologies.
An effective information-security policy combines properly deployed technology and strong management measures. In addition, high-risk organizations especially, such as financial institutions and health care providers, must be aware of and comply with any applicable data-security statutes or regulations.
Organizations able to demonstrate effective data-security controls might be able to purchase additional levels of insurance protection beyond what is presently afforded by commercial crime, general liability and property insurance policies. Buyers should be mindful that many insurers uncomfortable with the exposure no longer provide coverage for data-security exposures in standard policies.
Some insurers offer custom-tailored protection for data-security exposures in one of two ways. The first is through lines of insurance such as directors and officers liability, errors and omissions, or professional liability, which provide insurance platforms that may effectively address this exposure.
This approach is well suited for most companies, because data protection is a core business activity, similar to financial accounting and human-resources management, and coverage is contemplated in many of these liability products. Be aware, however, that insurers may exclude data-security exposures from these products, as well.
The other approach is to offer separate protection for the whole spectrum of data-security risks under a "cyber" or data-protection insurance policy. Typically, these policies are purchased by organizations with a high level of risk and may require independent security assessments as part of the underwriting process.
Even the most stringent security measures can't prevent all losses. Smart companies manage their exposures and ensure they have adequate insurance to protect against a breach of information security. In today's world, a company can't afford not to protect itself from the loss of the information it needs to stay in business.
© 2024 ALM Global, LLC, All Rights Reserved.