NU Online News Service, May 1, 2:46 p.m. EDT

NEW YORK--Education and preparation are essential for insurers and other companies seeking to protect themselves against multimillion-dollar privacy and data breach risks, a panel of experts said.

Commenting yesterday during the April Association of Professional Insurance Women (APIW) Luncheon, panelists said insurance coverages for such risks are available, and the market is competitive, but companies need to understand their particular risks so they can make sense of the myriad coverages available.

Tracey Vispoli, global financial fidelity manager for the Chubb Group of Insurance Companies, noted that data breach events do happen, and having a disaster recovery plan in place and recognizing state and federal laws in the event of a breach are critical.

Outlining the problem facing companies, panel moderator Laurie Kamaiko, partner, Angell Palmer & Dodge LLP, said 285 million records were reported compromised in 2008. She added that the average cost of trying to address this is $100 to $300 per compromised record, and the average cost for companies facing a breach is $6 million.

Ms. Vispoli said privacy and data breaches can be committed by employees, third-party vendors, or hackers from afar.

Beth Diamond, claims manager for Beazley, said employee data breaches may be accidental--such as a lost laptop that contains sensitive data--or intentional--such as an employee downloading sensitive data onto a thumb drive and selling it to marketers.

She added that data may be stolen through malware that gathers information and e-mails it out to criminals for the purposes of identity theft and other forms of fraud.

While companies such as retailers and banks are typically thought of as holding personal information susceptible to theft, Kim Quarles, senior vice president, E&O and eRisk product team, Willis Executive Risks Practice, said other companies and institutions are also at risk.

She noted that something as simple as applying for college involves the university obtaining sensitive financial and health information. Ms. Quarles cited law firms, accounting firms, real estate companies and even insurance companies as other examples.

Regarding measures companies can take to protect themselves, Ms. Diamond said firms should collect the minimum amount of personal data needed. She said a Social Security Number, for example, is not essential information for job applicants.

She also said companies should be aware of where sensitive information is stored, and should minimize access to the information. Employees should not be allowed to download personal information to laptops, and companies should consider loaner laptops for traveling employees, Ms. Diamond added.

She also suggested promoting awareness among employees.

Ms. Diamond said that in the event of a data breach, a company should consider whether state and/or federal statutes were triggered. If so, the company may have to send out letters to victims. Additionally, the company needs to set up a call center and alert state and federal offices.

Increasingly, she added, state attorneys general want to be notified as well, and the company should prepare for a possible active investigation into the breach.

Aside from attorney general investigations, Ms. Diamond said plaintiffs' attorneys sometimes file class-action lawsuits after a breach.
