With high-profile cases such as ChoicePoint and TJX acting as a lure, plaintiffs' attorneys are increasingly interested in generating class-action lawsuits for data security breaches. Coverage for data breaches is more popular than ever, but is still evolving.

In a panel discussion at the recent PLUS International Conference in Chicago, five experts discussed the exposure environment for data and the best ways businesses can protect themselves against a loss.

Data breach insurance, popular with businesses, will change in response to frequency of loss, federal legislation, attention from the plaintiffs' bar and market competition, according to Bradley S. Gow, senior vice president at Zurich North America, based in Schaumburg, Ill.

He added, however, that five years of pricing in a soft market has resulted in policy rates that are "probably light."

"While carriers are hoping losses won't occur, there has been frequency in some industries," Mr. Gow noted. "Based on the potential of risk, we're probably whistling past the graveyard."

Today's data breach insurance coverage goes beyond basic coverage to provide the "bells and whistles" most businesses expect, added Patrick Donnelley, managing director of Professional Risk Solutions, a division of Aon.

In early policies, a breach response fund of $25,000 to $50,000 was built into most insurance policies to help minimize liability. Because of competition and evolution of the line of business, today's funds have gone into the $1 million to $10 million range, he said.

Other variations include policies with time rather than dollar deductibles, as well as business interruption coverage.

ANATOMY OF A BREACH

Two of the biggest and most notorious data breach cases involve credit scoring bureau ChoicePoint Inc. and TJX Companies Inc., owner of discount retailers Marshalls and T.J. Maxx.

The ChoicePoint breach occurred in 2005, when swindlers stole the personal financial records of more than 163,000 consumers by setting up fake business requests. In the subsequent lawsuit, ChoicePoint ended up paying $10 million in civil penalties and $5 million in consumer damages.

In the TJX case, hackers stole 45.7 million credit and debit card numbers in 2005 and 2006, resulting in a class-action lawsuit and a $200 million settlement with consumers and TJX's bank--Fifth Third Bancorp.

According to published reports, TJX has spent more than $20 million investigating the breach, notifying customers and hiring lawyers to handle dozens of lawsuits from customers and financial institutions.

THE EXPOSURE ENVIRONMENT

Although data breach lawsuits can be attractive to plaintiffs' attorneys, lawyers know they must have their ducks in a row before seeking a class-action certification, according to attorney Sherrie Savett, shareholder and chair of the securities litigation department at Berger & Montague in Philadelphia.

At the very least, the breach should affect millions of users, result in an actual misuse of data, and involve sensitive information such as Social Security numbers or credit card numbers and expiration dates, she noted.

Successful cases also result in statutory damages, she added.

Under the Fair Credit Reporting Act, companies determined to have been reckless in storing their customers' data--including medical information--could be liable for between $100 and $1,000 per victim in a case settlement.

Potential defendants include not only credit scoring bureaus but banks, lending firms and other financial institutions. Damage is the big issue and the exposure to a company can be huge, Ms. Savett warned.

In a recent class-action case involving credit card numbers stolen from Hannaford Brothers Company--an East Coast supermarket chain--the courts are determining whether the time and money a consumer spends to restore their credit is compensable damage. The trend in the courts now is to consider data as real property, not just information, she noted.

For defendants, the lawsuit is only half the story, explained Theodore Kobus II, chair of the technology, media and intellectual property practice group at Marshall, Dennehey, Warner, Coleman & Goggin in Philadelphia. State attorneys general are tracking data breaches and requiring they be reported to them, he noted.

Mellon Bank, Countryside and others have been fined by state AGs after audits, and state departments of insurance and others can audit if a breach is reported, he said.

Nevada and Massachusetts have especially stringent rules on responsibility to breach. On the federal level, H.R. 2221--the Data Accountability and Trust Act--would require "reasonable security policies and procedures to protect computerized data containing personal information," as well as nationwide notice in the event of a security breach, according to Mr. Kobus.

RESPONSE PREPAREDNESS

The good news arising from high-profile cases such as ChoicePoint and TJX is that businesses are taking a more cautious approach to data breach risk management, Mr. Gow observed. Banks are now making retailers responsible for breaches, and specifically putting this responsibility into their contracts with retailers.

Because the expenses of a breach can be mitigated by prevention, and time is critical in reacting to a breach, a written response plan is essential, advised Kendall Walsh, director of Direct Group, a direct marketing firm based in Pennington, N.J.

This should include written documentation approved by management, and a list of team members who will respond if a data breach occurs, he said.

This includes legal representation, marketing representatives for brand protection, information technology experts and outside vendors knowledgeable in state and federal privacy laws to handle forensics and customer notification, he added.

Having such experts available is key in underwriting data breach risks, according to Mr. Walsh.

Laura M. Toops is Editor In Chief of American Agent & Broker, part of the Summit Business Media P&C Magazine Group, which includes National Underwriter.
