San Antonio
Even though enterprises large and small are losing the battle against cyber attacks, specialty insurers are expanding coverages triggered by computer privacy breaches as rapidly as new enemies emerge to pursue new targets, experts said here.
Tom Srail, senior vice president for the technology practice at Willis in Cleveland, reviewing developments in Network Liability and Privacy Protection Insurance products, described changes in the coverages as "fast moving."
Speaking at a session of the Professional Liability Underwriting Society International Conference recently, he said, "I wish I could put up a standard slide about what the privacy/cyber insurance market is doing. But as soon as I put it up, it would be out of date."
"As fast as the risks and vulnerabilities are changing, the underwriters [are] responding" to what clients want and need, Mr. Srail said. Of particular interest, he said, are coverage enhancements related to costs an insured might incur to notify customers about privacy breaches.
"Several markets now have full limits available" for these costs to send out notices, monitor credit, set up call centers and pay for forensic investigations, he said, contrasting that to the earliest network liability policies that offered $250,000 sublimits to cover these costs.
Now you can buy $10-, $20-, or $50 million in policy limits with the notification and credit monitoring cost coverage offered outside and in addition to policy limits, he said, noting that coverage for voluntary notification is something that can be expressly written into the policy.
Another quickly developing expansion of coverage deals with fines and penalties from regulators or contractual fines from credit card companies when merchants are not in compliance with PCI (payment card industry) standards, Mr. Srail said.
It's a very soft market, he said. Even though the prices may seem dangerously low to some of the underwriter members of the Minneapolis-based PLUS, "there's new premium flooding in every day," he said, noting, for example, that 70 percent of managed care companies and 50 percent of hospitals are purchasing coverage.
Benjamin Stephan, director of incident management for Fishnet Security in Kansas City, Mo., said new enemies are also emerging daily and that they are launching increasingly complex attacks on data privacy.
Security professionals are no longer fighting the cyber war against the 16-year-old behind his computer, he said. That may have been true a few years ago, he said. Today, "we're fighting against business entities" that are hiring people to work in concert to get at privileged information.
As evidence of this, he noted that during a recent case he uncovered three separate computer files–each written in a different programming language.
A single individual is not going to purposely write in three separate languages. "What that tells us is that it's a joint effort," he said, suggesting that one group of hackers is being hired to write one piece of code, another group for another piece of code, and so on–and then they work together.
This type of approach can successfully bypass anti-virus software, he said, explaining that standard anti-virus software examines each file separately and rates it by the risk it poses to your system. If an attack mechanism is split across multiple files, each individual file scores below the risk threshold on its own–and the automated anti-virus software won't catch it, he said.
"In the grand scheme of things, we're actually starting to lose ground," Mr. Stephan said, noting that data protection efforts such as encryption are no longer adequate. Attackers who know they can't get at encrypted data "have shifted their focus" to memory vectors.
He also said privacy invaders have shifted their focus away from large firms, which used to be seen as a gold mine of information. Since those firms are now more protected, attackers are targeting small firms, particularly franchises.
With franchises, "they'll see a consistent structure" in terms of firewalls or lack of firewalls. So once they attack one, and they know where the data resides, then they can repeat the process over and over, he said.
John Mullen, a partner at the law firm Nelson Levine deLuca & Horst in Blue Bell, Penn., suggested that for breaches affecting the small and midsize clients he deals with, different parties are responsible for the problems. Instead of the organized attackers that Mr. Stephan referred to, Mr. Mullen said, "The enemy is within. It's the human resources director, the administrator"–someone who gives the wrong access to the wrong people. "I see people simply making mistakes."
"Attackers leverage that too"–when someone tosses a bunch of thumb drives out into the parking lot, Mr. Stephan said.
K Royal, privacy and security officer for Concentra, an Addison, Texas-based health care company, described an incident in which a physician had a laptop computer stolen that contained patient records.
Mr. Srail said in addition to network liability and privacy protection insurance, insurers are still offering first-party data restoration and business interruption policies–and a handful of markets are "offering an administrative error trigger" that will respond to "a mistake down in the data center"–not just virus or hacker sabotage.
During the educational session, other panelists focused on how businesses should respond to conflicting regulations requiring customer notification of privacy breaches, and on the question of when they should voluntarily send out such notices–to protect a firm's reputation or to minimize the risk of class action lawsuits.
With respect to the regulatory standards, Beth Diamond, claims manager for Beazley Group in New York, noted, for example, that in Massachusetts, notification to consumers cannot include a description of the breach, even though describing the breach is a specific requirement under the HITECH (Health Information Technology for Economic and Clinical Health) provision of HIPAA (Health Insurance Portability and Accountability Act) for breaches of patient records in a health care setting.
In addition, she said that Massachusetts law says the notification cannot state the number of individuals affected, while disclosure of the number of people impacted is required under California law–complicating the process for multistate breaches.
Ms. Royal noted that the U.S. Department of Health and Human Services is in the process of rewriting a HITECH rule stating that notification is required where there is "significant risk of harm" to the individuals affected by the breach–a standard that has existed without a definition of that particular phrase.