A Data Breach Doesn’t Discriminate
By: Russ Banham
Call it the liability du jour. Now that identity theft is the fastest growing crime in America, generally perpetrated by criminals hacking into a company’s networks and systems to ferret out customer and employee personally identifiable information, the onus is on independent agents to help Main Street America address this rising exposure. The challenge is significant: persuading small and medium-size enterprises (SMEs) that they are at dire risk of a data breach. Many SMEs simply cannot fathom why a hacker would want to access their systems, given the wealth of data stored by much larger concerns. However, according to a survey of more than 2,100 small and midsized companies last year by Symantec, 73% of SMEs had experienced a cyberattack, and 30% of these attacks were “somewhat or extremely effective.”

Bull’s-eye on Your Back

There are several reasons why hackers are targeting SMEs, says Brian Tokuyoshi, senior product manager at Symantec, a Mountain View, Calif.-based technology security vendor. “For one thing, SMEs sometimes have more customer data stored in their systems than do larger companies, since they’re at the point of sale and on the front lines of commerce,” he explains. “An even more powerful factor is that hackers know that most SMEs don’t have IT departments or any IT security at all. In these cost-conscious times, the likelihood is for many smaller businesses to actually cut back on security.”

He is not alone in this view. “A few years ago, I would walk into a small company and ask to speak to the IT guy and someone would have been there,” says Larry Collins, head of e-solutions for risk engineering at insurer Zurich NA. “Today I walk in and there is no such person. Because of the recession, the company has [fewer] resources to spend on IT.”

“The risk for small and midsize companies is definitely increasing,” says Holly Moriarty, small commercial marketing director at The Hartford Financial Services Group.
“The majority of the data breaches we see occur to small businesses, which don’t have the controls in place to protect them.”

Moriarty makes a good point. While SMEs, just like their Fortune 500 cousins, have a veritable treasure trove of customer and employee personally identifiable information in their databases, such as their names, Social Security numbers, addresses and birth dates, what they don’t have is anywhere near the same level of security—software encryption, password protections, intrusion detection and impenetrable firewalls, to cite a few. And hackers know it.

“Small and midsize companies feel they’re under the radar when it comes to a hacker,” says Don Ackerman, vice president in the New York office of technology consulting and investigations firm Risk Control Strategies. “They think nothing bad will happen to them because they’re not a target. They are so wrong.”

Small Company…Big Risk

How wrong are they? A joint study by the U.S. Secret Service and Verizon Communications Inc.’s forensics analysis unit paints a frightening picture. 482 of the 761 data breaches the unit investigated in 2010—63%—occurred at companies with 100 or fewer employees.

“What small company doesn’t have employee information, some kind of customer information, or business partner information that they keep in their care, custody or control?” says Ken Goldstein, vice president, Chubb Specialty Insurance. The answer is pretty obvious. Yet many SMEs fail to take even modest precautions against a data breach.

“Many of our small business accounts have a ‘This won’t happen to me’ mentality,” says Troy A. Schmidt, commercial lines and marketing manager at Lewis Mohr Real Estate & Insurance Agency in Baton Rouge, La.

“There is a state of denial,” says Arturo Perez-Reyes, client executive at San Diego-based agency Barney & Barney LLC.
“It’s no different than general consumers at home who don’t lock their browsers down, or do online banking or their own accounting, not realizing the risks.”

On the bright side, Symantec’s Tokuyoshi says some SMEs are beginning to get the message. “Another survey we did last year indicates that small and midsize companies with 10 to 499 employees are making protecting their information their highest IT priority now, when a high percentage the year before had failed to enact the most basic safeguards,” he says.

The costs of a data breach for companies are significant and rising. According to a study by Symantec and the Ponemon Institute, the average organizational cost is approximately $214 per compromised record, up from $204 two years ago. While $214 may not seem like a lot of money, multiply it by the number of customers in a retail company’s database. Just a thousand customers whose records have been breached can hike the average cost to nearly a quarter million dollars. Says Ackerman, “It can be a great payday for cybertrollers.”

Rx for SMEs

Illegally penetrating company networks and systems is not the only means of acquiring personal information for identity theft. Some criminals may hire on at a company simply to have access to the data. It also isn’t uncommon for a legitimate employee to lose a laptop, iPad or smartphone at an airport or in a taxi. If these devices lack robust password controls and encryption technology and they fall into the wrong hands, the company’s database can be breached. Even if someone with no intention of penetrating the company’s database finds the device, the mere possibility of a data breach may require the organization to notify vulnerable customers and employees, with associated costs. Yet another Symantec survey points out the threat, indicating that two-thirds of SMEs reported losing laptops, iPads and smartphones in 2011. Most of the lost devices lacked password protections.
Independent insurance agents can be a valuable resource to SMEs through the risk management services they provide. Jeffrey Mohr, the president of Lewis Mohr, says the agency routinely offers IT security consultative services to clients. “We have a Q&A form they fill out that asks some probing questions about security measures, which helps us figure out their risk tolerances,” he explains. “We then help them close the gaps. For instance, we might advise that they store sensitive data in the cloud or invest in tighter firewalls.”

Barney & Barney also is keenly involved in helping clients understand their exposure. “We do a fair number of presentations on data breaches and are a sponsor of a community group in San Diego focused on the subject, called Secure Our E-City,” Perez-Reyes says.

While a strong defense is the best offense against a data breach, even world-class security measures won’t eliminate the risk. This, of course, is where insurance comes in. As Tokuyoshi from Symantec says, “When everything else goes wrong, that’s what insurance is for.”

In the last five years, multiple insurance markets have sprung up to address data breach risks, beginning with the surplus lines market. More recently, some carriers like The Hartford have packaged together first- and third-party liability exposures emanating from a data breach as an endorsement to the general liability policy. The data breach coverage is aimed specifically at small businesses, and it addresses a wide range of exposures, including legal and forensic services, notification expenses, crisis management, defense costs and civil awards or settlements, among others. Consultative services, such as assistance with breach notifications and credit monitoring, also are provided.

Mix-and-Match Coverage

Other carriers offer similar coverages and services, packaged together or in piecemeal fashion. The question is—are small companies buying the insurance? Yes and no, say agents.
“It’s like employment practices liability insurance when it first came out,” explains Jay Byrnes, president of Dayville, Conn.-based Byrnes Agency. “It’s so new that customers want to discuss it and understand it and are definitely concerned about a data breach happening to them, but it is way down on the food chain, given more pressing financial concerns. I think this will change over time, as it most certainly has with EPLI.”

Other agents agree. “Many carriers are offering insurance in some combination of first- and third-party coverages, but we’re getting the same reaction we got 10 or 15 years ago when EPLI was introduced,” says Ted Way, cyberliability practice leader at Thoits Insurance Services Inc., in San Jose, Calif. “The difference is that companies understand this is a huge risk, even though they may not want to buy coverage yet.” He estimates that 50% of his commercial customers have purchased some form of cyberliability insurance.

Perez-Reyes says his agency has been successful in convincing many retailers of the need for the insurance, given these companies’ reliance on credit card transactions. “Other types of companies think they have coverage through their general liability and professional liability policies, and I often have to point out that these policies do not [offer] coverage for a privacy breach,” he adds. “It’s still a tough sell.”

“Are our small and midsize companies listening? Yes,” says John Immordino, vice president at Springfield, Ill.-based Nicoud Insurance. “Are they buying? Well, maybe about a third. It’s definitely a long sales process. They know they have an exposure and they definitely ask questions. We’ve seen financial institutions and health care providers line up to buy, but others are less receptive, downplaying the risk.”

Goldstein from Chubb praises agents for making the case for insurance protection.
“The truth is that many small and medium-size companies just don’t have the resources—both capital and personnel—to fully stay on top of this issue,” he says. “That leaves insurance as the best recourse.”

Zurich’s Collins agrees, stating that, “Cost-effective insurance solutions are out there.” He adds a telling postscript: “This risk certainly is not going to go away.”

Banham (russ@russbanham.com) is an IA senior contributing writer.

Notify the Authorities

Even with basic safeguards, criminals perpetrating data breaches are always seeking and deploying newer ways to get the goods, such as social engineering “phishing” techniques. “An email is sent to someone at the company that looks official, maybe even from someone senior in the organization, telling the reader to click on a link,” says Don Ackerman, vice president in the New York office of technology consulting and investigations firm Risk Control Strategies. “Unbeknownst to the person is that the link has actually downloaded a key logger device that records the user’s keystrokes, which contain the person’s password. The hacker now has access to the databases. It’s as simple as that.”

Once a hacker penetrates a database containing personally identifiable information, the victim company, depending on the state in which it is located, must notify legal authorities and everyone whose personal information may have been breached. At present, 46 states have laws on the books requiring notification. Louisiana’s tough statute on data breaches, for example, states that any person or agency in the state of Louisiana that conducts a business that “owns, licenses or maintains computerized data that includes personal information,” must notify the resident of the state of the unauthorized access. Such notification must be made “in the most expedient time possible and without unreasonable delay.” The law also allows for civil actions by victims to recover damages for failure to disclose a breach in a timely manner. —R.B.
Resources You Can Use

Other agents are passing on security measures they’ve incorporated in their own firms to thwart hackers. Donna LaGoy, president of Premier Insurance Consultants in Palm City, Fla., and a member of an Agents Council for Technology (ACT) working group on agency IT security, says what she has learned about IT security has also become a valuable resource for her commercial accounts. “Most people think in terms of hackers getting at personally identifiable information, but seemingly innocuous threats include an office cleaner who sees a computer that has not been turned off and who accesses the databases,” LaGoy says. She advises agents to access the working group’s material at www.IIABA.net/act. On the left side of the page is a section on security and privacy, which takes viewers to a paper called ACT Prototype Agency Information Security Plan. —R.B.