GUEST COMMENT Data theft – why should you care?
Earlier this year Tesco became the latest big name retailer to be the victim of a data breach. According to the BBC, around 2,000 of its customer accounts were hacked and their details posted online. The news followed hot on the heels of a much larger breach at the US retailer Target in December.
A data breach usually involves financial information such as credit card or bank details, personal health or personally identifiable information, trade secrets or intellectual property being stolen or lost. Essentially it is any incident in which sensitive, protected or confidential data is potentially copied, transmitted, viewed, stolen or used by an individual who is not authorised to do so.
Data breaches may include the theft of digital media such as computer tapes, hard drives or data. Or they can be caused by something as simple as someone carelessly leaving a laptop with unencrypted sensitive data on a train, or not storing hard copy records securely. The problem for companies is that the causes of data breaches are extremely diverse.
Many instances, including the most expensive, derive from determined and often persistent attacks by external hackers. The sheer volume of personal information being stored, and the diverse locations in which it is stored, mean that perfect data security is not possible.
Recent statistics reveal the size of the problem. According to Experian, in the first half of 2012, 19.7m pieces of data were traded illegally online, and the Ponemon Institute estimates that the cost of data breaches to UK businesses is around £1 billion a year. The depressing fact is that all retailers, no matter how big or small, should plan for multiple data breaches, as they are a constant risk of doing business.

The legal net is tightening
Law-makers in Europe are viewing the US regulatory environment with interest. To date the regulatory and financial impact of data breaches in Europe has been limited because only a few countries have laws that force companies to inform customers when their data is compromised. In the UK the Information Commissioner’s Office has the powers to impose fines on companies deemed not to be adequately protecting client data, but there is currently no mandatory customer notification requirement.
However, there are moves in the European Union to impose stringent EU-wide data protection legislation. In January 2013, the European Justice Commissioner, Viviane Reding unveiled far-reaching proposals for revising the EU's 17-year-old data protection laws. Under the new legislation, informing customers in the event of a data breach will place a considerable burden on businesses that hold sensitive customer information.
In October last year, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs took the proposed legislation one step further. They want to include an explicit consent requirement for the processing of personal information (consent which can be withdrawn at any time), a right for individuals to insist on the erasure of personal data (the so-called “right to be forgotten”), and bigger fines for breaking the rules, up to €100 million or up to 5% of a company’s annual worldwide turnover, whichever is greater.

Twenty years to build a reputation – five minutes to ruin it
The financial impact of a data breach could be the least of your worries. Even lawsuits and regulatory fines can seem trivial compared to the loss of customer trust. According to our clients, their number one concern linked to a data breach incident is the reputational damage it could cause if not well managed. As Warren Buffett famously said: “It takes 20 years to build a reputation and five minutes to ruin it.”
In a study undertaken among consumers by the Economist Intelligence Unit last year, a quarter of respondents said they had been the victim of a data breach in the past two years. Of those affected, 38% said they no longer did business with the organisation because of the data breach.

Prevention is not enough
The question that board executives should be asking is: “How will we respond when it happens to us?”
It is not surprising that the demand for insurance against a data breach is growing rapidly. Larger retailers, although often equipped with more substantial risk management and legal departments, can face significant costs because of the sheer volume of data that they hold. But small and midsize retailers should also explore data breach insurance, because they are likely to be less prepared for a data breach and less able to absorb the costs associated with it.

Protecting your business
Some retailers feel they can manage a data breach on their own. Others want some assistance and some want an insurer to shoulder most of the responsibility. One thing that we have learned is that a data breach is not the time to be learning on the job. Time is critical, and companies need instant access to expert partners who’ve been there before – preferably numerous times.
For that reason, effective insurance should offer clients instant access to the range of specialist assistance required when a data breach is discovered, including: specialised lawyers, IT experts, brand reputation specialists, notification networks and, if needed, credit monitoring services. All of these service providers need to be seamlessly coordinated to determine what data has been compromised; assess the data owner’s responsibility; notify the right people; and do what is necessary to get the business back on its feet again. What we have learned is that data breach victims who respond swiftly and effectively can emerge from the experience with their reputation intact, and in some instances even enhanced.

Lessons learned
As an insurer we are keen to see evidence that retailers have robust risk management policies and procedures aimed at preventing data breaches, and that data breach protection is a board responsibility. Some companies rely solely on the IT department for data protection risk management, but no matter how many firewalls a company has, or how good its IT systems are, no set of controls can guarantee that it won’t have a data breach. What we look for is a company that takes data security seriously at board level, and which plans and prepares effectively for a breach.
Also don’t forget that good internal risk controls will not help if client data is stored with outsourced data processing companies or with a cloud service provider. Even though these external companies hold the data, the security of the data remains your responsibility as the ‘data owner’, both in the eyes of the law and of customers. So it is very important that the security procedures of these third party service providers are well scrutinised before allowing your customer data to be held by them. Finally, it is also important to note that under the proposed new EU data regulation, outsourced providers will take on additional liability, beyond what they currently have, in relation to the data they hold.

Forewarned is forearmed
Data breach response insurance is not an ordinary coverage: the unfamiliar risks, the service concept and even the non-standard language put a premium on education. You need to know the facts, and to work with experienced, specialist insurance brokers who understand your business.
The scope of coverage available and the cost can vary significantly from insurer to insurer. A team approach with your underwriter, broker and any technical experts will help to ensure that you buy the right cover with appropriate terms and conditions.
The bottom line is that it is not a case of ‘if’ but ‘when’ a data breach will happen. A data breach doesn’t have to be a disaster, but mishandling it will be, so make sure your business is prepared.

Paul Bantick is team leader and underwriter, technology, media and business services, Beazley Group.