By Jennifer Norris
BridgeTower Media Newswires
The potential growth opportunities for the cybersecurity insurance industry seem to be constantly expanding as major businesses face significant breaches. But while insuring data has never been more important, figuring out how the process actually works and who is protected by that insurance can prove to be a complicated and confusing matter.
Christine Marciano, an agent with Cyber Data Risk Managers in New Jersey, said the daily headlines about companies suffering data breaches do almost all her marketing work for her. Since she started selling cyber insurance in 2011, Marciano said she has seen the interest in securing data grow by leaps and bounds.
“Companies weren’t really buying (cyber insurance) in 2011, but after the Sony PlayStation breach in 2011, that all changed drastically,” Marciano said.
The breach of Sony’s system exposed the personal information of as many as 77 million users, including their names, addresses and possibly credit card information. But while the high-profile incident may have cost Sony some prestige and roughly $171 million, the gamers whose data was actually compromised were merely given some free game passes and other PlayStation-related amenities as part of Sony’s apology.
Michael Hass, faculty and accreditation coordinator at the Oklahoma State University Institute of Technology’s School of Information Technologies, said watching the way Sony and other big companies handled data breaches got him thinking that maybe companies should be required to have a little more accountability to their customers when they fail to protect their data.
Both Hass and Marciano agreed that, in a data breach, the reality is the consumers are getting the short end of the stick, even if the company has cyber insurance. The reason for that is most cyber insurance is focused on recouping the damages the company has faced, and, while some money may be set aside for dealing with potential lawsuits, typically consumers don’t see much, if any, compensation from companies after data breaches.
Part of the reason companies can’t or won’t compensate customers is that it is incredibly difficult to quantify the worth of data, and the damage caused to a consumer by having it stolen.
“It has value, but if you’ve got an aggregation of data, can you pinpoint exactly whose data that is?” Hass said. “And here’s the tricky part: Customer data has value, but you can’t treat data like a tangible asset. So we need to let the actuarial process happen with information security.”
Cyber insurance is still an emerging industry, so many precedents and standards have yet to be set, Marciano said. Additionally complicating the matter is the fact that the information may have been compromised, but not yet maliciously used against the consumer, meaning they cannot prove actual damage.
In general, when consumers have tried the litigation route for recourse, the courts have agreed that consumers cannot prove standing in their lawsuit against a company that has experienced a data breach, said Steven Abrams, a cyber law attorney and a digital forensics consultant in Mount Pleasant, South Carolina.
“One of the ways you can try to get accountability is with class-action lawsuits, and those have been spectacularly unsuccessful to date,” he said.
Abrams said typically the only way consumers can be successful under current law is by proving an invasion of privacy, a breach of contract by the company, or that the company violated the Unfair Business Practices Act.
Marciano said she believes the trend may be changing, though, especially with the current class-action lawsuits filed in the Equifax breach, because those individuals did not choose to have their information stored by Equifax, and therefore did not willingly incur that risk.
However, as it stands, litigation is by no means a sure way of holding companies accountable for failing to safeguard customer data, and part of the problem may be that so few federal laws govern the use and securing of data.
But while it may be tempting to use regulation to make companies more responsible with data, that route is fraught with complications as well. According to Hass, even the existing laws on information security haven’t always been successfully followed.
“If you look at federal laws regarding how you deal with breaches, it’s inconsistently applied and inconsistently enforced,” Hass said.
He also said any new law passed would almost immediately become outdated in the ever-evolving world of technology.
Further complicating the issue is the reality that many small businesses could not afford the extra cost of a cyber insurance policy if it were legally required.
While it is hard to pin down exactly how many businesses actually carry cyber insurance, a report from accounting and consulting firm Deloitte estimated that just 29 percent of U.S. businesses had bought cyber insurance as of October 2016. For large companies, that number is more like 40 percent, but small businesses often say they skip cyber insurance because of cost and confusion about what is covered by a policy.
Kent Livesay, owner of Livesay Orchards in Porter, Oklahoma, said he believes he carries a small amount of cyber insurance wrapped into his other policies, but said he still worries that his business is inadequately prepared for a cyberattack. He also said he wouldn’t necessarily be opposed to laws requiring cyber insurance as, like every business owner, he watches with concern the uncontrolled growth of cybercrime.
But Marciano, the insurance broker, agrees with Hass that regulation would be too prescriptive in an industry where coverage is different for every company. She said perhaps part of the solution could be that bigger penalties and fines for companies that experience data breaches due to poor cybersecurity would appropriately motivate companies to get their data security game together before a breach happens.
Unfortunately, no amount of insurance, fines, litigation or regulation will ever fully prevent cybercrime or give consumers total protection, because no company or individual will ever be able to reach 100 percent security, Abrams said.
He believes that ultimately individuals have to take responsibility first and foremost for all their sensitive information by practicing the utmost caution, and perhaps getting a personal data security insurance policy, such as LifeLock.
“We have to understand that our information is never going to be completely secure,” Abrams said. “Assume that everything you put out on the internet is not secure. There are techniques you can use to not expose your real information on the internet, but if you’re posting a comment on Facebook, or writing a review online, just know that you’re publishing that to the world.”