Debate over data security breach insurance continues

Published 20 March 2008

With more and more stories about data security breaches at major companies with millions of customers, the question arises: Should companies, as part of their business continuity plan, take out data security breach insurance? Industry insiders and analysts offer a range of opinions.

We reported yesterday about the security breach at supermarket chain Hannaford Bros., which exposed the credit card information of more than four million customers. The police have already detected more than 1,800 instances of cards being used fraudulently. The Hannaford experience raises important questions about businesses’ response plans for such a disaster, but industry experts are less than enthusiastic when asked whether such a plan should include data breach insurance. SearchSecurity’s Bill Brenner writes that some experts say it does not hurt to include the insurance as part of a larger data breach response program. In general, though, data breach insurance is an immature product that lacks uniformity from one provider to the next, others warn.

Data breach insurance has become increasingly popular as the rate of security incidents accelerates. Troy, Michigan-based Royal Group Services, for example, devotes a healthy portion of its Web site to promoting its breach insurance product. This message greets you: “$1.24 billion. According to the Nilson Report, that’s how much Visa, MasterCard, American Express, and Discover lost due to credit card fraud in 2006 alone. What does that mean for your merchants’ businesses? Well, when you consider that the $1.24 billion really equals 6.75¢ lost on every $100 in credit card volume, it becomes clear just how much they stand to lose.” The Web site continues: “A merchant could incur unexpected costs resulting from a data breach [that could] significantly affect revenue and even jeopardize the existence of the business. This inexpensive policy reduces a merchant’s monetary exposure when a presumed or actual data compromise occurs, thus providing peace of mind!” Across the border, Toronto-based Executive Risk Insurance Services is rolling out a data breach insurance category for corporate clients, and similar insurance is available from such companies as American International Group (AIG) and Chubb Corp.

Brenner’s article offers the views of analysts and industry insiders. Here is one: Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, says: “The general opinion is that since they don’t have any accurate actuarial data, there is no way the insurance companies can properly price it. As a result, policies may be expensive and, in the end, all it buys you is a seat at the arbitration table. No one knows how this stuff should really be priced or how much it helps. And so it’s buyer beware.”