Dealing with data breaches—Hartford Steam Boiler works with carriers to enhance policies with protection for loss of personal 01/08

Technology

Dealing with data breaches

Hartford Steam Boiler works with carriers to enhance policies with protection for loss of personal

By Nancy Doucette

Two-hundred-sixteen million. That’s the approximate number of “records” that have been compromised between January 2005 and November 2007 due to data breaches. A data breach includes data elements—Social Security numbers, account numbers, and driver’s license numbers—that are useful to identity thieves. Visit the Chronology of Data Breaches Web site (yes, unfortunately, there is such a compendium at www.privacyrights.org) and the details of the incidents are eye-poppers.

With numbers like that, chances are pretty good that your customers—commercial as well as personal—will be affected, if they haven’t been already.

So what’s an agent to do?

Short answer: Talk to your carriers. Quite possibly, you’ll get some reassuring news. They offer policies that include coverage to assist commercial clients facing a data compromise situation and/or personal clients in need of identity recovery services.

But you may be surprised to learn that these coverages are being provided via a reinsurance arrangement by Hartford Steam Boiler (HSB). “When most folks hear about HSB, it’s in conjunction with mechanical and electrical equipment,” notes Mark MacGougan, vice president of product development and product manager for HSB’s Identity Recovery and Data Compromise programs. “As we try to keep up with the emerging exposures that insurance needs to address today which require some sort of special expertise, that’s led us to some things that you wouldn’t traditionally associate with HSB.

“We don’t put ourselves forward as we’re helping these carriers enhance their products,” he continues. “We prefer to build up their brands. We’re behind the scenes. It’s like ‘Intel inside.’ If the HSB product is part of a package policy, it’s not our brand that the customer is buying; it’s the primary carrier’s policy. HSB is helping that carrier to differentiate their policy.”

Identity Recovery coverage

HSB’s Identity Recovery coverage combines identity theft insurance that helps victims with expenses, such as lost wages and certain legal fees, with services that help victims restore their credit history and identity records. MacGougan reports that as of early October 2007, some 40 national and regional carriers were offering this product.

He explains that there are two key services bundled in this program. First is a toll-free help line staffed by identity theft counselors. “A lot of times people just have questions,” he says. “Sometimes they aren’t certain if they’re an identity theft victim. They might just need a question answered or to get some information or advice about loss prevention. Or they may in fact be uncovering a situation that really is identity theft.”

The second key service leverages HSB’s arrangement with a professional identity restoration firm. The identity restoration firm will do research on behalf of the victim to investigate the extent of the problem. If the insured is an identity theft victim, the firm will provide restoration services. If the victim is willing to sign a limited power of attorney, the firm will act on the victim’s behalf with the credit bureaus, governmental agencies and creditors.

“Our Identity Recovery program responds to people’s needs beyond simply paying bills,” MacGougan says. “If you read statements from identity theft victims, there’s a lot of angst—not just because they’re a victim of this fraud—but because the process they have to go through to try to regain control of their identity is so time-consuming. Additionally, there’s a lot of frustration in dealing with law enforcement on this issue, not to mention credit bureaus, governmental agencies, and creditors. It’s no picnic.

“The help line and case management service make a dramatic difference for the insured, in terms of the time it takes to address matters and the amount of stress involved,” he says.

He points out that the Identity Recovery endorsement can be attached to a variety of policy types. Most often, it’s added to a homeowners policy. Some carriers build it into their coverage, making it a standard part of their offering. Premiums for the endorsement are generally low.

MacGougan says some carriers offer it with a BOP to the owners of a business as individuals. Sometimes it’s written for the employees of an organization as part of an employee assistance program. “No matter what business your insured is in, if that business owner has an employee who is an identity theft victim, that employee is going to be very distracted. Identity theft affects so many elements of the victim’s life—their access to credit, their standing with the law. So if your insured as a business owner can lift a significant part of that burden from that employee, it’s quite cost effective for your insured to do that.

“Different kinds of policies can be enhanced with this coverage,” he says. “On the personal lines side, I’ve seen this endorsement attached to dwelling policies, personal liability policies as well as to private passenger auto policies. I’ve also seen it attached to farmowners or farm/ranch type policies. On the commercial lines side, I’ve seen it attached to various forms of the commercial package. The carriers know which policies they want to sell more of so it’s those policies that they want to enhance and differentiate.”

Data Compromise coverage

MacGougan notes that HSB’s Data Compromise coverage is strictly a commercial lines program available through just a handful of carriers as it hasn’t been in the marketplace as long as the Identity Recovery product has. It’s an endorsement that can be added on an automatic or optional basis to BOPs or medium-sized packages. “A lot of carriers have expressed an interest in data compromise coverage,” he says, “so we’re expecting to see a lot more carriers offering this program in the year ahead.”

Data compromise is a different issue from identity theft according to MacGougan. “When we talk about data compromise we’re talking about a commercial entity and its exposure to loss because personal information in its care, custody and control has been lost, stolen or inadvertently published.

“A breach could be some sort of electronic hacking event, it could be a physical theft of a disk or a laptop or hard copy files,” he explains. “It could be a procedural mistake where something is made public that wasn’t supposed to be. Or something was disposed of in an improper way that allowed the information to fall into the wrong hands.”

As HSB did its research around the issue of data compromise during the development phase of the product, MacGougan recalls, they determined that the owners of Main Street and mid-market businesses didn’t have procedures in place should a data breach occur. Owners of those types of businesses didn’t know who would be qualified to help them through the process.

“This is an exposure that just about every commercial entity has. A big part of it is reputational risk,” he observes. “Most entities are just keeping their heads down and hoping that something doesn’t happen. That’s as much of a plan as they have.”

MacGougan explains that HSB’s Data Compromise coverage is based on its Identity Recovery model. “It’s a suite of professional services,” he begins. “If your insured has a triggering event, there are various things that will be paid for—some of which have to do with the research the insured has to do to find out what’s gone on and what the law requires the organization to do in terms of informing its customers. Increasingly, there’s an expectation that the entity—whether it’s a private business or a public entity—will stand with its customers and provide some level of service to help those individuals respond to the fact that their personal information has been compromised.

“As part of this program, HSB has set up a preferred relationship with a leading response provider,” he continues. “We don’t require that people use this provider, but we do have preferred rates set up, and we think that most small businesses will be grateful just to have a good, qualified entity ready to go in a case like this.

“The response provider has a lot of experience dealing with breaches so they can work with the insured to craft the message that is appropriate to that unique case,” MacGougan adds. “The affected individuals will get information by mail, have access to a help line as well as to a credit monitoring service that can help them keep an eye on their financial situation. And if they do become identity theft victims, they will have access to exactly the same kind of case management service we offer through our Identity Recovery coverage.”

With the Data Compromise coverage being a relatively new entrant to the marketplace, MacGougan suggests that agents urge their carriers to contact organizations like HSB to get this coverage added to their policies. *

Data Compromise risk management tips

Loss prevention has been one of Hartford Steam Boiler’s hallmarks for its entire 140-year history. Mark MacGougan, vice president of product development and product manager for HSB’s Identity Recovery and Data Compromise programs, provides a snapshot of the most common data compromise scenarios and some ideas for agents to share with their customers on how to prevent these losses from occurring.

The “inside job” can occur when an inside person has access to all the files. “Personal information has a street value,” MacGougan observes. “If you were hiring someone to be the treasurer for your organization, you’d do a background check because there’s an element of trust that goes with that job. Historically we haven’t thought that way about clerical help. But a clerical person can easily make more money by stealing data and selling it on the street.”

He suggests that employers be more careful in hiring. Consider an increased use of background checks. “Historically many entities have reserved that level of due diligence for more senior positions. But these days, it’s well worth considering for any hire,” he suggests.

In the second scenario, an employee has a laptop containing personal information for customers. That laptop is then lost or stolen from them when the employee is traveling. Or the business is broken into and the laptop is stolen.

MacGougan recommends better security at the business location. He says businesses should establish a separate set of procedures in determining what information goes on laptops and how it is encrypted. “The statistics on stolen laptops is staggering,” he says. “Something like 10% of all laptops are stolen within the first year of ownership. This is an evolving area and there is more software available in terms of trying to keep data secure. But if all you use is a password, that provides very little protection.”

The third scenario involves inadequate disposal of old records or files. MacGougan explains that materials that are just tossed in the dumpster are not secure and that information can fall into the wrong hands. “It happens more often than you might think,” he says. “It tends to happen when offices move or close. Those are critical times. People aren’t focused on what happens to the old files. Maybe they don’t serve a business purpose anymore, but they still might represent a risk because of the personal information that they contain.”

The key loss prevention idea for this scenario, he says, is shredding paper files and destroying old hard drives. “Simply deleting files isn’t enough,” he cautions. “The recommended procedure is to drill a hole in a hard drive.”

For more information:
The Hartford Steam Boiler Inspection and Insurance Company (HSB)
Web site: www.hsb.com