Table of Contents 

 

$2.4 million in postage

Cyber problems can produce unexpected costs

By Dennis H. Pillsbury


A mid-sized hospital recently had the records for 240,000 people compromised,” relates Drew Bartkiewicz, vice president, technology underwriting for Darwin Professional Underwriters, Inc., Farmington, Connecticut. “Under a combination of state and HIPAA (Health Insurance Portability and Accountability Act) regulations, the hospital had to notify each person via certified mail. At $10 per mailing, that’s $2.4 million in postage. And that might be just the beginning. A HIPAA investigation could result in fines and there could be individual lawsuits as well.”

And this example is just the tip of the iceberg. According to data collected by the Privacy Rights Clearinghouse, which has been tracking data breaches since February 2005, the total number of data breach victims passed the 100 million mark last December.

And incidents continue to occur. From January 25 through January 29, 2007, there were at least 10 incidents involving security breaches, including several where data involving 50,000 people or more occurred.

On January 26, it was reported that information for approximately 50,000 Virginia customers of Anthem Blue Cross Blue Shield was on stolen backup tapes. The information included Social Security numbers and names.

On January 29, the Associated Press reported that a state computer containing the names, Social Security numbers and bank account information for 70,000 Vermonters was hacked into in an automated computer attack. The Human Services computer was used as a tool to track noncustodial parents who owe back child support.

BBC News reported on January 29 that a woman who asked the Halifax Bank of Scotland for her bank statement was sent the statement of 75,000 other customers instead.

Clearly, there’s a need for coverage that will help to alleviate some of these losses, as well as an equal need for effective risk management that will help reduce the loss potential. That’s why Darwin hired Drew from his position as an executive within the high tech sector, where he had been for 10 years. By combining Drew’s deep understanding of the risks faced by the technology industry and users of technology with Darwin’s own underwriting expertise, the insurer was able to identify and effectively underwrite risks for which coverage was vitally needed.

“Our real product is our expertise,” Stephen Sills, president and CEO of Darwin, notes. “Whenever we enter a professional liability field, we always hire experts from that field so we can get a complete understanding of the underlying risks and the loss control procedures that will best serve to mitigate those risks. It allows us to more accurately price our products and provide value-added services to our brokers and their customers.”

Drew points out that technology E&O differs from many other forms of E&O coverage in that “one incident can have an impact on a large number of people, as opposed to many malpractice lines where an incident hurts only one individual. This results in both frequency and severity concerns.”

He continues: “It’s also important to note that it is not just the hospital where the data breach occurred that is at risk. The hospital may be using a larger aggregator that provides information to a number of health care facilities and that organization could be brought into any action as ‘deep pockets’ are sought.

“In addition, if a technology consultant was used at any time, the hospital may turn around and sue the consultant to try and recoup some of the losses. The standard of care requirements for computer professionals is continually ratcheting up. Many consultants are now calling themselves information architects in order to tout their professionalism, but they are also inadvertently assuming greater liability as their clients hold them to ever higher standards of accountability.”

Drew adds: “In a world where information is currency, it is clear that traditional insurance coverage which focuses on protecting against losses of tangible property is inadequate for most businesses. We have created our Tech//404® product to protect traditional businesses that are highly dependent on technology. The product specifically addresses both technology and information risk in a single policy.”

The product includes coverages in three critical areas: technology E&O, cyber liability (data privacy/network security) and Internet liability (media/intellectual property).

The technology E&O coverage does not include a “service for a fee” restriction and includes a broad definition of technology services that can be expanded by endorsement, if necessary.

The cyber liability portion includes coverages for fines, fees and compliance expenses under HIPAA, GLB, SOX, CA 1386 and other data compliance regulations. The network security coverage includes protection against unauthorized access and use; data privacy breaches; malicious code; cyber-attacks, both internal and external; and virus transmission.

The Internet liability portion includes coverage for defamation, slander or libel; false advertising or misrepresentation; unfair competition; deceptive trade practices; and intellectual property/trademark infringement.

Darwin can provide limits up to $10 million. Tech//404 is available in all states and U.S. jurisdictions.

Businesses that question the need for such coverage might heed the words of Gregory Garcia, who was appointed by the White House last September to be the first assistant secretary for cyber security and telecommunications at the Department of Homeland Security: “The threats are constantly evolving against our cyber and communications infrastructure,” Garcia told “Government Computer News” (GCN). “The one thing that I worry about is lack of awareness.”

And Air Force Secretary Michael Wayne explained his decision to create a Cyber Command to GCN this way: “In cyberspace, our military, America and indeed all of world commerce face the challenge of modern-day pirates, of many stripes and kinds, stealing money, harassing our families and threatening our ability to fight on ground, air, land and in space.”

Drew Bartkiewicz concludes that, “As businesses move to an enterprise risk management approach, management of cyber-risks will emerge as a growing concern. Cyber assets outweigh tangible assets at many companies today, and that will only grow over time. Companies need to be prepared with a game plan for managing these cyber risks, and insurance can play an important role in this endeavor.” *

The Data Loss Cost Calculator

Darwin has created an online Tech//404 data loss cost calculator to demonstrate the scope of the financial loss an organization may face as a result of a data breach or identity theft scenario. A broker or client starts by entering the number of affected records in a chosen scenario and the calculator will generate an average cost (in the plus or minus 20% range) for expenses associated with internal investigation, notification/crisis management, regulatory/compliance, and optional private liability if the incident were to give rise to a class action claim.

The calculator breaks down the costs by amounts needed to pay for: cyber crime consulting and attorney fees for the internal investigation; certified mail/notification letter, call center response, crisis management consultant, and incident media expense for the notification/crisis management; and migration of impact/credit monitoring, defense against a regulatory investigation and fines, fees or compliance expenses for regulatory/compliance. The calculator also will provide a separate breakdown for class action judgment and defense costs in the event of a private liability action.

View the Tech//404 data loss cost calculator at www.tech-404.com/calculator.html.

For more information:
Darwin Professional Underwriters, Inc.

Web site: www.tech-404.com/
Web site: www.darwinpro.com/

 
Click on image for enlargement
 

Adam Sills (standing), Underwriter, Technology and Information Liability, Darwin Professional Underwriters, and Drew Bartkiewicz, Vice President, Technology and Information Liability.

 
 

“Whenever we enter a professional liability field, we always hire experts from that field so we can get a complete understanding of the underlying risks and the loss control procedures that will best serve to mitigate those risks.”

—Stephen Sills
President and CEO

 
 

From left: Paul Romano, Senior Vice President, with Adam Sills, Drew Bartkiewicz and Stephen Sills, at the entry area of Darwin Professional Underwriters.

 
 
 

 

 
 
 

 

 
 
 

 

 

CONTACT US | HOME