• Atlanta
• Boston
• Dallas
• Ft. Lauderdale
• London
• Minneapolis
• New York
• Oakland
• Philadelphia
• Washington, DC

By Thomas B. Caswell and Hernán N. Cipriotti
To view this article in PDF format, please click here.

Most businesses, whether small or large, are aware of the risks associated with their enterprise and acquire insurance coverage to aid in managing the financial consequences of those risks. One increasingly common risk for which most businesses have not previously sought insurance coverage is the threat of a data breach.

However, the instances of data breaches have been growing in number, and now impact far more types of businesses than only the large and well-known technology companies usually mentioned in the press. Indeed, we are now in an era where virtually every organization must face the real threat of a data breach, and many have begun to seek insurance for this risk.

In response to the increasing demand for cyber insurance, various insurance companies have introduced policies to respond to losses arising from a data breach. Although no two policy forms are identical, the two most common types of cyber insurance are first- and third-party coverage.

First-party cyber insurance typically covers the cost of restoring the insured’s computer systems and may compensate the insured for revenue lost by an interruption to network systems caused by a data breach.

Third-party coverage generally covers defense expenses and indemnification for claims against the insured company brought by third parties affected by the data breach, and certain response expenses, e.g., notifying the affected parties, investigating the cause of the data breach and responding to governmental investigations.

Regardless of the policy form or the policy language, one thing remains true — the demand for cyber insurance is increasing, and it will continue to grow as insureds, particularly middle-market and smaller companies, come to the realization that data breaches pose a significant risk to not only large technology companies, but also to all business organizations.

So far this year, there have been over 370 reported data breaches where private records were stolen or disclosed. These types of attacks, where confidential and personal data or information has been entrusted to a company and is subsequently stolen and publicly disclosed, have become increasingly more common over the last decade.

While virtually everyone has heard about the data breaches occurring at companies such as PayPal Inc., Yahoo! Inc., LinkedIn Corp., Sony Entertainment Network and Amazon.com Inc., the true magnitude of this threat goes far beyond these well-known incidents.

In 2011 alone, there were over 174 million records breached.[1] Since 2005, there have been over 3,000 reported data breaches exposing over 562 million records. These records often contained personal and account information, credit card and bank account numbers and, in some instances, even U.S. Social Security numbers and medical records.

Just this past July, Yahoo! suffered one of the largest data breaches of the year. Through a simple hacking procedure called SQL injection, a group of hackers seized the information of over 400,000 users, including e-mail addresses and passwords.

While significant media focus is placed on the data breaches suffered by large corporations like Yahoo, for every “big name” breach, there have been hundreds of smaller institutions and businesses affected. These smaller breaches that do not generate the same level of media attention as a breach at Yahoo or PayPal actually account for nearly half of all data breaches occurring since 2005.[2]

The impact of these innumerable breaches is even more dramatic when one considers that the average cost to these companies for each record breached was $194 in 2011.[3] On an organizational level, it has cost companies an average of $5.5 million to respond to a data breach.[4]

While larger companies may have the resources and capability to remediate a data breach, a breach may still result in a large economic set back. This obviously is the case for smaller organizations.

Potential Liability Arising out of a Data Breach

When evaluating the impact and the potential costs and liability an organization may face as a result of a data breach, a number of factors must be considered.

One of the main factors to be considered is the content of the information breached. Most lawsuits filed against companies that have merely exposed usernames and passwords rely in part on state consumer/personal privacy statutes and more heavily on common law causes of actions such as negligence, breach of contract, breach of implied contract and negligence per se. See e.g., Szpyrka v. Linkedin Corp.[5], Stratfor Enterprises LLC v. Sterling[6] and Habashy v. Amazon.com Inc. d/b/a Zappos.com.[7]

On the other hand, companies whose records contained an individual’s medical information, Social Security numbers and credit card numbers are faced with numerous allegations based on federal and state statutes specifically tailored to address these issues.

Prevention and Mitigation

Most data breaches are the result of malicious attacks carried out by hackers directly or through malicious software.

One of the biggest challenges in attempting to mitigate the damage caused by a breach is that in 85 percent of all cases it takes weeks or more for the breach to be discovered. Hackers often use the time before the breach is discovered to download entire databases and to explore further vulnerabilities in the affected servers.

The individuals carrying out the attacks normally base their selection of databases on opportunity and not on choice.[8] This is one of the reasons why 96 percent of all breaches in 2011-2012 were considered not to be highly difficult.

These breaches occurred because the opportunity presented itself to hackers. The majority of these breaches were avoidable by implementing simple and inexpensive preventive measures.

Businesses should consider taking the following simple steps to protect their data and to reduce the consequences if a breach were to occur:

1. Document where the data is stored and how it is accessed.
2. Identify the level of protection the data needs.
3. Secure the company’s data.
4. Create a disaster plan.
5. Know what to do if a data breach occurs.

With the increased number and severity of cyber threats, every organization should undertake all reasonable efforts to prevent having systems that are vulnerable to cyber attacks. A further layer of risk management for this type of exposure is to purchase cyber insurance.

--By Thomas B. Caswell and Hernán N. Cipriotti, Zelle Hofmann Voelbel & Mason LLP

Thomas Caswell is a partner in Zelle Hofmann's Minneapolis office. Hernán Cipriotti is a summer associate with the firm.

The opinions expressed are those of the authors and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] "2012 Data Breach investigation Report." Verizon. p. 3, 2012: Retrieved Web. 30 Jul. 2012. www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf.

[2] "Chronology of Data Breaches." Privacy Rights Clearinghouse. Privacy Rights Clearinghouse, 7/17. Retrieved Web. 17 Jul. 2012. www.privacyrights.org/data-breach/new.

[3] "2011 Cost of Data Breach Study: United States." Symantec. Ponemon Institute LLC, p. 5-6, Mar. 2012. Retrieved Web. 7 Jul. 2012. http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US.

[4] Id.

[5] Szpyrka v. Linkedin Corporation, 2012 WL 2169325 (N.D.Cal.)

[6] Stratfor Enterprises, LLC v. Sterling, 2012 WL 1645156 (W.D.Tex.)

[7] Habashy v. Amazon.com Inc. d/b/a Zappos.com, 2012 WL 299996 (D.Mass.)

[8] "2012 Data Breach investigation Report." Verizon. p. 3, 2012: Retrieved Web. 30 Jul. 2012. www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf.