
Firms should evaluate data breach trends: PLUS conference panel


CHICAGO — Organizations face increasing privacy and data security risks and should evaluate data breach trends within their industry, along with local and federal notification laws.

According to Open Security Foundation's DataLossDB.org, a research project that documents known and reported data loss incidents worldwide, hacking remains the highest incident data breach type since 2003, said Jake Kouns, Glen Allen, Va.-based director of cyber security and technology risks underwriting for Markel Corp.

Mr. Kouns was a moderator of a panel of speakers on “Privacy and Data Security: The True Impact of Exposure” at the 25th annual Professional Liability Underwriting Society conference in Chicago on Thursday.

Of the 1,191 breach incidents year-to-date, hacking accounted for 58% of them, a 29 percentage point increase over 2011, which saw a total of 1,041 breaches, Mr. Kouns said, citing DataLossDB.org.

But organizations should not put too much weight on data breach statistics, said panelist Theodore J. Kobus, national co-leader of the privacy, security and social media team at Baker & Hostetler L.L.P. in New York.

While hacking is a problem along with lost laptops, often sensitive data was never accessed, he said, noting that calling a lost laptop a “data breach” prematurely can be costly to a company or organization.

“You really have to be careful when looking at stats,” Mr. Kobus said. “You have to look at their actual value, which is looking at trends by industry.”

For example, in the education sector, negligence is a major source of breaches, while hacking and malware are typical causes of data breaches in financial institutions, he said.

Once a breach occurs, an organization's obligation to notify the customer whose records or information was compromised is not only costly, but also difficult to navigate within the regulatory landscape, the speakers said.


While complying with local or federal data breach notification laws, it's important for organizations to establish a good relationship and open dialogue with the state's attorney general, who charges data breach notification violations, said Andrew Obuchowski, associate director of disputes and investigations at Navigant Consulting Inc. in New York.

“We're learning the more you include them in the process, the more minimal they are when you're making your conclusion” if a data breach occurred, Mr. Obuchowski said.

Cloud computing risks cause a great deal of concern to insurance underwriters as contracts with third-party cloud providers do not necessarily spell out liability, said Michael P. Carr, Chicago-based senior vice president of errors and omissions underwriting at Argo Pro, Argo Group International Holdings Ltd.'s professional lines unit.

Mr. Carr also expressed concerns over insurers' aggregation of risk as more companies store data with one large vendor.

“What happens when a single event compromises one client's entire user base?” he asked. “This stuff isn't going to go away. It's like social media. It's here to stay.”

David Lewison, vice president of AmWINS Brokerage of New York Inc.'s financial risk group in New York, said that insurance coverage for cloud risks varies.

In a basic cyber liability policy, there typically is not a standard form that addresses data stored by a third party, he said.

“I think we will see more forms to specifically address the cloud,” Mr. Lewison said, noting that such coverage can be difficult to sell because of the lengthy question process in the insurer's application.