With 500 million attempts a month to access Montana's state information technology systems, it is no wonder that Brett E. Dahl, the state's risk manager, views this as the No. 1 risk facing the state.

To address the exposure, Mr. Dahl has established a comprehensive cyber/information security insurance program that enables the state to respond quickly in the event of a data breach, such as one that occurred last year involving the inadvertent release of the names and Social Security numbers of 4,500 Montana State University students.

The state's cyber risk insurance program, led by Beazley P.L.C., with an excess layer underwritten by syndicates managed by Lloyd's of London insurer Barbican Group, provides $2 million in forensics investigation and privacy notification coverage and up to $5 million for regulatory fines and penalties. The limit for legal services, including the defense and indemnification costs, is $750,000 per claim, $1.5 million per occurrence, which is Montana's statutory cap for such liabilities. “It's a very comprehensive insurance program and approach to mitigate the impact on the individuals whose names are released,” Mr. Dahl said.

Although the personally identifiable information was only briefly available on the state's internal intranet as a result of the temporary removal of firewalls by a programmer who was having trouble getting a program to run, the Helena, Mont.-based Risk Management and Tort Defense Division mobilized quickly, contacting its insurer and working with outside counsel Baker & Hostetler L.L.P. to craft a notification letter using the language appropriate for the situation, according to Gordon Amsbaugh, senior claims specialist.

%%BREAK%%

“We did a forensic investigation that determined that someone with significant computer skills could have accessed the information and identified the parties whose information was potentially at risk,” he said.

The letters were sent to the 4,500 affected students, who were also offered free credit monitoring services, and a call center was established to address any questions, Mr. Amsbaugh said. Fortunately, “there weren't that many calls to the call center and very few escalations from what the call center couldn't handle, but we designated a person at MSU who was able to provide support to the callers if there was something that the call center couldn't address,” he said.

“We wouldn't self-insure cyber because the resources that are available through the carriers include legal resources from law firms that specialize in technology, federal and state data and cyber laws,” said Mr. Dahl.

For example, in the case of the 2013 MSU data breach, “those names involved students who lived in 30 or 40 different states — I don't remember how many — but the privacy laws are different in every state — and what the commercial insurance coverage offered that we didn't have expertise in was knowledge of federal and state laws,” he said.

“The insurance carriers also have contracts with vendors to do the mail notification, and they have a public relations firm to help craft the letter.”

%%BREAK%%

To prevent similar inadvertent breaches from occurring, state employees are also required to complete “Securing the Human,” an online security awareness program that focuses on changing human behavior through a variety of training and testing tactics.

This collaborative program with the chief information officers from state agencies and universities received the 2013 AFIRM award for innovative risk management from the State Risk & Insurance Management Association.