Printed from BusinessInsurance.com

Banks consider identity theft cover as criminals target data

Posted On: Feb. 25, 2007 12:00 AM CST

A rogue employee leaves at the end of the day with more than his briefcase and car keys. A dumpster-diver makes a jigsaw puzzle of shredded documents. A computer whiz hacks into a secured online database. An office cleaning crewmember sweeps up files left on a desk.

Experts say personal information has reached diamond-status in the criminal world and banks are among the most vulnerable.

"For banks we think this risk is more important than for other types of companies because banks store a lot of information," said Michael Lamprecht, a national practice leader with Gallagher CyberRisk Services, a Chicago-based division of Arthur J. Gallagher & Co.

Mr. Lamprecht and his colleague Michael Flanagan, a managing director also with Gallagher CyberRisk Services in Chicago, work together to help banks find insurance and risk management solutions to help deal with the risk of stolen information and identity theft.

They say interest in addressing identity theft is growing and, unlike most product development efforts, it's policyholders that are pushing their insurers to offer solutions and products.

"The banks are the ones telling (the insurance) marketplace what they need here," said Mr. Flanagan. "If (a bank) hasn't experienced a loss, they are seeing other banks that have suffered a loss."

While risk managers for several banks would not comment on identity theft coverage, experts say the topic is on the forefront thanks to numerous reports of data breaches at banks and other institutions, new regulations and concerns from lawmakers.

"This is probably the most common question I get from banks right now: 'Is identity theft covered under our policies?'" said Judy Kovach, a Cleveland-based product marketing manager for Progressive Casualty Insurance Co., which claims to insure 20% of the community banks in the United States.

Ms. Kovach's company in late February introduced a specialty insurance product zeroing in on identity theft mitigation for organizations as a way to broaden identity theft-related coverage.

Litigation and claims related to identity theft and data breaches have long been tied to Progressive's directors and officers liability and financial institution bond coverages. But that may not be enough given the current climate, she said.

"There is such a heightened awareness of responsibility for banks," she added.

Progressive's new product serves to supplement existing coverages by helping companies pay for the expenses incurred when their customers' data has been stolen.

Mr. Lamprecht estimates that the tally for banks can run as high as $40 per person affected thanks to new regulations and a push to protect reputations.

Breach notification laws passed in 34 states now require businesses and organizations to locate and notify clients—both current and former—when their personal information has been stolen, via missing files, computer hacking or other methods.

Notifying individuals can cost between $1 and $2 per person affected, according to Nicholas Economidis, Philadelphia-based vp and product manager for technology and network security with National Union & Fire Insurance Co. of Pittsburgh, Pa., a unit of American International Group Inc., which has been providing specialty identity theft mitigation coverage since 1996.

When a data breach affects tens of thousands—as can be the case when a laptop computer is stolen or a computer disk misplaced—those costs alone can run a high tab, experts say, adding that traditional coverages don't always cover the bill to comply with the new regulations.

Taking the issue a step further, banks often take voluntary action to protect their reputations, keep customers and guard against lawsuits: They provide credit-monitoring services for anyone affected; they issue new account numbers and debit or credit cards; and they start a public relations campaign to tell everyone what they are doing.

Others estimate that the cost can run even higher than Mr. Lamprecht's $40 per person estimate if, for example, a bank decides to cover court fees and credit recovery services for someone whose identity has been stolen, according to Mark Pribish, director of identity theft management services for Phoenix-based Merchants Information Solutions Inc., a company providing identity theft solutions and risk management services for companies and insurers.

Mr. Economidis, of National Union, said he has seen claims as high as $9.4 million from companies overall with at least one of those claims coming from a financial institution that experienced a data breach. He would not elaborate on specific cases.

The newer and existing identity theft mitigation insurance products serve to help banks pay those expenses and to help banks avoid lawsuits—a major fear in the industry, according to experts.

Using Mr. Lamprecht's figure, a breach where 100,000 people are affected could cost $4 million alone, without lawsuits.

"One thing that has piqued banks' interest is that there isn't a lot of (legal) precedents," said Ray DeCarlo, New York-based executive vp in the financial institution practice at National Union.

Tracey Vispoli, Warren, N.J.-based vp and global fidelity manager for Chubb Specialty Insurance, said the uncertainty and fear are helping drive the market.

"I think what makes everybody unsure is what kind of (legal) exposure this is," said Ms. Vispoli, whose company also provides banks with identity theft mitigation coverage similar to that of Progressive and National Union. "It's safe for banks to assume that they will have some sort of hack or have someone steal information."

"Nobody knows what the legal landscape is going to look like," said Ms. Kovach, of Progressive, adding that banks are most afraid of massive lawsuits and expensive defense costs.

That's why the specialty insurance products that help mitigate losses stemming from data breaches are becoming more popular, according to Mr. Pribish.

"The trend in the future is all banks are going to offer their customers an identity theft recovery program," Mr. Pribish said. "It's a lot less expensive for the bank to pay the upfront costs (following a data breach) than to pay for lawsuits."

Mr. Flanagan, of Gallagher, calls the products on the market "evolving."

"Has the winning model been developed yet? We don't know. Time will tell how this is going to play out," Mr. Flanagan said.