Small Businesses Have Breaches - And Insurers Have Solutions
Target, SONY and Home Depot may be names you associate with a data breach, but perhaps it should also be Otto Pizza, Desert Title Service and a local contractor or medical office near you. They have also suffered a data breach with all the costs that go with it.
How did they happen?
- Pizza Restaurant - Credit and debit card information affecting 900 customers were accessed in a “point of sale” attack.
- Title Service - Unshredded records containing names and social security numbers were found in a dumpster.
- Contractor - Laptop stolen from vehicle contained personal data on hundreds of clients.
- Medical Office - A clerical error resulted in the mailing of over 63,000 letters with personal information to the wrong people.
What many small businesses may not yet have realized is that they face the same types of risks and response obligations that big companies do. But are they as prepared? The growing availability of Data Breach and Cyber Liability endorsements for BOP and package policies means they can be.
Patchwork of Laws
Currently 47 states enforce laws mandating breach notifications, and no two are exactly alike. Additional federal laws regulate data protection and notifications for businesses in or closely connected to health care. One common thread across state laws is that they apply to small and large companies, and to the loss of one record or millions of records.
Until federal legislation is enacted, small businesses face a myriad of complex and frequently changing requirements. In general, a business owner must investigate a breach of personal information and notify affected individuals promptly. However, the devil is in the details of state laws that can raise compliance questions and make mistakes costly. Even knowing which state laws apply can be challenging.
Some important details and variations concern:
- Time to Respond - can be as little as 2 days
- Report to Regulators - must be without delay in some states
- Type of Information - may include medical information, policy number and taxpayer ID as well as SSNs and credit card numbers
- Private Actions - a handful of states authorize civil lawsuits for damages
- Fines and Penalties - can be many thousands per breach
Businesses with a Data Breach Response policy can report the breach, and their insurer will answer these questions and send the notifications. For those without a policy, a call to an attorney is usually made to learn what to do next.
Typical Costs Related to Business Size
Breach cost data is still rather sparse, but security industry studies and insurer loss experience are starting to fill in the picture. While the general response laws do not differentiate by business or breach size, the total costs are not the same for small and large companies.
Per a NetDiligence study, the median breach cost for a “nano” company (the smallest category in the study) was $50,000 - or one fifth that for all companies combined. The size differential was more prominent when examining the mean or average cost - $107,000 for the nano company compared to $954,000 for all companies. Insurance experience to date is in line with these findings.
This emerging data is important for businesses deciding how much insurance to buy, and to insurers selecting the limits to meet their customer needs. It is no surprise that the numbers coincide with the most popular limits offered in the small business market today. Most Data Breach Response and Cyber Liability endorsement limits are $50,000, $100,000 and $250,000. When a company grows out of “nano” to the larger capital categories, a standalone policy and higher limits are more appropriate.
Understanding the Causes
The wide range in breach costs by business size can be explained by several factors. Fewer records is one obvious explanation; Target had over 100 million credit and debit card numbers in its system, but the typical small restaurant or contractor is more likely to have under 10,000.
Another difference is forensics, and that relates to cause of breaches most common in the small business sector. Many large company breaches are the result of point of sale attacks involving malware. Forensic investigations to identify the source and victims are very costly. In the small business space, most breaches are connected with lost or stolen devices, mis-mailing and discarded paper records. These are the human negligence causes that exist independent of technology. Still, we know from recent breaches that malware can stop small businesses, and that large companies lose records, too.
“Main street” businesses can and do get infected with the malware and viruses behind breaches making the evening news. The two small businesses highlighted, Otto Pizza and the Chicago Yacht Club, fell victim to malware. When those incidents do occur, the business will need the same level of forensic service as Target did.
Insurance Product Decisions
For insurers just entering the market, the most important exercise is matching the amount and scope of protection with its customer needs. The Fortune 1000 company purchases layers of broad cyber protection that can exceed $100 million. The smallest business might have started with a $25,000 First-Party breach response policy. The target product space probably lies between the two extremes.
When developing a product and thinking about what to offer, the most common considerations are:
- Limits - Do you want to offer $50,000 or $100,000? Do you want a higher limit available on request? The coverage can be structured in separate towers for Breach Response Costs and Liability/Defense, or in a single combined limit.
- Liability - Early products focused on the First Party Data Breach Response costs, but newer policies include Third Party Liability and Defense. Do you want to expand an existing product to offer Cyber Liability coverage? A related consideration is whether an insurer wishes to handle the claims in-house or cede that work to a reinsurer or TPA.
- Enhancements - A multitude of coverage enhancements continue to appear, such as Regulatory Fines and Penalties, Network Liability, and Virus/Malware coverage. Some of these are part of base policies, while others are added in a policy upgrade at a higher cost.
- Rating - Most rating methodologies involve flat premium for a small number of hazard grades defined by the type of data maintained. One variant is to combine all grades into one blended rate for even greater ease of use, but there are always drawbacks to a blunt rating approach.
- Eligibility - Class and size restrictions can help insurers contain exposure to the desired customer space. A medical practice and hospital both possess health information, but many insurers would not want both (or perhaps either) on their books.
- Breach Response Services - Most companies elect to “buy” rather than “build” the service component. Any service provider should be vetted for their qualifications to handle all types of breaches and the defense of liability claims. Ask how many breaches they have handled, and how many were from malware versus lost laptops, so you can make an informed choice.
There is no standard policy in the marketplace, perhaps because the ISO BOP option appeared well after proprietary solutions had gained a foothold. Reviewing filings in your territory, as well as ISO products, is a good way to learn what is being offered and what you might want to offer in your own product.
For most insurers with a small business book, the Data Breach Response and Cyber Liability endorsements supporting core commercial policies. Having the endorsement can be critical to keeping or attracting those commercial customers. Moreover, providing less than superior service after a breach can help you lose a valued customer. Both product and quality of service count.
Cyber threats will evolve, as will insurance products designed to cover them. Small businesses will play a part in that process and contribute to the growth of the insurance market. Will you be part of that growth too?
- Pew Research Center, www.pewresearch.org and Privacy Rights Clearinghouse, www.privacyrights.org.
- All of these incidents have been publicly reported in http://www. idtheftcenter.org/id-theft/data-breaches.html, https://www. privacyrights.org/ and/or http://www.databreaches.net.