A Study of Actual Payouts for Covered Data Breaches
Mark Greisiger, President, NetDiligence®
In 2010, some 16 million confidential records were exposed through more than 662 reported security breaches, according to the national nonprofit Identity Theft Resource Center (ITRC). Most recently, in a blog post that appeared on April 26, 2011, Sony Computer Entertainment America reported a security breach of its PlayStation Network in which hackers obtained personal information on some 100+ million subscribers, resulting in a security investigation so broad that it suspended business operations, and in multiple class action lawsuits.
In cases like Sony’s, insurers will help foot the bill for the data breach—an amount that has been estimated at up to $2 billion—and insurers are fielding increasing numbers of data breach-related claims. “Last year, privacy breaches ran about 1-2 per week. This year, it is more like 6-8 per week,” says Beth Diamond, Insurance Claims Focus Group Leader for Technology, Media and Business Services at Beazley Group. Diamond says the rising numbers are the result of increased legislation and companies’ heightened awareness about their legal obligations to report breach incidents.
That cyber security breaches are now a painful reality for organizations of all kinds, at all levels, is well established. What insurers and corporate risk managers are looking for are more effective ways to predict and prevent these incidents while developing a greater understanding of their financial implications.
This NetDiligence® cyber liability claims study, the first of its kind, examines where the bulk of these breaches are occurring and what kind of impact they have had on affected organizations. Major underwriters of cyber liability provided information about 117 events that occurred between 2005 and 2010, which we analyzed for emerging patterns. Among our findings: PII (personal identification information) is the most typically exposed data type, followed by PHI (personal health information). Topping the list of the most frequently breached sectors are healthcare and financial services. The average cost per breach was $2.4 million, with the majority devoted to legal services.
While previous studies have shed light on data breach events through anecdotal information, this study uses actual cyber liability insurance policy reported claims to illuminate the real costs of such incidents. It is our hope that actuaries, risk managers and others working in the field of data security will use this information to
“... this study is both timely and important because it ... demonstrates the real dollars that are being spent both dealing with the event as well as ultimate damages, and dispels the myth that data breach events don’t carry significant damages to organizations that are affected,” commented Norm Rafsol, Executive Vice President of ACE Professional Risk.
About this Study
For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, what caused the loss, and which business sector suffered the incident. We also looked at the number of records exposed and the associated crisis services (forensics, notification, credit monitoring, and legal counsel), legal damages (defense and settlement), business interruption costs, and fines (PCI & regulatory). Lastly, we asked leaders in the industry representing insurance carriers, law firms, general counsel and cyber breach consultants to offer their insights into recent developments and trends in breach events.
This report summarizes our findings for a sampling of data breach insurance claims occurring between 2005 and 2010 in a variety of industries, including airlines, consulting, education, financial services, retail, manufacturing, information technology and healthcare.
This study, although limited, is the first of its kind, focusing on covered events and actual claims payouts. We asked the major underwriters of cyber liability to submit claims payout information based on the following criteria:
• The incident occurred between 2005 and 2010
• The victimized organization had some form of cyber or privacy liability coverage
• A legitimate claim was filed
We received claims information for 117 events that fit our selection criteria. Of those, 77 events included a detailed breakout of what was paid on the claim. We used our entire sampling of 117 events to analyze the type of data breached, the cause of data loss and the business sectors affected. We used the smaller sampling (77 events) to evaluate the payouts associated with the events—again based on type of data breached, the cause of data loss and the business sectors affected.
The Big Picture
Based on the claims payout data submitted for this study, the average cost for a data breach was $2.4 million. We calculated that average using 116 of the 117 events in our sampling. The one incident we excluded from our calculation was an outlier incident: a billion dollar business interruption event.
The average cost per record was $1.36 when we considered all events in our sampling. However, when we excluded outlier events (those which exposed millions of records), the average cost per record was $5.00. The number of records exposed ranged from 100 to 12 million. While the average number of records exposed was 1.7 million, the typical number of records exposed was 100,000.
Legal damages represented the single largest component of costs. The average cost for legal defense was $500,000. The average legal settlement was $1 million.
Crisis services represented the second largest component of costs. The average cost for crisis services, including forensics, notification, call center and legal counsel, was $800,000.
Type of Data Exposed
More than half of the events involved the unauthorized disclosure of PII (personally identifiable information). Approximately 75 percent of the records exposed contained credit card information. “From our perspective, the retail sector is a large target since retailers store PII data that is not always protected through firewalls or encryption,” says Jason Krause, Assistant Vice President, Arch Insurance. “With breach events such as TJ Maxx, however, which increased awareness, this has started to change.”
PHI (personal health information) accounted for the second largest type of data, comprising 21 percent of breach incidents. According to Elizabeth Kim, Head of Claims for Technology, Media and Telecommunications at Hiscox USA, increased regulations such as HITECH (Health Information Technology for Economic and Clinical Health) are driving the next wave of third-party liability lawsuits. “We are starting to see an uptick in emotional distress cases as a result of increased public awareness of healthcare privacy issues since the passage of HITECH,” said Kim. Although crisis services associated with PII, PHI and credit card data breaches were significant, much of the costs were due to legal damages awarded.
Cause of Data Loss
The cause of loss varied in our sampling, but ninety-five percent of the breaches were caused by one of three things: hackers, rogue employees, and loss/theft of equipment. Hackers caused 32 percent of breach events and were responsible for 75 percent of all exposed records. Industry experts concur that these incidents can be directly attributed to increased use of malware.
According to Diamond, 36 percent of the attacks her claims department sees are from hackers. “With a hacking event you need forensics to determine the cause. In addition, you cannot underestimate the importance of a qualified attorney to advise you on compliance, crisis management and contingency planning. Although these expenses are increasing, they are necessary,” Diamond says.
Malicious breaches by rogue employees—due to firings, downsizing, generally poor economic conditions or the relative ease of selling stolen information—are another growing area. Our findings show rogue employees to be the second largest cause of breaches, comprising 19 percent of breach events.
Lastly, loss or theft is right at the top of the list. According to Meredith Schnur, Vice President, Professional Risk Group, Wells Fargo Insurance Services, “In the last six months, we’ve had six to ten data breach claims reported from lost thumb drives, missing laptops and missing hard copy reports.” Lost or stolen equipment made up 15 percent of data breach incidents in our sampling and accounted for 10 percent of all personal records exposed. Noting slightly more frequency in this category was Richard Sheridan, a Vice President of Professional Liability Claims for ACE, who noted, “33% of our reported data breach incidents arose from lost or stolen items like laptops, backup tapes, USB drives and smartphones – with another 7% arising from lost paper documents. This demonstrates that many of these incidents are not protected by firewalls and require additional physical controls as well.”
Business Sectors Affected
More than 60 percent of breaches in our sampling occurred in financial services, healthcare and retail. A full 88 percent (122 million) of records exposed occurred in financial services alone. Costs across business sectors were fairly spread between crisis services, legal damages and first-party losses. However, the average cost for legal damages in these incidents was significantly higher than the average cost for crisis services. Average expenses per breach for crisis services were about $200,000 per service (forensics, notification, credit monitoring, and legal counsel), while legal damages ranged between $450,000 and $1,000,000.
Type of Data Exposed
The type of data exposed included PII (personally identifiable information such as social security number, credit card, and address), PHI (personal health information), credit card information only, financial information, and other. PII, PHI, credit card and financial information made up almost 80 percent of the number of incidents reported, with a total of 138 million exposed records.
PII was exposed in 37 percent of reported incidents and accounted for 13 percent (18 million) of records exposed.
In one event, a website development company disabled security elements to apply customer-requested modifications to the website. Upon completion of the maintenance, the company failed to re-install security measures resulting in a breach that went unnoticed for five months.
In another incident, two hackers cracked the computer systems of a major business research firm and subsequently obtained confidential corporate records. With the help of cyber-crime investigators, the hackers were identified, apprehended and prosecuted. The research firm spent more than $1,000,000 in investigative and public relations fees.
PHI data comprised 21 percent of reported incidents, but less than one percent (1.2 million) of records exposed.
In one incident, a doctor's practice sustained a network security breach. The attacker obtained patient records, including financial information and health benefits account data. The data was resold to individuals who used benefit information to fraudulently obtain medical services. As a result, the legitimate patients sued, seeking compensation for emotional distress and other consequential damages. In addition, the legitimate patients’ health insurance carriers sued the doctor's practice to recover reimbursements made for fraudulently obtained health services.
Credit Card Data
Credit card data accounted for only 16 percent of the actual data breach claim incidents but accounted for 75 percent (104 million records) of the records exposed.
In one incident, a hacker penetrated an online retailer's network security to steal credit card information from a database containing stored transaction data. The information was then used to make purchases and fraudulently obtain loans in the cardholder's name. Cardholders sued the retailer to recover their cost to repair credit and discharge fraudulent loans, while also seeking damages for emotional distress. The banks that issued the cards also sued the retailer to recover card re-issuance and cardholder notification costs.
[Scenario cost charts: Crisis services 40%, Legal damages 57%, Associated fines 3%; Crisis services 24%, Legal damages 41%, First-party losses 35%; Crisis services 31%, Legal damages 65%, Associated fines 4%]
Other Financial Data
Financial data comprised four percent of the reported incidents, with approximately 10 percent (13 million) of total records exposed.
In one case, an offshore ID theft ring installed spyware on a bank's network. The spyware captured confidential information, including passwords, login data and account details exchanged between the bank and its customers. Harvested data was subsequently used to deplete the customers' bank accounts and fraudulently obtain loans in their names at other banks. Customers sued the bank for consequential damages resulting from a failure to protect their private financial information.
Cause of Data Loss
The cause of loss included hackers, lost or stolen equipment, rogue employees, business interruption, and staff mistakes, among others. Ninety-five percent (132 million) of all records exposed were attributable to hackers, rogue employees, and loss/theft of equipment.
Hackers caused 32 percent of the reported incidents, but 76 percent (105 million) of records exposed.
In one incident, a West Coast insurance company filed a civil lawsuit for $800,000 in damages caused by a former employee who hacked into the company’s computer system to access confidential information. The employee devised an "industrial espionage" scheme to obtain intellectual property and confidential data that was forwarded to competitors.
In another case, a non-profit charity accepted donations that were charged to the donor's credit card. The charity retained donor information, including credit card numbers, to support pre-authorized recurring donations. A hacker penetrated the charity's network security and copied the retained card data, which enabled an ID theft ring to withdraw funds from donors' bank accounts. The donors sued the charity to recover stolen funds and the cost to repair their credit history.
Rogue employees caused 19 percent of reported incidents and were responsible for 10 percent (14 million) of records exposed.
A recent example involved a disgruntled employee of a Fortune 1000 firm who downloaded malicious code onto the firm’s network, plus the networks of the firm’s clients and vendors. The code launched confidential information into the public domain and destroyed some critical corporate applications, resulting in more than $9,000,000 in third-party claims.
Loss or Theft
Lost or stolen equipment accounted for 15 percent of reported incidents and 10 percent (13 million) of records exposed.
In one incident, an employee of a medical college lost an iPad while traveling from a teaching hospital to the college office. The iPad contained personally identifiable information of 1,800 applicants for hospital residency. The college alerted the hospital, notified the affected individuals and contacted credit and identity monitoring services. Credit monitoring costs for the breach totaled $57,000.
[Scenario cost charts: Crisis services 29%, Legal damages 71%; Crisis services 87%, Legal damages 13%; Crisis services 21%, Legal damages 43%, First-party losses 36%]
Staff mistakes caused seven percent of the breach events, but accounted for only two percent (2,749) of records exposed.
One such incident involved a city school, where the confidential information of 98,000 students was accidentally published on the school’s website. The school hired forensic experts to determine the number of students affected and the nature of data exposed. Additionally, the school sent notification letters to all affected students and established a call center to respond to their questions and concerns.
Business interruption incidents comprised eight percent of the breach events, yet contributed nothing to the number of records exposed.
One recent example involved a computer manufacturer that used its network to control production of custom chips. A virus infected the manufacturer's network, causing the firm’s computer memory chips to also be infected. Before the problem was identified, the firm shipped virus-laden chips to its customers who subsequently installed the now-malicious components in their own products. The manufacturer's customers sued, seeking to recover the costs of product recall, product replacement, legal defense and damages awarded. Costs attributed to business interruption incidents were all first-party losses.
Business Sectors Affected
There were five primary business sectors impacted by data breach incidents: healthcare, financial services, retail, IT/technology and education. Approximately 96 percent (133 million) of records exposed came from these five sectors.
Twenty-four percent of the breach incidents occurred in the healthcare sector, yet less than one percent (463,000) of records were exposed. Lost or stolen equipment made up the largest percentage of healthcare incidents, including misplaced medical tapes and lost or stolen laptops and thumb drives.
Rogue employees accounted for almost a quarter of the incidents, with patient records illegally being resold to identity theft rings. In one example, 40,000 records were compromised. Hacking caused roughly 20 percent of incidents, including slandering targeted employees through email intrusions, introduction of malicious software, corruption of medical records databases, and theft of benefit information for the purposes of resale. Almost 15 percent of the healthcare breaches were due to inadequate security, system glitches, or employee negligence, including an inadvertent website posting and the email delivery of patient records and data. In one of the incidents, the company failed to give timely notification that a breach had occurred, resulting in fines levied against the company.
Although only 22 percent of reported incidents occurred in financial services, this sector accounted for 88 percent (122 million) of records exposed.
Most of the breaches occurred due to hackers, lost or stolen equipment, and rogue employees. Hacker incidents involved stolen credit cards, inflated balances on pre-paid debit cards and extortion. In one incident, hackers altered the allowable balance on 200 debit cards to $300,000 (each), and then performed 12,000 withdrawal transactions at hundreds of ATMs in 10 countries over a span of two weeks. In another case, customer information was stolen from a server while in the custody of a vendor who was investigating a breach. Other breaches in financial services were due to lost or stolen equipment that contained PII information. In one such incident, an employee stole 4 million identities off a thumb drive for the purpose of resale. In another, a lost laptop contained 40,000 personal records.
[Scenario cost charts: Crisis services 51%, Legal damages 46%, Associated fines 3%; Crisis services 43%, Legal damages 43%, First-party losses 11%, Associated fines 3%]
The retail sector accounted for 15 percent of reported breaches and seven percent (10 million) of records exposed. Breach events in this sector affected both brick-and-mortar shops and online stores.
Almost half the incidents in this sector were caused by rogue employees and hackers. In one incident, a rogue employee at a large consumer reporting agency stole four million customer records for resale purposes. In another incident, hackers gained access to the computer systems of a dozen hotel locations and were able to access the names and credit card numbers of approximately 500,000 individuals. The hotel chain incurred over $1 million in crisis management-related expenses.
Hacking represented the bulk of breach activity in this sector, with business interruption second. A British ISP shut down its entire operation after a massive DoS attack crippled its network for several days. The ISP told its customers that because its insurance would not cover the cost of bringing its servers back online, it was forced to file for bankruptcy.
In another incident, a hacker overwhelmed several large websites through multiple distributed denial of service (DDoS) attacks. The culprit hijacked various computers throughout the world to bombard target servers with seemingly legitimate requests for data.
In the education sector, 75 percent of breaches were due to staff mistakes. One breach included the accidental disbursement of students’ PII through website and email errors. Expenses incurred included forensics, notification and credit monitoring. Legal damages for one of the cases were $250,000.
[Scenario cost charts: Crisis services 11%, Legal damages 34%, First-party losses 55%; First-party losses 98%, Associated fines 2%; Crisis services 54%, Legal damages 46%]
Despite increasing awareness around cyber security and the increasing frequency of data breach events, it has been difficult to assess the cost to companies when such incidents occur, due to the lack of hard data on the subject. This study lays the groundwork for risk management professionals and insurance underwriters to understand the true impact of data insecurity.
An empirical look at actual data breach events that occurred between 2005 and 2010 in organizations that had cyber or privacy liability coverage reveals that companies spent on average $2.4 million per event. The healthcare, financial and retail sectors and records containing PII, PHI and credit card information were most at risk, with hackers and rogue employees and contractors responsible for the majority of data loss.
While this small sample covers only 77 data breach incidents in that five-year span, it demonstrates the areas where companies can better focus their cyber risk management practices and use these findings to guide the development of their data breach policies and action plans to guard against these events in the future.
Mark Greisiger is president of Network Standard Corp., which does business as NetDiligence®, a Philadelphia-based firm that provides cyber risk assessment services for chief financial officers and risk managers to help assess whether their organizations deploy reasonable and prudent safeguards to mitigate data breach losses and liability risk. Since 2001, NetDiligence services have been used by insurers in the United States and the United Kingdom that offer data and privacy risk insurance products, providing loss control services to their insured business clients. Prior to starting NetDiligence, Mr. Greisiger worked for more than a decade directly in the insurance industry, where he developed and underwrote a ‘hacker insurance’ product.
NetDiligence’s eRisk Hub® web portal helps companies respond to data breaches quickly, efficiently and