The Green Sheet Online Edition
February 23, 2009 • Issue 09:02:02
Insuring against compromise
According to business and e-commerce attorney Holli Targan, some ISOs and processors are now offering payment card data breach insurance programs to their merchant customers. Data breach, or cyber liability, insurance typically covers losses incurred by a merchant due to fines imposed by Visa Inc. and MasterCard Worldwide and issuing banks' card replacement costs. It also protects companies against most forms of hacking, data theft or privacy violations.
But by offering this insurance to merchants, ISOs may be unwittingly subjecting themselves to state insurance regulation.
"Well, sometimes the state laws say that if the ISO markets the insurance they have to be licensed as an insurance agent," Targan said. "Most states require that insurance agents be licensed and each state law specifies activities that qualify a company as an insurance agent. But there are ways of structuring the offering by the ISO so that they don't fall into that trap, and in a way that makes sure they are not deemed an insurance agent."
Targan said some insurance companies have indicated that ISOs don't need to be licensed to provide breach insurance to merchants. And while this may be true, it gives ISOs a false sense of security; they believe simply marketing the insurance qualifies them as agents under state law. Targan suggested that before ISOs proceed with data breach insurance programs, they conduct a thorough review of insurance statutes for the states in which they do business.
"It's really so state-law specific because every state insurance law is different," Targan said. "Talk to an insurance lawyer and get that person to help you interpret the state statutes. And examine the state insurance laws to make sure you're doing it the right way. Right now, I am not aware of any statutes that require such insurance; however, each state and each policy has its own coverage requirements and categories."
A numbers racket
Vimal Vaidya, founder and Chief Executive Officer at RedCannon Security Inc., said, "Data breaches remain the leading cause of financial losses in business, with over 75 percent of Fortune 1000 companies falling victim to data leakage, and this is not going to change without improvements in the enforcement of data security policies."
And consulting firm Vontu's 2007 Consumer Study on Data Security indicated 62 percent of respondents were notified that their confidential data had been lost or stolen; 36 percent said they would not use credit or debit cards to make a purchase with an unknown Web merchant; nearly half said they would not provide Social Security numbers on a Web site.
"We live in a wide-open world where information can very easily be copied, sent or shared, and over 100 million customers have been notified of a breach of their personal data," said Joseph Ansanelli, CEO of Vontu. "Smart companies understand this and are investing in solutions to protect against the loss of this sensitive data and ensure the trust of their customers."
As a result of the ever-increasing tide of consumer data compromises, many companies today sell a wide range of insurance coverage. TSYS Acquiring Solutions and The Royal Group Service Ltd. LLC offer coverage regardless of a company's Payment Card Industry (PCI) Data Security Standard (DSS) compliance status. Their joint program covers the mandatory forensic audit when a breach is suspected, as well as any PCI DSS fines resulting from a breach.
Some data breach insurance companies, like Charlotte, N.C.-based Premier Insurance Management Services, cover "soft" costs related to breaches, including expenses, fines and penalties arising from government and regulatory investigations, crisis management, public relations and customer notification.
Tracy Vispoli, Vice President of Chubb & Son, cautioned that a network security breach is not a matter of if, but when. Vispoli noted that new laws in nearly half the states require companies to disclose security breaches to their customers residing in those states.
"Network security breaches expose companies to class-action lawsuits, as well as irreversible damage to the corporate brand," Vispoli said. "And these new laws add another layer of responsibility and cost by mandating that companies notify customers of actual or suspected security breaches. It's time for financial institutions to further tighten their data security controls and to prepare for the significant financial cost of this risk."