Lost vagueness

A combination of media attention, legislative changes and action by credit card companies may result in serious financial consequences for companies involved in the loss of sensitive data. As Graeme Newman explains, it is time insurers reacted to this emerging risk.

Last week, Information Commissioner Richard Thomas announced that 277 cases of data breaches had been reported to his office since the loss by HM Revenue and Customs of 25 million child benefit records last year. The NHS, Cotton Traders, Marks & Spencer, Ernst & Young and the Ministry of Defence are only a few of the other names to have hit the headlines in recent months and there are many more behind the scenes.

While exposés of government blunders have been the most prevalent, data loss is occurring across both the public and private sectors. No one is immune. In fact, the public sector spends more on IT security and risk management than any other sector; it is purely the sector's obligation to be accountable that leaves it more exposed to public scrutiny. In the commercial sector, however, there is no such obligation and the pressure to disclose data loss cases is inconsistent.

Alarmingly, whether the case involves big business or a government agency, the cause is typically human error. A document left on a train or an unencrypted disk misplaced in the post is hardly elaborate and sophisticated subterfuge. Hacking remains a threat but these incidents are splashed across front pages because of the casual and often careless way they are occurring.

In the US, data breach notification laws exist in the majority of states, so that any organisation that loses personal data is obliged to inform the individuals concerned - or face serious fines. The intention is to allow those affected to take proactive steps to protect themselves against fraud but the inevitable side-effects are class action lawsuits, fuelled by 'ambulance chasing' lawyers. Expectations for redress are raised accordingly.

Data loss frequency

Since these US notification laws were introduced, it has become apparent just how frequently data loss occurs. So it is fair to surmise that the UK is only seeing the tip of the iceberg. But this is on the cusp of change. Media attention, the situation in the US, changes to European Union and UK legislation and action by credit card companies have combined to raise the stakes for companies that lose data. No longer is this solely a reputational issue to be kept as low profile as possible; the changing legal landscape means losing data could now have crippling financial implications.

Following the lead of the US, European privacy breach notification laws are now being seriously considered. Discussions regarding amendment of the E-privacy Directive are set to force internet service providers and telecommunications companies to notify in the event of a breach. This is widely considered to be a precursor to a full-blown notification law across Europe.

The law is also changing at a national level. The Information Commissioner's Office has been granted new powers to impose fines on organisations that lose personal data and, following the amendment of the Criminal Justice and Immigration Act, it also has the power to issue enforcement notices for breaches of the Data Protection Act. These can include notification requirements as well as remedial security actions. For example, a recent case involving an unencrypted laptop stolen from the home of an M&S contractor led to an enforcement order compelling the retailer to encrypt all its laptops or face criminal charges.

With pressure also building from the private sector, major credit card operators have now formed the Payment Card Industry Security Standards Council, which allows them to issue significant fines against any company that processes or stores credit card information and has a security breach. This is a global standard that all merchants have to take seriously; PCI-related fines have the potential to render a retailer bankrupt.

Neither business nor government can afford to be associated with data loss, as shown by the recent case of PA Consulting losing a memory stick containing prisoners' records, leading to the loss of a £1.5m contract. The stakes are simply getting too high.

These changes have taken place in a relatively short space of time; the UK's 'data footprint' has changed beyond recognition over recent years. Personal, sensitive information is held in hundreds of locations by thousands of different agencies and organisations and we've seen how apparently easy it is to lose. Speaking on the Today programme, Mr Thomas referred to access to personal information as a toxic liability for organisations. However, this 'toxic liability' is not one that many companies are adequately insured for.

Financial risk

Data is an intangible asset that leads to financial loss and is, therefore, not covered under standard general liability policies. These require physical triggers and cover claims resulting from bodily injury or tangible property damage. Professional indemnity insurance often includes some cover for breaches of privacy but this is usually very restricted and penalties, such as DPA and regulatory fines, are often excluded. Contractual liability - for example, credit card fines or breaches of security provisions contained within outsourcing agreements - is a common and serious exclusion, while hacking exclusions are standard.

To compound matters, standard policies also include no cover for first-party losses, such as privacy breach notification costs, credit monitoring services and brand protection - all of which are vital in responding to a data loss incident.

There is a real need and opportunity for dedicated privacy policies and although there is a lack of providers at the moment, the expertise does exist within specialist insurers. Again, the US example shows a more highly evolved picture. The insurance market in the US has reacted to this emerging risk and a number of standalone privacy policies that respond to these specific exposures have been developed. Privacy cover is rapidly becoming an integral part of any commercial insurance programme.

It is only a matter of time before there is legislation regarding notifications in this jurisdiction; even now, the US state laws could apply to any UK company that loses the data of their residents. Brokers should also be mindful of the possible errors and omissions risk of leaving existing clients with potentially millions of pounds of uninsured losses.

With five million UK companies, the majority of which hold private or sensitive data in one form or another, it is time for the insurance industry to realise that insuring privacy is not about blacked-out windows and mirrored sunglasses. It is about delivering significant and tangible growth to their businesses.

- Graeme Newman is business development director at CFC Underwriting.
