Some believe that Europe continues to lag behind the US in terms of data security. Matthew Hogg explores the likely triggers for improved levels of data security in Europe.
According to a recent PricewaterhouseCoopers report, European companies in general still lag behind their counterparts in other parts of the world, notably the US, when it comes to their approach to data security. And, despite high profile cases - as well as significant fines - involving major data security breaches in both the public and private sectors in Europe, it appears that European businesses still buy less cover for data loss than companies in the US when it comes to insuring for third party liability.
As the European Union begins to more closely address issues of data security and discuss the introduction of a more harmonised regulatory regime throughout its member states, will these actions be a catalyst? Will they prompt European companies to take a more proactive stance towards the systematic risk management of customer and employee personal data?
Losing personal information
There are many examples of companies and organisations suffering significant data breaches. In the UK, for example, the government has experienced a number of high profile incidents, not least the loss of personal details for more than 25 million people in 2007. This occurred when disks, crammed with personal information such as bank details and National Insurance numbers, went astray.
More recently, organisations from an array of industry sectors including financial institutions and large retailers have all experienced breaches. Organisations in the education, healthcare and government sectors are particularly vulnerable to suffering costly implications from a high profile data security breach, given the amount and types of personal data they hold, but the private sector is certainly not immune.
Given the high profile nature of many of these losses, the next question asked might be around the rigour of the legal and regulatory regimes in place in both the US and Europe.
Powers do exist
Despite PwC's findings, Europe's approach to data security from a legal and regulatory standpoint is strong in many ways. For example, when it comes to the roles and responsibilities of the data holder, European directives provide some consistency across member states. In a world where data regularly crosses geographic and legal boundaries, this can be invaluable.
In the UK the Information Commissioner's Office has the power to impose substantial fines of up to £500 000 for serious breaches of the Data Protection Act and, separately, the Financial Services Authority has the power to levy even larger fines in its regulatory environment. Other European data registrars have similar powers.
In the US, there is not a uniform federal approach to data security, although it has a strong industry-sector focus in areas such as healthcare and financial institutions. However, the US appears to up its game at a state law level, particularly with regards to the public notification of data breaches.
One big difference between Europe and the US is the set of rules around notification. The majority of states in the US (46) have notification laws, which typically require data subjects to be notified should unencrypted personally identifiable information about them be potentially exposed. In a number of states there is also a legal obligation to notify the relevant governmental body of any such potential breach.
Additionally, best practice has led to a rise in the cost of notification given the trend of writing to each individual and the offering of credit monitoring services. According to the Ponemon Institute, this can be as much as $204 for each customer's or employee's data loss and the average cost to an organisation in the US of a major data breach is more than $6.75m.
In Europe, compulsory notification rules are patchy. Some countries require notification in certain circumstances, but in most cases only for particularly serious breaches and/or for certain types of data. A different approach to notification may, therefore, be one of the major reasons why insurance penetration for third party liability cover is not as advanced in Europe as it is in the US.
Nevertheless, the implications for poor data security to a business are far-reaching. They include potential fines, penalties, damages, settlements and legal costs when facing either a disenchanted data subject or regulatory body in or out of court. Additionally they can include notification costs, credit monitoring expenses, IT audits and the resuscitation of a damaged reputation. Furthermore, poor security management can cause significant direct financial loss to the business as a result of lost or damaged data, and significant business interruptions.
On both sides of the Atlantic, insurance purchase for first party cyber risk, such as business interruption and loss of digital assets, remains relatively low despite increases in take-up. In part this is because many businesses perceive the reputational and public impact of a loss of IT systems to be limited, unless, for instance, the business happens to be an internet company that transacts exclusively over the web.
Given the modern dependence on IT systems and data, this perception is surprising, particularly where the business relies on inventory management, logistical distribution and sales software. Interestingly, enquiries about first party cover have increased recently from the energy and utilities sectors, which have grown nervous since the arrival of the Stuxnet computer virus that has caused such havoc with Iran's nuclear facilities. Again, it would appear that a topical risk is often an insured risk.
There is more of a drive in the US, however, for third party liability privacy cover (which insures against liabilities in the event of a data breach), and this is once more being driven by the notification laws there. Surprisingly, European multi-nationals operating in the US are not showing as much appetite for this cover. Given that they are subject to the same data breach rules as US companies, this could be a cause for concern. Again, insurance appears to provide a tool to businesses that wish to satisfy stakeholders that risk transfer is arranged for the most topical and publicly demonstrable risks.
Waiting for the EU
The big question then, given that notification appears to be the real driver behind the take-up of third party cover, is whether notification rules will be harmonised across Europe when the EU comes to further legislate in this area. The lack of a uniform regulatory status of notification requirements is something the European Parliament has, for some time, said it will target, but it will not be announcing its position on a review until next year. What the new rules will entail is at best a guessing game, but it is unlikely we will see compulsory notification laws in the immediate future.
In their absence it might be that the rising media prominence of data security overtakes the regulatory agenda and persuades more European companies to buy protection. The growing prominence of cyber crime means that the ‘it won't happen to us’ attitude will surely be questioned should a significant breach hit a western government or major corporation. In time, the likes of Stuxnet, or the recent ‘Here you have’ virus, which supposedly affected a number of multi-national companies, may do more to grow the market for cyber cover than any new EU regulation.
Matthew Hogg is the vice president for strategic assets at Liberty International Underwriters