PCI Impact Brings Insurance Protection Offering

What does it say about the impact of PCI regulations on small to midsize businesses when an insurance company begins offering "card-compromise" coverage?I was surprised several years ago when big insurers began offering data breach policies, but now there's a PCI-specific policy covering the loss of cardholder data. According to the DigitalTransactionsNews article "With Breaches Rising, Insurer Offers Card-Compromise Coverage," a merchant with the new policy could recoup about $160,000 in expenses resulting from a breach.

That's it? How many of you out there have had to deal with a breach? How many records did it involve, how big would you consider your company, and how much did the breach cost? Does $160,000 even scratch the surface? If you consider the costs per affected user, that number could easily get passed with a thorough forensic investigation, covering the costs of notifying users, providing "free" credit monitoring to customers, beefing up security to prevent this type of incident from occurring again, plus covering any potential lawsuits resulting from disgruntled customers who suffered identity theft.

In the past, I've seen commentary about a loss of business due to a data breach, but I'm not sure the statistics support this. Take TJX, for example. The breach didn't hurt the company's sales all that much. I've even chastised family members and explained what happened, but they're not very interested, stating that their credit card providers should cover any fraudulent charges incurred due to theft. Along the lines of lost customers, the insurance from Fireman's Fund Insurance Co. includes up to $5,000 for promotional expenses to help lure back customers.

With all of the included extras, such as the $50,000 for breach-related investigation, $100,000 for PCI fines, $5,000 for promotional expenses, $2,500 for bank service charges, and $10,000 for public relations, the coverage seems inexpensive. According to the article:

"Fireman's sets premiums based on a business' annual sales. A 10-store restaurant chain might pay about 0 annually for the core data-compromise coverage...The card coverage will cost anywhere from 5 per account on sales below million to 0 for businesses with sales above million."

The question, now, is whether the coverage will lead to what the insurance trade calls "moral hazard," meaning companies may find it cheaper to buy coverage than put in the necessary protections to prevent the breach and card loss. To help counter this problem, Fireman's requires a business to have 12 months of PCI compliance under its belt and to document any previous data breaches.

This is only the beginning. With the increasing importance of PCI compliance for businesses, more insurance companies are going to come out of the woodwork offering similar policies. I wonder if we'll see a change in legislative requirements that might one day require businesses to carry this sort of insurance, like states require drivers to carry insurance on their vehicles. What do you think?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.