That's it? How many of you out there have had to deal with a breach? How many records did it involve, how big would you consider your company, and how much did the breach cost? Does $160,000 even scratch the surface? If you consider the costs per affected user, that number could easily get passed with a thorough forensic investigation, covering the costs of notifying users, providing "free" credit monitoring to customers, beefing up security to prevent this type of incident from occurring again, plus covering any potential lawsuits resulting from disgruntled customers who suffered identity theft.
In the past, I've seen commentary about a loss of business due to a data breach, but I'm not sure the statistics support this. Take TJX, for example. The breach didn't hurt the company's sales all that much. I've even chastised family members and explained what happened, but they're not very interested, stating that their credit card providers should cover any fraudulent charges incurred due to theft. Along the lines of lost customers, the insurance from Fireman's Fund Insurance Co. includes up to $5,000 for promotional expenses to help lure back customers.
With all of the included extras, such as the $50,000 for breach-related investigation, $100,000 for PCI fines, $5,000 for promotional expenses, $2,500 for bank service charges, and $10,000 for public relations, the coverage seems inexpensive. According to the article:
"Fireman's sets premiums based on a business' annual sales. A 10-store restaurant chain might pay about $300 annually for the core data-compromise coverage...The card coverage will cost anywhere from $175 per account on sales below $1 million to $750 for businesses with sales above $15 million."
The question, now, is whether the coverage will lead to what the insurance trade calls "moral hazard," meaning companies may find it cheaper to buy coverage than put in the necessary protections to prevent the breach and card loss. To help counter this problem, Fireman's requires a business to have 12 months of PCI compliance under its belt and to document any previous data breaches.
This is only the beginning. With the increasing importance of PCI compliance for businesses, more insurance companies are going to come out of the woodwork offering similar policies. I wonder if we'll see a change in legislative requirements that might one day require businesses to carry this sort of insurance, like states require drivers to carry insurance on their vehicles. What do you think?
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.