Zurich explains how not to get sued over privacy

Email Print

19 November 2012

Companies are six times less likely to be sued after data breaches if they provide free services to monitor accounts for suspicious transactions, according to Zurich.

The finding comes from a study by Carnegie Mellon and Temple universities in the US of lawsuits after companies lost or compromised people’s personal information.

Individuals are 3.5 times more likely to sue if they suffer financial harm, Zurich National Underwriting Manager Financial Institutions Martin Zschech told brokers at a Melbourne forum last week.

They are three times more likely to litigate if the company is thought to have been negligent, rather than being the “unfortunate victim” of hardware theft.

And people are six times more likely to sue if financial data is compromised, compared with other types of personal information such as medical records.

Mr Zschech also referred to a study by cyber risk company NetDiligence showing 23% of data breaches are caused by hackers, while 19% are from lost devices.

Some 26% of breaches happen in the financial services industry, with 20% in healthcare.

He says research by the Ponemon Institute found the average cost of a data breach is $US194 ($186) per record.

Mr Zschech says in Zurich’s experience notification costs average just $1 per record but credit monitoring as a result of compromised credit card details costs $25-30 per record, not including costs such as crisis management and public relations.

First-party costs are a greater cause of paid loss than third-party costs, in which the insured is legally liable for the loss of a third party.

“But don’t forget about low-tech breaches,” Mr Zschech said. The leading cause of paid loss for Zurich is wrongly addressed emails or letters containing private information.

He says Zurich calls its policy security and privacy protection insurance, and it is “much more than cyber risks”.

Global Chief Underwriting Officer Professional Liability Lori Bailey gave forum delegates an international perspective. “In the US, if you have a national data breach, there are 46 state laws to comply with.”

Changes to the EU data protection legal framework are also under way, she says.

It will call for regulators to be notified of data breaches as soon as possible (within 24 hours if feasible), force companies with more than 250 employees to appoint a data protection officer and impose penalties up to 2% of global annual turnover for failure to comply.