This article also appeared in Advisen (May 30, 2014).
If the tail end of 2013 wasn’t rocky enough for data security, 2014 thus far has offered no reprieve—ominous and regular reports of massive data breaches affecting all industries and all types of information holders fill the news. One recent report indicated that there were more than 350 million stolen credit card credentials available for purchase in underworld markets. Another report indicated that for 2013, identity theft continued to be the number one consumer complaint tracked by the Federal Trade Commission—there were more complaints on this front than against lenders and others often cited (whether rightly or wrongly) by consumers for anti-social behavior.
Understandably, most insurance and risk management efforts with regard to cybersecurity have focused on the immediate losses occasioned by data breaches. Paying for the almost instant costs of state notification law compliance, forensic investigation, call centers and reimbursement of fraudulent account charges has been the central focus of most data security insurance coverage and risk management assessments. But as data breaches grow large enough in some cases to savage a company’s bottom line, management liability insurance (D&O) and senior-level governance cannot be overlooked. In fact, not only must “management risk management” be a consideration for almost every entity, it now needs to be a central aspect of ongoing risk management assessment.