Legal damages accounted for the majority of the $3.7 million average cost per data breach that occurred between 2009 and 2011, notes a new whitepaper from NetDiligence, based in Philadelphia.
“Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payout for Covered Data Breaches” explores 137 cyber liability insurance policy claims that occurred between 2009 and 2011 and were provided by major underwriters of cyber liability. Cost averages are based on 58 events, for which the insurer provided a detailed breakout of what was paid on the claim.
The largest component of costs relates to legal damages, with the average cost for legal defence being $582,000 (up from $500,000 in 2010) and the average legal settlement being $2.1 million (more than doubling the $1 million in 2010).
Claims submitted in 2011, based on incidents that occurred from 2009 through 2011, show the average number of records exposed per incident was 1.4 million, down 18% from 2010; the average cost per record was $3.94, up from $1.36; and the average cost per incident was $3.7 million, up from $2.4 million. The typical breach, the whitepaper notes, ranges from $25 to $200,000.
Mark Greisiger, president of NetDiligence, writes that the $3.7 million per breach average figure is considerably lower than the average $5.5 million and $194 per record reported by the Ponemon Institute’s Seventh Annual U.S. Cost of a Data Breach Study. Greisiger notes, however, that Ponemon uses data from the consumer perspective (not from the insurer’s perspective) and the NetDiligence study focuses primarily on insured per breach costs (not per record costs).
Other study findings include the following: personal identification information is the most typically exposed data type, followed by private health information; the majority of reported breaches were caused by three things: hackers (23%), lost laptops/devices (19%) and other, such as web and personal device data loss (18%); and 56% of claims submitted occurred in financial services, healthcare or retail.
Already in 2012, there have been some very large data breaches involving records, passwords or credit cards, the whitepaper notes. These breaches ranged from 400,000 passwords at Yahoo! to 24 million records at Zappos.
“Despite increasing awareness around cyber security and the increasing frequency of data breach events, it has been difficult to fully assess the insurance cost (severity) of these incidents,” the whitepaper notes.
Still, NetDiligence cites a number of examples of actual or potential large costs, including one in Canada. Lawyers for Honda customers filed a $200-million class action lawsuit in May 2011 accusing the company of putting 283,000 customers at risk, in part by waiting two months to inform them of a data exposure.
For insurers, 2011 revealed both worrisome and welcome trends. Worrisome was that data security is being moved out of the C-suite and relegated to front-line managers; welcome was that clients are more aware of when to call about a data breach and are, generally, more cooperative in working with insurers to communicate breaches and trust recommendations.