Identity Crisis

Most consumers, unless they have been sleeping under a rock for the past two years, have read or heard media reports of unscrupulous identity thieves preying on common but unprotected electronic transaction and data storage practices in the wired world. The specific techniques may vary — from the hands-on practice of dumpster-diving to the more elaborate world of hacking and phishing (luring people to Web sites). The end result is the same: Confidential data is stolen and used fraudulently to make money.

Recent reports of serious data security breaches and the consequent potential for identity theft have underlined the extent of the problem. The media have widely reported examples of confidential information missing in action, including:

* the April 2007 discovery of Rogers Cable customer files in a Toronto parking lot, complete with drivers licence information and social insurance numbers;

* the announcement in January that hackers accessed the computer systems of U.S. discount retailer TJX Cos., the parent company of Winners and HomeSense, potentially compromising the credit cards of millions of Canadians; or

* the loss in transit, also in January, of a computer hard drive by CIBC investment subsidiary Talvest Mutual Funds, containing the personal information of about 470,000 investors.

IDENTITY THEFT BANDWAGON

Many insurers during the past year have hopped on the bandwagon of identity theft protection, offering endorsements or automatic ‘read-ins’ to standard personal property policies for homeowners, tenants and condo owners. It is hard, in fact, to find an insurer that has not developed an identity theft product.

“We were one of the first out there,” says Brooke Hanson, product manager, home insurance for British Columbia Automobile Association (BCAA). The BCAA launched its identity theft insurance product in March 2005 as an optional add-on to the policies of its 750,000 members. “It’s nice to see that everyone has got on board,” she says.

Since then, a spate of insurance companies offered similar identity theft protection throughout late last year and well into this year. Product structure generally falls into two categories: (1) it is offered as an endorsement for $30-40 per year, such as through BCAA or ING Canada, or (2) it is placed as an automatic addition to existing homeowner policies, which is the route preferred by companies like Dominion of Canada General Insurance Company, Royal & SunAlliance and The Wawanesa Mutual Insurance Company.

“With the advent of the electronic age, it has really made identity theft one of the fastest-growing crimes,” says Martin Campbell, manager of customer segments for Royal & SunAlliance Canada, which introduced its product in November 2006. “From that angle, it just makes sense that insurers cover it. I pretty much look at it as a must-have coverage.”

Dominion of Canada automatically includes it in all personal residential policies, says Brigid Murphy, senior vice president with Dominion of Canada, which added identity theft in September 2006. “Our sense was that our brokers were asking about it because they were getting questions about it from policyholders.”

The heightened awareness of identity theft a mong consumers was leading to requests from policyholders and from brokers to develop a solution, says Chris Ross, manager of product development, personal lines, ING Canada. “We actually already identified identity theft as a coverage we wanted to develop based on media and some independent consumer surveys done in the last couple of years.”

A U.S.-based survey from J.D. Power and Associates in October 2006 revealed that more than 40% of consumers would like their homeowners’ insurance carrier to offer coverage for identity theft.

Ross notes that ING has seen “a lot of interest” in the endorsement since it was introduced in September 2006, saying “we are happy with the traction this product has received.”

The primary goal of these policies is to expedite the recovery process for victims of identity theft by offering coverage for lost wage reimbursement — i.e. the wages lost as a result of taking time off from work to deal with the fraud — notary and certified mail charges for affidavits, loan reapplication fees, long distance telephone charges and legal assistance services.

Many say the risk is quite palpable for Canadian consumers. According to Phonebusters, a national anti-fraud organization run by the RCMP and Ontario Provincial Police, there were more than 32,000 identity theft complaints in Canada between 2004 and 2006, resulting in more than Cdn$43 million in estimated losses. Two major credit bureaus, Equifax and Trans Union, indicate that they each receive approximately 1,400 to 1,800 Canadian identity theft complaints every month.

Statistics indicating how much this actually costs the average victim of identity theft are inconsistent. According to the Identity Theft Resource Center in San Diego, it takes an individual almost 600 hours and US$1,400 in out-of-pocket expenses to recover from identity theft. Another survey from Nationwide Mutual Insurance in the United States says it takes victims of identity theft an average of only 81 hours to recover from an incident.

In Canada, the policy limits for identity theft homeowner riders or read-ins vary from Cdn$10,000 to Cdn$30,000. Coverage for lost wages also ranges from Cdn$2,000 to Cdn$5,000 per policy; companies like ING Canada are on the higher end of income replacement. “We decided to be a bit more generous than the usual,” Ross notes.

Royal & SunAlliance is one of the few that extends its coverage to financial losses, although credit card and debit card providers have standard agreements to reimburse customers if fraud is reported. Wawanesa offers its current home insurance policyholders Cdn$10,000 automatically, but allows customers to increase limits in Cdn$5,000 increments (at a premium cost of $10 per incremental increase), according to John Bjornson, Wawanesa’s vice president of marketing and property underwriting.

BCAA’s Hanson says her company is researching the possibility of a standalone identity theft product “for perhaps the younger generation that dosen’t carry homeowners’ insurance. If we do go with it, it would likely be within the next six months.” Others, such as ING’s Ross, say the relatively low premium charged for the identity theft endorsement precludes the creation of a standalone policy.

This begs the question: If the risk of identity theft is apparently so prevalent, why is the coverage pricing so modest or automatically read in to existing policies? Some critics contend that identity theft insurance is a “throw-away” product, with little or no value, since services like telephone charges are redundant in today’s toll-free world.

A June 2006 report by the Public Interest Advocacy Centre (PIAC) in Ottawa argues that “identity theft insurance as it now stands is of questionable value, given that its major potential claims items — that is, payment for time off work to resolve identity theft issues, as well as legal assistance — are capped at low recovery levels.” PIAC authors John Lawford and Jim Dingwall note that “most identity theft victims do not actually need full legal defence services to recover from identity theft.”

The PIAC authors go further, asserting that identity theft insurance products for homeowners “shift costs to consumers from business…Corporations may be the real parties in need of identity theft insurance, in the form of data breach insurance, (which) might encourage corporations to institute best practices for information handling.”

Current coverage for business in the form of the traditional Commercial General Liability (CGL) policy offers extremely limited protection for data security and theft. Courts have generally held that data is not “tangible property” as defined in the CGL, thus liability arising out of theft of third-partie
s’ electronic data would typically not be covered. Other types of invasion of privacy outside the scope of the CGL include wrongful disclosure and not maintaining proper computer security.

COVERAGE FOR BUSINESSES

There are recent examples of insurance companies offering identity theft protection for Canadian business owners. In March 2006, St. Paul Travelers Canada introduced its identity fraud expense coverage master policy available to financial institutions, commercial businesses and business associations. It provides reimbursement limits up to Cdn$25,000 per covered person to restore financial health and credit history. Gore Mutual Insurance Company also launched a commercial identity theft product in March 2007.

The modest limits of these commercial coverages are clearly targeted to smaller businesses. For larger companies, the most appropriate protection is specialized cyber insurance offered through products such as AIG’s NetAdvantage, Chubb’s Cyber Security, Lloyd’s Enterprise Privacy Protection and Zurich North America’s E-Risk Edge. Here, however, the market for data theft protection has not seen significant growth.

“After only a few years of experience with cyber-incident insurance coverage, it is clear that a sizeable market for the product has yet to emerge,” according to a research report from the Institute for Catastrophic Loss Reduction in 2004. “Cyber premiums range from Cdn$7,000 to Cdn$85,000 per Cdn$1.5-million worth of coverage, depending on the size and exposure of each company to online or electronic risk. Consequently, many companies look inward and self-insure their organizations.”

The Insurance Information Institute estimates that fewer than 20% of North American corporations have purchased cyber insurance.

Managing the risk internally and smoothing out corporate reputations in the wake of major security breaches may suit some businesses, but many legal experts say these realities are not good enough. In Canada, there are no laws for commercial operations to report data security breaches – even when these involve confidential client information.

MANDATORY NOTIFICATION

“The (Rogers case) is clearly just one more example in what’s becoming a litany of reasons why we need to have laws that require corporate notification of both authorities and individuals when personal information has been exposed in this manner,” Pippa Lawson, director of the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic, told the Canadian Press in April. “The question is: How many more similar breaches are happening that we don’t know about? Without a legal requirement…there’s no real incentive on organizations to disclose them.”

Even Canada’s privacy commissioner, Jennifer Stoddart, called for the federal government to toughen criminal legislation in a Mar. 1 news conference. Currently, thieves are rarely prosecuted because stealing information can only be punished if courts prove fraudsters intended to gain financial advantage from the data. Canada is also the only G8 country that has not enacted legislation against spam e-mail.

In what is widely regarded as a watershed event in the United States, Atlanta-based data aggregator Choice Point announced in February 2005 that it compromised the personal information of more than 160,000 consumers when it sold data to identity thieves posing as small business customers. Since then, more than 30 states have adopted mandatory notification laws for organizations suffering breaches in data security, including California, which is regarded as having the toughest disclosure laws.

In the absence of tough sanctions against identity theft in Canada, it is hardly surprising that insurance companies have sensed an opportunity to offer homeowners some avenue of recovery and protection. Whether they are simply capitalizing on public fear or truly offering a product with value is a question open for debate.

CLAIMS EXPERIENCE

How consumers actually use the product in terms of claims activity may signal the long-term usefulness of identity theft insurance. Insurance representatives interviewed for this article say most of the products have only been recently launched, and therefore not enough time has elapsed to fully evaluate claims. “All I can say is it looks like it will be a coverage that can be used,” notes Campbell. “We will certainly know a lot more in the next few years.”

Dominion of Canada’s Murphy says “we have had no claims; we would expect to have very few claims.” BCAA’s Hanson, whose product has been in the market for over two years now, says claims experience “has been relatively static. It is not like water damage or anything like that.”

U.S. estimates confirm the absence of any projected spike in claims frequency or severity for identity theft insurance. According to the Insurance Information Institute, reimbursement for financial fraud accounted for just 0.04% of total payouts on homeowners’ insurance, as reported in Forbes magazine.

Insurers note they are also helping consumers with prevention and information tips to keep them up to date as identity thieves become more sophisticated. ING’s Ross cites a joint survey from AOL and the National Cyber Security Alliance in the U.S. that showed one in four Americans were targets of scam e-mail attacks. The survey also showed that more than 70% of people who received such scam e-mails thought they were from legitimate companies, putting them at high risk of losing sensitive personal information to identity thieves.

“We think there is an education process that we can embed as part of our value proposition to customers,” Ross concludes. “Some of the independent surveys done in the last couple of years show consumers are becoming more aware, but they are not necessarily aware of all the various threats posed by identity theft. As the issue of identity theft evolves, there is the potential for this product to evolve.”