A New Product: A "Security And Privacy Policy"

Editor: You have long been a pioneer in structuring insurance products for emerging technologies and newly emerging risks. Please tell our readers about some of the early products you created to protect against risks from Public Key Infrastructure and risks from computer intrusion.

Economidis: I've done a lot of work in technology. One of the policies I put together was a warranty insurance program for the first Public Key Infrastructure (PKI) signatures (e-signatures) that were issued. A PKI certificate was accompanied by a guarantee from the company issuing it to the effect that should a certificate holder incur a financial loss in using it, they would be indemnified for that loss. Behind the scenes, that company's obligations under that guarantee were insured by an insurance company on a warranty indemnification basis. Designing the policy required an understanding of PKI - how it worked, what the risks were, where the failure points were and a calculation of the odds of getting a claim for a financial loss arising out of the use of a PKI certificate.

I was also part of a team that introduced to market the first admitted insurance policy providing first-party coverage for computer intrusion. First party coverage would pay the insured's direct loss resulting from a computer intrusion. Previously there were only third-party policies that would provide coverage for legal liabilities for damages to others arising out of computer intrusion.

Editor: Why did AIG recognize early on the need to issue commercial policies for protecting businesses from security and privacy violations?

Economidis: The need arose during the dot.com era when AIG executives, notably Ty Sagalow, began to realize that there was a disconnect between the insurance that was being provided and the direction that businesses were going. Traditional insurance was built around physical perils - direct physical loss and damage to tangible property. But more and more business was being conducted electronically. There was a whole new set of perils that weren't contemplated in traditional policy forms. Clearly, traditional physical perils were not going away, but there was an obvious need to cover risks that were not well covered by traditional insurance policies.

Editor: What are the dangers and potential liabilities companies face when handling private information of clients, vendors and employees?

Economidis: There are many dangers, most notably the wrongful disclosure of privileged information. More than ever businesses have a duty to protect information in their possession. We see with more frequency disclosure incidents that are resulting in either claims being made against the company for the disclosure of that information or at best an embarrassing, high profile public relations problem when this information has been disclosed. In many states companies are required to notify consumers when there has been a release of this information. In complying with mandatory consumer notification laws, companies get into a very precarious public relations issue in trying to explain what happened and why. We see consumer groups and others making claims against entities for the resulting release of the information.

Editor: What are the usual data sources that persons practicing identity theft customarily prey upon?

Economidis: Identity thieves most often purchase the information from brokers that specialize in the trade of stolen personal identity information. There was a recent article in The New York Times called "Countless Dens of Uncatchable Thieves." It talked about the problems with the trade in stolen personal identity information. One of the examples cited told how you could buy all of the pertinent account information for a credit union account with a $31,000 balance - the social security number, the name on the account, the account number, the balance amount - from a broker who specializes in the sale of stolen consumer identification. That information was for sale for $400. One of the things that this article highlighted was that the brokers that trade in this information are located in Eastern Europe and Russia where they are very hard to track down and prosecute. They trade in this information over the Internet in an open marketplace.

There are groups of people who specialize in collecting information and selling it to the brokers. One example is a group that was paying bank workers bounties to turn over account information. In a case reported by the Associated Press, one ring in North Jersey was paying bank workers only $10 per account. When the authorities finally broke up the ring, they discovered a database of 700,000 records that had been put together over a number of years. So, one principal source of stolen identity information is employees that work for banks or other businesses who are bribed to turn over the information.

The second source for identity theft comes in the form of inadvertent or wrongful disclosures by other entities. A recent example includes a large credit organization that was inadvertently selling credit information to identity thieves. The identity thieves posed as legitimate small businesses, setting up accounts with the credit organization to purchase ordinary credit information.

A third source is computer hackers. This is how Paris Hilton's information was stolen by a hacker who published her cell phone number and her address book on the Internet. There are computer hackers who make their money hacking into large databases, stealing the information and then selling it to brokers who will in turn sell it to those who will engage in identity theft. So, there is a stream of commerce with the specialization of labor fueling a whole industry of identity theft and fraud.

In addition to the personally identifiable information, there is a lot of trade in the theft of stolen credit card information. There are some very discernible damages arising out of the theft of credit card information. In one example, a large retailer based in the northeast U.S., was responsible for a large release of credit card information several years ago. According to USA Today , 14 banks and credit unions are making claims against that retailer for the cost of re-issuing credit and debit cards as well as for the cost of increased fraud using those credit and debit card numbers after they were released. The retailer has now made charges to its financial statements in the amount of $9.5 million for the cost of legal liability as well as the cost of defending those claims.

And then there is dumpster diving. There are people who have found that a great way to get information is to go through discarded records in dumpsters. The scariest thing that people should be aware of is that once this information gets out, there is a refined black market of how this information is traded.

Editor: Is there a body of laws that would hold these people culpable?

Economidis: Absolutely. Everybody in this stream of commerce is engaged in some sort of illegal behavior. The problem is trying to catch them. Unless you happen to break up an identity theft ring that has already compiled 700,000 records, it is very hard to identify and prosecute employees that may write down some account information in the normal course of their job and then leave the premises and turn it over to somebody else for illicit purposes.

Editor: What protections against privacy violations and data theft can commercial general liability and professional liability insurance usually offer their insureds?

Economidis: The answer is "not much." Commercial general liability (CGL) policies provide two types of coverage. The first is bodily injury and property damage. Information is intangible and hence is not covered. The second area of coverage is personal and advertising injury, providing coverage for an insured's legal liability for specific perils such as libel, slander and copyright infringement. It does provide coverage for invasion of privacy, but only invasion of privacy in published materials. Other types of invasion of privacy which are outside the scope of the CGL include wrongful disclosure, the theft of records, not maintaining proper computer security, etc.

Professional liability insurance also does not provide much coverage, depending on the exact profession. It is important to note that the policy only provides coverage for professional services as described in the policy, unlike the CGL policy which applies to all operations of the insured. Courts differentiate when they determine if there is coverage under a professional liability policy according to the intellectual ability of the professional to provide services in contrast with "ordinary business activities." Courts are likely to rule that coverage applies to acts arising from that intellectual ability but not for acts involved in ordinary business activities. For instance, architects have an intellectual ability to design and draw plans for buildings. They also do a lot of other business activities like run a premise, hire employees and operate a computer system. While they may be storing business or personal information on that computer system, it is unlikely that a court would find claims arising from a failure of computer security to be covered under an architect's professional liability policy.

Beyond that there are also exclusions in professional liability policies that may disclaim coverage. First, more policies have computer attack exclusions. Second, the vast majority have dishonest/fraudulent acts exclusions, which apply to the insured as well as the insured's employees. Most computer security incidents, about 60%, arise from acts by insiders.

Editor: How does AIG's "Security and Privacy Policy" offer greater protection?

Economidis: Security and Privacy coverage is specifically written for the type of issues we are talking about. It provides direct and unambiguous coverage for disclosures of information resulting from a failure of computer security, the wrongful disclosure of information by the insured or the failure to protect information by the insured. If an entity is worried about its legal liability as a result of the consumer or business information in its possession, this insurance provides affirmative coverage for those issues, which really is not provided by any other policy.

Editor: Are there some exclusions?

Economidis: Yes. There is a dishonest acts exclusion. However, that exclusion does not apply to the dishonest acts of the employees of the insured unless the officers or directors of the insured had knowledge or participated in the employee's wrongful act. The wrongful collection of personal information by the insured is also excluded. The focus of coverage is wrongful disclosure .

Editor: Does this protection only protect against third party liability?

Economidis: That is correct.

Editor: Which industries need this blanket type protection?

Economidis: Just about everybody needs it. First, financial institutions should have it due to the amount of third party information that they hold. Companies in the healthcare business should be considering this coverage since they have very personal health-related information of individuals as well as a great deal of financial information. Retailers, or anybody that maintains credit card information, should be considering this coverage as well. Finally, any company with employees should think about purchasing coverage. If you have employees, you have their personally identifiable information, and you may be legally liable for any release of that information. Those four groups comprise just about everybody.

Editor: How do you underwrite your exposure in view of the fact that there is so little experience history with this kind of policy?

Economidis: First, we start by identifying the better than average risk in the market and in doing so, we measure two types of controls. The first type is computer-security controls. We have a methodology for checking what controls should be in place to prevent a computer hacking intrusion or computer security issue that would result in the disclosure of information.

The second type is controls over the soft exposures of handling personal information. Soft exposures are employee misuse or the inadvertent disclosure of information. We look for a good corporate privacy policy because it provides the lynchpin of detailing to the organization what information is held, where it is held, who is responsible for it, and how that information will be controlled. Then we look for someone who is responsible for enforcing that policy. We want to see a chief privacy officer or a C-level officer who has been given affirmative responsibility for maintaining the policy. We also consider factors that confirm that the controls in place are working - audits or internal checks - to ensure that the policy is being conformed to. Additionally, we assess the potential insured's hiring practices to affirm that the vendors or other companies they do business with have adequate privacy policies and security controls.

Published June 1, 2006.