Data breach notifications: Dispelling popular myths

Notification costs are one of the biggest issues facing organisations when looking to insure against the impacts of a data breach, yet for many the issue is a complex and confusing one.

The big question many businesses are asking is who is ultimately responsible for notification costs in a breach where customer data has been accessed?
 
Let's start by defining what the law around notification is. Regulation varies from region to region, but broadly speaking, notification laws are those that require an entity which has suffered a data breach to notify the affected individuals (and often a regulator or other relevant parties) about the breach, usually within a set time period.
 
The first such law was enacted in California in 2002, and most US states have since followed with laws of their own. Many other regions, Europe among them, are still catching up, both in implementing such laws and in the size of the fines organisations face should they fail to comply with their local regulation.
 
Simply put, if you are breached, you have to tell every party whose data has been accessed or stolen (subject to whatever thresholds and exemptions the applicable law sets), and each notification comes at a price. For a retailer holding millions of customer email addresses or card details, you can see how quickly the cost mounts up.
 
With many organisations involved in the chain of a business transaction, the liability for notification costs can vary. In a typical consumer-to-vendor card payment, the card issuer, the merchant's bank (the acquirer) and the merchant operating the point-of-sale card reader all share responsibility for keeping the details of the transaction secure.
 
How that liability is apportioned then depends on how secure each party in the chain is. If the card issuer has given the consumer a chip card, which the consumer is using, yet the retailer still processes it through an out-of-date magnetic stripe reader, then in the event of a breach the liability would fall on the retailer, as the weakest link in the chain. Note that the statutory duty to notify still sits with the entity that suffered the breach; what the liability rules between the parties determine is who ultimately bears the cost.
 
This liability shift is about to become more relevant to any organisation taking card payments. From 1 October 2015 the major card networks in the US shift liability for counterfeit card-present fraud to whichever party, merchant or issuer, has not adopted EMV (Europay, Mastercard and Visa) chip technology, bringing the US into line with the chip cards already standard across most of Europe. Merchants are not legally obliged to install chip-capable readers, but after this date those who have not done so carry the fraud losses on counterfeit transactions that a chip reader would have prevented, and with them the knock-on costs such as notifications.
 
So what does this mean from an insurance perspective? One of the key points organisations need to consider when buying cyber insurance is the notification limits offered in the coverage. Many policies cap either the number of individuals whose notification they will pay for or the total notification spend. It is important to make sure your broker understands how many notifications you would realistically face should a breach occur, and where any additional liabilities may arise from the state of your own network security and payment systems.

A good cyber policy will often include some form of breach response service as well: a third party specialising in the services needed as soon as a breach is identified, such as IT forensics and credit or identity monitoring for affected individuals. Containing a breach that is still in progress limits the number of records exposed, and therefore the number of notifications, and the response team can also advise on who is likely to be liable for the notification costs. The period immediately after a breach is the crucial time to be proactive in cleaning up, and insurers look favourably on this when it comes to paying out a claim.
 
Notification costs can be among the most expensive elements of a breach, so it is important that your organisation understands where it is exposed, what it is doing to prevent a breach, and what the plan of action is should one occur.
 
 
 Jack Elliott-Frey is a cyber broker with Safeonline LLP.