Friday, 8 June 2012
German regulators get tough on cyber data breaches but risk transfer options are limited
German companies that have lost clients’ data due to cyber attacks or an internal error would be well advised to take legal obligations seriously when it comes to informing customers about the loss as regulators are upping their game, experts warn.
“Recent data incidents indicate that regulators adopt a hard line when it comes to prosecution,” said Jens Krickhahn, Underwriting Manager, Technology, Media and Telecommunications at the German subsidiary of UK-based insurer Hiscox.
Speaking at a Lloyd’s cyber risk conference in Frankfurt he said that federal and state data protection commissioners take data loss incidents more seriously than five to six years ago.
This is mainly due to a change in the German Federal Data Protection Act (Bundesdatenschutzgesetz) that was introduced in 2009, said Mr Krickhahn. Now if a company discovers a data breach it has to inform not only the authorities but the individual clients whose data has been lost.
“The cost of sending a letter to an individual involved in the data breach is not enormous,” said Simon Milner, Partner at London-based insurance broker JLT Specialty. “But when you have 25 million records that have been compromised, that is quite a lot of notification costs.”
When the amount of data lost is considerable, the company also has to report the incident to the press. “Some lawyers advise big companies that handle lots of data to book a double page in the Frankfurter Allgemeine Zeitung or Sueddeutsche Zeitung in advance,” said Mr Krickhahn.
The company will also be held liable if a data loss is caused by the actions of an external service provider. “The fact that a company outsourced the handling of clients’ data is not an excuse,” he said. Since the company is the contractual partner of the client, it has the responsibility to make sure that the data is secure.
According to the Data Protection Act, breaches can be punished as a regulatory offence with considerable fines of between €50,000 and €300,000.
“Germany is the only country which has such extensive information obligations,” said Mr Krickhahn. In other European countries only companies from the telecommunication industry are forced by law to notify customers that their data has been lost. “In Germany every company has to inform clients and regulators, regardless of which industry sector they belong to,” he said.
The country has rushed ahead of a planned European Commission directive for regulating the processing and movement of personal data that will tighten laws across the European Union. The directive is still in its early stages, but according to the draft companies will have to notify authorities of a data breach within 24 hours of occurrence, or face a fine of up to 2% of their worldwide turnover.
Mr Krickhahn believes that the 24-hour deadline is too tight. “It is not feasible,” he said. “Companies usually do not know by then that a data breach has happened.” According to a study by PricewaterhouseCoopers, it takes on average 156 days between a data law violation and its discovery. “And even if a company finds out about the violation very quickly, it has to clarify with forensic experts what exactly has happened before informing the authorities,” said Mr Krickhahn.
In Germany, and likely across Europe following the forthcoming EC directive, regulatory authorities will dish out punishment commensurate with how each company handles a data breach.
“The reaction of the data protection authority depends on how you handle the incident,” Mr Krickhahn told the risk managers attending the Frankfurt conference. In Germany data protection authorities can, in some circumstances, be regarded as friends of the companies and they also provide advice to enterprises.
“If a company complies with its information duties, hires experts to analyse the data breach and cooperates with the authorities, nothing serious will happen,” he said. However, if a company does not do that, the fine of up to €300,000 can be increased by penalties for additional administrative offences. “Lately there was an incident where a company had to pay €1.2m because it handled the data security violation badly,” said Mr Krickhahn.
Claims can also be directed against the management of a company. “Managing directors and board members have to take care of IT security and the handling of clients’ data,” he said. “If they neglect these duties they can be made personally liable.” According to Mr Krickhahn’s experience most companies have acknowledged this risk by now. “In a lot of companies data protection is located at the top of an enterprise’s hierarchy.”
However, legal considerations are not the only concern following a data loss. Auditors may refuse to issue audit certificates and the company may encounter problems with its ratings if the data loss reveals problems with IT security.
The company may also suffer business interruption when its server infrastructure breaks down due to a hacker attack, or may be blackmailed by criminals who have stolen data. Most companies eventually bear the costs of forensic experts, specialised lawyers and public relations teams to help limit damage to reputation. In addition, clients whose data has been lost may claim compensation. According to the research firm Ponemon Institute, the average cost of a data loss incident was between €3.4m and €3.6m in 2010.
Companies such as hotels or retailers, which handle credit card data of clients, may also face high claims from the credit card industry if data is stolen and used by criminals to steal money.
“The credit card industry has special software tools with which they can easily find out which company has been the source of the data loss,” said Mr Krickhahn. “It will demand that the enterprise pays for the damage.”
Usually the credit card industry has contractual liability agreements requiring certain companies to bear the costs of the necessary replacement of any cards, which can be up to €25 per card. If millions of cards are affected this can become quite costly. “With an ordinary liability insurance policy you won’t get far here,” said Mr Krickhahn. This is because such policies often only cover legal liability claims, not contractual ones.
In addition, the credit card industry will claim the amounts stolen from its clients back from the company from which the data leaked. If the organisation violated the so-called Payment Card Industry Data Security Standard (PCI DSS), additional fines may follow. “They specify how companies have to handle credit card data, such as how it has to be encrypted while being transported electronically and how it has to be hosted,” he said. “If standards are not met, the credit card industry can impose penalties.”
The credit card industry also has tough guidelines when it comes to the handling of data losses. If data for more than 10,000 credit card accounts is breached the responsible company must call in external forensic experts to analyse the data breach and submit a report within seven days. The whole incident must be settled within 90 days, including financial compensation.
“The problem is that there are only five or six companies in Germany that specialise in forensic data analysis,” said Mr Krickhahn. There is the danger that they will be already occupied with other claims. The same is true for lawyers that specialise in data loss. “In Germany there are only ten to fifteen of them,” said Mr Krickhahn.
Thus it is important that the costs of forensic experts and lawyers are covered when companies buy specialised cyber risk insurance, and that the insurer provides access to these specialists. “It is crucial that insurers have service-level agreements in place to ensure that 24 hours after a claim notification the experts are on-site,” said Mr Krickhahn.
The market for cover against cyber risks is still very small in Germany. “There are very few insurers in Germany who deal with cyber risks,” said Mr Krickhahn. Ordinary liability or business interruption policies usually do not include such risks.
“Companies believe that the insurance they already have should afford some protection for the cyber loss, but they do not do so,” said JLT’s Mr Milner. “When policies that protect property and liability were written years ago they were not intended to cover internet or computing liability or risk sustained from the loss of data.” Most policies only cover physical damage such as losses from fire, lightning or windstorm, and bodily injuries. But losses arising from cyber risks are often purely financial.
Professional indemnity policies are the exception. “Those who manufacture software probably purchase such a professional indemnity policy which may give them some negligence cover in the event of the breach,” said Mr Milner. However, other companies have to buy special cyber risk insurance.
To date only a few insurers, including Hiscox and Allianz, have developed concepts for special cyber insurances dedicated to the German market. As a consequence capacity in the German market is very limited.
“I would be glad if there were more insurers in Germany offering cyber risk policies, not only because we would have more capacity then,” said the broker. “Competition is good for business.” If more risk carriers were active in the market, more innovative cover would evolve for cyber risk insurance.
To date the policies in the German market are a mix of first party cover and third party liability. In most cases the concepts include cover for first party losses such as business interruption and other costs that may arise in connection with a data incident, such as expenses for forensic experts, lawyers and, where credit card data has been stolen, credit monitoring. Many insurers pay for preventive crisis management measures as well.
“Also legal information duties vis-à-vis the data owner and the authorities are insured through these concepts, as well as the cost of research for the clients whose data has been lost,” said Mr Krickhahn. On the third party liability side, contractual liability agreements with credit card companies and banks can be covered in most cases.
Mr Krickhahn stressed buyers should ensure that financial losses are included in the cyber risk policy as well as cover for immaterial damages such as compensation for pain and suffering. “You don’t know how much the loss of data will hurt clients,” he said. “Perhaps they cannot sleep anymore and claim compensation for pain and suffering, or are bullied because their data is being published and it has become known that they have a disease or something like that.”
The demand for cyber risk cover is increasing, said Mr Krickhahn. “Looking at Germany we have seen an increase in submissions from the hotel and leisure industry,” he said. “They realise that they have issues with PCI standards and contractual liability.” In addition, companies involved with a lot of e-commerce are buying protection.
Bigger companies tend to have more problems buying cyber risk cover than smaller ones. “The difficulty is that this kind of protection is a completely new product in the insurance industry,” said Mr Krickhahn. Normally bigger companies have agreed their current budgets based on the costs they had the year before. When risk managers want to buy additional protection they have to go to the management board to get approval. “So it takes a bit longer for bigger companies to get the cover,” he said. “Smaller companies usually buy much faster.”
However, not all risk managers are happy with the standalone cover currently offered in the market. Some think it would be better to include cyber risks in existing business interruption and liability policies and criticise insurers for needing vast amounts of information in order to provide cover.
Mr Krickhahn argued that the information requirements are actually not very high. “There are questionnaires between two and three pages long in which some things about the security are being asked, like the handling of data, what kind of data security system is in place, if there are special directives and if there are administrative rights for certain groups of people,” he said.
However, when companies handle a lot of credit card data, a more profound risk assessment may be necessary with external experts examining the situation on-site, he conceded.