Mega-breaches, including the recent hacking attack on Anthem Inc., always result in an uptick of interest in cyber-insurance; but determining how much coverage to buy is an ongoing challenge, says data privacy attorney Marc Voses.
"Every single industry after an event like this sees an uptick in the interest in purchasing cyber- insurance," says Voses, a partner at law firm Kaufman Dolowich & Voluck, LLP. "Over the years since cyber-insurance has been made available, the limits [for dollar value of coverage] ... are increasing at an exponential rate."
After the Target data breach, "the retail industry went streaming into the brokers wanting to find out more about the products and shift more risk onto the insurance carriers in the event of a data breach," Voses says.
Organizations considering cyber-insurance need to ponder how much is enough to offset the potential costs involved not only with breach response expenses, such as notification, but also potential lawsuits and government fines, he says in an interview with Information Security Media Group.
In the aftermath of the Anthem incident, several class action lawsuits already have been filed, including a suit seeking $5 billion that was filed in California just one day after Anthem announced the breach, he notes.
For Home Depot, breach-related expenses are estimated at about $70 million so far, while the company reportedly had cyber-insurance coverage for $100 million, Voses says. In the Target breach, expenses are estimated at about $150 million, which apparently exceeds the company's cyber-insurance coverage, which was reportedly only $40 million, he notes.
In this interview, Voses also discusses:
- Possible regulatory investigations and other government actions that might result from the Anthem breach;
- What the HIPAA security rule says about the use of data encryption to prevent breaches;
- The key privacy and other lessons that are emerging from the Anthem breach so far.
Voses is a partner at the New York City office of national law firm Kaufman Dolowich & Voluck, representing domestic and international insurers and reinsurers, and their insureds, in coverage and liability disputes. He is a litigator who has been called upon to address complex coverage and liability issues involving cyber, data and privacy exposures, management and professional liabilities, environmental liabilities and commercial general liability matters.