The 'cyber' risks of outsourcing: outsourcing does not mean out of mind when it comes to cyberliabilities. Instead, companies with databases full of client and employee information should be even more wary

Risk & Insurance, Sept 1, 2007 by Brian Branner, Emily Freeman

Further, the customer should negotiate with vendors on indemnification, limitation of liability provisions, and warranties and representations, not just on performance risk but on security and confidentiality risk as well.

Finally, customers should require that their vendors have the appropriate insurance to respond to performance failures and security/privacy breaches. Simply asking for "technology errors and omissions" or "professional liability" will not guarantee that the vendor has strong and affirmative coverage for data protection.

Instead, specify the types of risks: for example, identity theft, unauthorized access and use, transmission of malicious code, and insiders as perpetrators. The reason is that there is no standardized coverage for data-protection risks within professional liability policies. Coverage can range from none to poor, adequate or superior. Limits requirements should start at $1 million, but be increased based upon the aggregate exposure and operations of the vendor. Any waiver of insurance requirements should be escalated to senior levels and granted only after thorough consideration, given the risks mentioned above.

As customers cannot rely on the insurance and indemnification provided by their vendors, they should also have their own insurance in place to address their own direct risks and vicarious liability, including the possibility that the vendor becomes insolvent. Traditional commercial general liability or crime insurance will not cover the consequential financial loss associated with data crimes.

In fact, over the last five years, the general liability policy has restricted coverage with respect to Internet activities. Crime coverage was really designed to cover theft of tangible property, money and securities where the perpetrator and the intent of the perpetrator were manifest and known.

PRODUCT EVOLUTIONS

Traditional insurance is not addressing growing data-protection risks in the age of network-based technology. Fortunately, insurance products, commonly called cyberinsurance, have evolved to address data-protection risks. The term "cyber" is really a bit of a misnomer, as these policies need to address not only a breach in a computer system, but also a lost laptop/personal digital assistant or theft of hard-copy data.

The better policies provide broad coverage for security and privacy liability, including a sublimit for regulatory defense and notification costs. There are a number of insurers that offer policy forms with widely varying scope, claims management approach and exclusions. Clients should consider underwriters who provide strong, affirmative coverage that provides a balanced approach to management of claims and defense.

Coverage should include areas such as breaches of confidential employee information, data theft following the theft of a mobile device, insiders as perpetrators and vicarious liability for a breach of security by a vendor. The policies should also address privacy violations associated with collection, notice, use, disclosure and correction of personal information about individuals. For global companies, privacy risk is considerably greater in some countries and regions, such as Canada and the European Union.


 


Content provided in partnership with Thompson Gale
