Financial Services Group

Under lock and key: risk transfer solutions to limit liability for security and privacy data breaches

For more information

National
Senior Vice President, National Director, 416.868.2479, firstname.lastname@example.org
David A. Griffiths, Senior Vice President, National Consulting Director, 416.868.5554, email@example.com
Mark LeSaevage, Vice President, 416.868.5795, firstname.lastname@example.org

Québec
Bernard Dupré, Vice President, 514.840.7783, email@example.com

Prairies
Kathleen Cook, Prairie Region FSG Leader, 403.267.7878, firstname.lastname@example.org

Senior Vice President, 604.443.3353, email@example.com

Data security increasingly at risk

There isn’t a day that goes by without news of a privacy breach in some part of the world. In fact, a whole cottage industry has evolved, whereby hundreds of websites regularly monitor data security breaches. Canada has not been immune to the privacy breach phenomenon, as evidenced by the fact that such breaches have more than doubled in this country since 2008, according to a June 2008 survey conducted by CA Canada. Most recently, the Heartland Payment Systems breach has affected over 140 banks and credit unions, including many from Canada. Companies and government agencies that have experienced privacy breaches over the past two years include Canada Post, Bell Canada, Passport Canada, The Canadian Imperial Bank of Commerce, Air Canada, The Canadian Bar Association, DaimlerChrysler Financial Services Canada Inc., Club Monaco, and of course Winners/HomeSense.

Current privacy regulations

Private-sector Canadian companies that deal with customer information must abide by the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) or equivalent provincial legislation. In accordance with these statutes, businesses must ensure that safeguards are implemented to protect personal information against loss or theft, as well as unauthorized use, distribution and disclosure. The public sector and governments are regulated by the Privacy Act, and there are a number of other statutes that deal specifically with the treatment of personal information by health care providers.

Enforcement of regulations

Provincial and federal privacy commissioners, who oversee the application of privacy legislation, have the right to conduct investigations of alleged violations of privacy laws, which can be quite costly as well as embarrassing. They also have the right to refer non-compliance to the courts, which have wide powers to award damages for privacy breaches.

Additional legislation

Industry Canada has tabled a proposal that will amend PIPEDA to provide for a national mandatory breach notification law, and there are amendments in the works for many existing statutes, setting out data management standards and spelling out the consequences of fraudulent procurement of personal information.

Risks to data security

Businesses are under increasing pressure to put data online in order to serve clients. This has resulted in a worldwide technology and communications infrastructure that is vulnerable to both internal and external risks.

With that in mind, companies should take a detailed look at their data security risk management practices and strategies as they pertain to sensitive, confidential or proprietary personal identifiable information from customers, business partners, prospects or employees in the following areas:

• collection
• processing
• transfer
• distribution
• aggregation
• use
• storage
• destruction

It is safe to say that most companies engage in some or all of these activities, and thus are at risk for liability stemming from data security and privacy breaches.

Lawsuits and third-party liability

It should come as no surprise that most of the litigious activity involving data security breaches is initiated out of the United States; however, Canadians are catching on quickly. Class action lawsuits were brought against Winners and HomeSense in almost every Canadian province for damages arising out of the TJX security breach. The costs in connection with the potential liability to third parties for privacy and data breaches due to corporate negligence are a growing concern.

First-party losses

Even if a security breach does not result in a lawsuit or regulatory investigation, the first-party costs associated with internal investigations, public and investor damage control, discounted services and lost employee productivity can be crippling. Ponemon Institute research indicates that the cost of a data breach is now over $200 per compromised customer record.

Preparing for increased regulation and

It is clear that the public is pushing for greater liability for those responsible for security and privacy breaches. As a result, entities that deal with personal, identifiable information should prepare themselves for the prospect of increased regulation and enforcement by government, as well as enforcement through private sector

It is very important for these entities to review and audit their existing insurance policies to determine what, if any, coverage they have for first and third party claims arising out of security and

Risk transfer solutions

Commercial general liability policies may appear to provide some coverage for third-party losses; however, U.S. courts have recently ruled that data is not considered tangible property under certain CGL policies and, as a result, have excluded coverage.

Professional liability policies may cover a number of security and privacy breach exposures faced by insureds while rendering professional services to their clients/customers, but may not respond to claims for breaches that arise outside of that arena.

Fidelity, employment related practices, data processing, computer fraud, advertising and kidnap and ransom policies are generally not intended to cover privacy and data breaches, and there are significant coverage gaps in each.

Privacy and data loss liability coverage

A number of insurance carriers have developed specific privacy and data loss liability coverage products that provide coverage for businesses when data in their care and control is compromised.

For the fullest coverage, it is important to determine whether these policies will respond to claims from employees, customers and corporate clients, as well as from the insured itself for damages, defense costs, administrative expenses, notification costs, crisis expenses and credit monitoring expenses.

Conclusion

In determining the most appropriate risk transfer solutions for companies seeking to limit their liability for security and privacy data breaches, it is highly recommended that advice be procured from an experienced insurance professional. Only then can a decision be made as to whether an alteration and/or endorsement to an existing insurance product, or the placement of a specialized stand-alone policy, is most appropriate from a coverage and cost perspective.

Brian Rosenbaum LL.B
Aon Financial Services Group
Director, Legal and Research Practice

This publication contains general information only and is intended to provide an overview of legal, liability and insurance issues. The information is not intended to constitute legal or other professional advice.