The Far-Reaching Effects of a Data Breach

By Shawn Dougherty January 20, 2014

Shawn DoughertyThe rapid growth of technology has created new threats for businesses around the world and made it easier than ever to lose money and damage a firm’s brand or reputation. Each week, our new Cyber Monday series will analyze these risks and discuss solutions designed to keep companies safe. This week we discuss the liabilities a company may face after a data breach.

During the holiday season, several large retailers revealed that they had suffered data breaches. And if the reports making the news late last week hold true, the impact of those breaches may be worse and far more reaching than originally thought.

How much will it cost those companies to address and recover from the breaches?

The answer depends not just on how much information was stolen but on how many lawsuits will arrive on their doorsteps. Two years ago, a federal appellate court ruled that DSW (Designer Shoe Warehouse) was entitled to more than $6.8 million in losses and interest from its insurer, after information from more than 1.4 million credit cards was stolen from the retailer in 2005. In 2007, information from more than 45 million credit card accounts was stolen from T.J.Maxx. The company spent $256 million to fix its computer system and deal with lawsuits, investigations, and other claims stemming from the breach.

Target — whose recent data breach may have affected as many as 110 million people — has already begun legal damage control. The company has promised that anyone whose information was stolen won’t have to pay for fraudulent charges and will receive a year of free credit report monitoring. But will that be enough? How can a company protect itself from damages and legal fees after a data breach?

Many insurers offer a solid option with cyber-liability policies that offer security breach liability coverage. This coverage protects the insured from the legal costs and damages of data breaches that reveal personal information and from viruses they might inadvertently send to customers. As I mentioned in last week’s blog post, this insurance would also cover information that people steal the old-fashioned way, such as taking paper files containing confidential personally identifiable information (PII) or protected health information (PHI) from an office.

Of course, a company will also likely face a number of other expenses after a data breach. Security breach expense coverage provides reimbursement for many of those costs, including notifying customers, running a call center, and providing credit report monitoring.

To learn more about these policies or other cyber risks, e-mail me at sdougherty@iso.com. Also, make sure to follow me on Twitter @doughertyshawn.

Stay tuned for the next blog post in our Cyber Monday Series.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.