Cyber crime: Litigation, liability and reputational risk
Size and strength do not offer immunity to the latest security threats.
Major organisations including Sony, Citigroup, Google, Mastercard, Dell Australia and RSA have all been victims of cyber crime in recent years, experiencing significant data and security breaches which have impacted millions of customers.
Bank accounts, medical records and contact information are among the data which has been breached, exposing these companies to litigation and liability, significant financial recovery costs, loss of future business and
Predominantly, these data breaches are the result of intentional attacks by criminal hackers; however, the theft of hardware, such as desktop computers and backup tapes, has also resulted in data loss. Accidental information exposure has also made headlines, with organisations misplacing or losing data on laptops and failing to erase hard drives.
While the media spotlight has focused on data breaches within large organisations, any business that keeps sensitive data on employees, customers, patients, students, partners or other third parties can be liable for damages if that information is breached, regardless of the reason.
"Protecting data is no longer an IT responsibility - it is the responsibility of the CEO and CFO," says Kevin P. Kalinich, Global Practice Leader - Cyber Insurance, Aon Risk Solutions, Chicago.
Domestically, the financial implications of data breaches have grown in each of the past three years. The Cost of Data Breach report from security company Symantec and the Ponemon Institute found that 22 Australian companies from ten different sectors suffered significant financial losses from data breaches in 2011. Findings from the study identified lost or stolen devices as a common factor in data breaches. Of the companies surveyed, 36 per cent attributed their data breaches to third parties, including outsourcers, Cloud providers and
These findings were echoed by Australian Privacy Commissioner Timothy Pilgrim, who in April this year said there is evidence to suggest that data breaches are on the rise.
"The Office of the Australian Information Commissioner was notified of 56 data breaches in the last financial year, equivalent to a data breach a week. This is up from 44 in the previous year, an increase of 27 per cent," Mr Pilgrim said.
New legislation is currently being enacted across the United States, Europe and the UK and will shortly reach Australia. The legislation will require organisations affected by a data breach to contact each individual affected. The magnitude of such a task, should a wide-scale breach occur, would cause many organisations to falter, exposing them to severe penalties.
Traditional crime or civil liability insurance policies may not extend to cover cyber-specific breaches.
In Australia, there are a number of cyber-security policies available, covering a wide range of scenarios. A 'cybersecurity' policy can complement an organisation's risk management strategy by transferring a proportion of the financial risk from the business to the insurer when a privacy breach occurs.
With the proposed Australian Privacy Principles in mind, Aon strongly recommends cover for the following:
- liability for a privacy breach due to the release or display of any
- liability for a privacy breach due to an alleged failure to prevent unauthorised access to a computer
- civil fines or civil penalties which the business or an individual is ordered to pay as a result of a privacy or
- customer notification expenses (e.g. mail-outs), customer support and credit monitoring
- the loss of data and the cost of restoring it
- business interruption expenses in the event of a breach.
Each policy must be closely scrutinised, however, to ensure there are no qualifications or exclusions which would effectively remove cover should a breach occur in specified circumstances. For example, insurers may limit cover to a computer connected to a network. This would effectively exclude cover for laptops, tablets and hand-held devices, all of which could contain
"Common misconceptions exist within organisations who don't believe they could be a target for data breaches," says Stephen Trickey, National Leader, Aon Financial Services Group in
"Certain organisations mistakenly believe that because they have a firewall, a quality IT team, or antivirus protection, they will not be targeted. Many organisations believe only online retailers or specific industries such as data storage or financial institutions are vulnerable to data breaches."
"Hackers do not discriminate; they are continually scanning networks for vulnerabilities without a specific target," says Trickey.
"An important message for all corporations to heed is insurance costs will increase exponentially following a breach; retrospective coverage is
Aon has a range of specialist personnel who can assist you to design, negotiate and place a cyber-security policy which, as far as possible, appropriately covers you against a breach of the Australian Privacy Principles and other privacy legislation, codes or standards due to the electronic disclosure of, or electronic access to, personal information.