The Business of a Data Breach

Colleges and universities are learning that nobody can prevent a data breach from ever happening. All they can do is really manage the risk. At leading institutions such as Western Michigan U that translates to IT people learning how to work with risk managers.

When a data breach involving student employee information occurred at Western Michigan University in Kalamazoo in mid-December 2009, a rather typical response followed. The university contracted with ID Experts, a vendor that specializes in handling the mop-up work. That included notifying by letter those people who were affected to let them know about the incident and providing a year-long membership in an identity theft protection and restoration program with a toll-free number, a special Web site providing updates for those affected, 12 months of credit monitoring, fraud restoration services, and a $30,000 insurance reimbursement component if anyone actually experienced identity theft as a result of the incident.

Frequently, a university suffering a security breach will also issue a press release outlining the basics of what happened and explaining how it was responding; that involves the work of PR specialists. Oftentimes an attorney with special cyber-security experience will be brought in to help the institution understand the potential legal ramifications. And the university's incident response team may bring in a forensics expert to examine the computers that exposed the data to understand how the security incident occurred in the first place.

Each one of those stages of data breach response costs money. According to Nicholas Economidis, who doesn't necessarily know the particulars of Western Michigan's incident but who has made a study of the subject, the mailing of the notification letters probably cost about a dollar a letter. Credit monitoring costs between $12 and $15 per person. A lawyer called in for advising the school will run "several thousand dollars." A good public relations firm to handle the PR aspects of the incident "isn't cheap." "And that's even before you get sued," added Economidis. "That's just helping you through the notification process." In other words, the final tally is significant, even for a small incident.

Economidis is an underwriter at Beazley Group, a specialty insurer whose product lines include one specifically to cover data breaches. If a client with this kind of insurance incurs expenses related to a data breach, after the deductible is reached--say, $25,000--Beazley would pay the rest.

According to Timothy Kellogg, the manager of business services for Western Michigan U, that particular incident cost the university about $50,000. And that incident involved only student employees, not the entire staff of 6,000 or the 26,000-student body. Kellogg's responsibilities include risk management, managing activities related to the properties used and owned by the university, and reviewing and approving contracts. With cyber incident insurance in place, that incident may have cost the university around $25,000, though Kellogg isn't saying.

Higher Ed Newcomers to Data Breach Insurance
Computer-related insurance has been around since the late 1990s, Economidis said. It surfaced as a separate kind of insurance product as soon as insurance companies figured out that their policies didn't do a great job of covering the non-tangible aspects of the Internet revolution, such as intellectual property. Early policies limited themselves to covering failures of computer security--the expenses that accrued when somebody was hacked in or infected by a computer virus. But concurrently, identity theft began to surface, and organizations realized that they were exposing themselves to legal liabilities related to the data they retained about their customers. So the insurance policies expanded to cover not just computer security, but also the theft or loss of personally identifiable information.

Colleges and universities are relative newcomers to data breach insurance. "It has really only come into vogue in the last two to three years," said Economidis. "They're certainly becoming aware of it in a hurry. Right now they're one of our biggest groups of new buyers."

However, this new business isn't just coming from campus risk managers, those people charged with figuring out what the biggest risks are and making sure the university is addressing them, according to Economidis. It's also being brought up by the financial people who have to pay the bills when something goes awry, compliance people who have to stay up on laws and regulations, and insurance brokers who advise schools on their policies.

Interestingly, the one role not included in Economidis' list is the CIO, the person ultimately in charge of making sure the breaches don't happen in the first place.

The Two Aspects of Risk Management: Financing and Controls
Risk management has two components, Economidis explained. One is risk financing, which asks, "How are we going to pay for a loss if it happens?" That's where insurance comes in. The other is risk control, which is anything that prevents a loss from happening in the first place. In the context of computer security, a risk control could be a firewall, encryption technology, and anything else that reduces the risk. Yet, he said. "you should never rely on just a risk control, because no risk control can guarantee you won't have a loss." Even though a building may have a sprinkler system in place, the university will also have fire insurance. The first component is the risk control; the second is the risk financing--a way to cover the cost of repair or replacement should a fire happen.

Understanding that point may just be where IT people are falling down on the job when it comes to data breaches. Although plenty of IT people "recognize that they can't control risk and welcome insurance, others see it as infringing on their territory," Economidis observed. "They're just so determined never to let a loss happen."

Yet the origin of a data breach is never totally in their control to begin with. "This is about more than just the computer systems," Economidis said. "Laptops get lost. Files get dumped into dumpsters instead of getting shredded. Paper files go missing. Employees who have authorization to use information as part of their job steal the information and sell it to identity thieves."

That's why, he said, Economidis believes that setting up communication channels between the IT and risk management organizations in a school will have positive results.

Bringing Risk People and IT People Together
Kellogg agreed. Shortly after the security incident at Western Michigan U, his school hosted a special event to do just that. Besides his job in business services, Kellogg is also the president of MUSIC, the Michigan Universities Self-Insurance Corp., which comprises 11 of the state's public universities. MUSIC was formed in 1987 to share the risks among all of the members. Instead of paying an insurance company for certain kinds of coverage, members pay their premiums into MUSIC and then get dividends from the money not paid out in claims. The organization also does group purchasing for other forms of insurance.

Two years ago, MUSIC did a group purchase for cyber risk insurance specifically to cover the universities in the event of a data breach. To educate its members--primarily risk managers, attorneys, and financial controllers--MUSIC hosted a daylong workshop on Western Michigan's campus, at which Economidis and others spoke. Along with MUSIC's usual participants, the campuses also invited their IT people to attend.

"You don't normally get IT and risk management people together," said Kellogg. "Like most universities, we have a response team here for data breaches. So practically our whole response team was here."

The agenda included sessions on cyber risk incident response; understanding cyber risk insurance and claim processing; tips on how to protect the university; and lessons learned from campus cyber risk incidents (at which a representative from Western Michigan spoke alongside others).

The goal of the event was to get the people at the participating institutions comfortable with the new form of insurance coverage and the service providers that would be called in to help out in the event of a security incident. For Kellogg that included IT people. "Our part as risk managers is really in support of the IT folks who have to put the entire response team and plan in place," he said. "We're just another part of the whole plan that they have put together. This [insurance] is another resource for them."

Economidis concurred. "If you haven't looked at this kind of insurance, you probably aren't asking yourself a lot of other tough questions. And possibly you're not managing your risk correctly."

Economidis said he reviews a lot of insurance applications from universities for cyber risk insurance, and he reports three areas where organizations could do a better job with their risk control.

The first is encryption of portable devices. "We think that's important--and probably the biggest issue that organizations are struggling with today," he said. That includes laptops and any other mechanism that allows university people to carry data on.

The second is security awareness training for users. "A lot of security failures happen because of what I'll call the careless or poor computing practices of the general staff. They don't know better. Somebody sends them something, they click it, and they download a virus," Economidis said. The carrier prefers to see that institutions have a standing security awareness program in place that includes a hiring orientation to review with employees what the computer usage policies are, as well as regular reminders once a year. Also, Economidis recommended a continuing awareness program where the IT organization sends out a monthly e-mail message that shares an example of something that somebody has done that has created a security problem.

Third, Beazley recommended a robust security testing program that includes an external vulnerability scanning application to scan computers from outside the firewall to determine what things they may be vulnerable to. "Generally, one of two things happens that tends to cause computer failures," Economidis said. "One is the appliances in the network--servers and routers--are not properly configured. Second, quite frequently, machines in computer network don't have the most recent software running on them. These scanners will automatically give you a list of things that can be seen from outside your network that you may want to fix. If the software can figure it out, so can a hacker, right?"

The fact that a security incident is so pricey can help the risk manager and CIO in partnership justify the expense of putting in new security controls. "One example could be encryption for laptops," Economidis pointed out. "Somebody might say, 'Do we need encryption for laptops?' If you have a lot of laptops, it's a lot of money. But when you realize that a certain percentage of laptops will go missing every year and if it's not encrypted, you may have to spend a lot of money notifying people, that helps put that expense into perspective."

That lesson is well learned at Western Michigan U. "Even though we have very strong secure systems, none of them is perfect," said Kellogg. A security event "could happen to anybody. And it will eventually happen to just about all of us at some point in time. If not, it's pure luck."

Featured