With Breaches Rising, Insurer Offers Card-Compromise Coverage

Fireman's Fund Insurance Co. this week unveiled what it says is the first coverage available to small and medium-sized businesses for losses from payment card data breaches. News of the policy came on the same day that a non-profit research organization reported that data breaches increased 47% last year. The idea behind the coverage, according to Brian Gerritsen, product director at Novato, Calif.-based Fireman's, is to give peace of mind to business owners who are diligent about complying with the Payment Card Industry data-security standard, or PCI, the card networks' uniform protection rules that all card acceptors are supposed to meet. “That's what we're really trying to insure against?business owners trying to do everything in their power to protect their customers' cardholder data, but still find themselves in a data-breach situation and out of compliance with the PCI standards or other security standards that may apply to them,” he tells Digital Transactions News. To get the coverage, however, a merchant must clear a number of hurdles. An applicant must already have property or liability coverage from Fireman's as well as the company's general data-breach policy first offered in 2006. The new payment card coverage is an add-on to that earlier product. Coverage is available to retailers and most other card-accepting merchants, but not schools and hospitals, says Gerritsen. The insurer excluded the former because of their high rate of data breaches and the latter because they hold extremely sensitive medical and personal data. If breached, a covered merchant could recoup about $160,000 in resulting expenses. That includes up to $50,000 for a PCI-specific forensic investigation, system scans and software, and hardware upgrades to get card security up to snuff. The policy also provides up to $100,000, with a 5% deductible, for PCI fines?”contractual penalties” in industry lingo?and related costs such as chargebacks and issuers' card-reissuance costs attributable to the breach. Coverage also includes $2,500 in bank service charges and up to $10,000 for public relations as the merchant tries to restore its reputation. The policy further provides up to $5,000 for promotional expenses such as gift cards or coupons the merchant may give to affected customers to lure them back. But covering businesses for data-breach losses does create the potential for what's called “moral hazard” in the insurance business. In this case, that means covering applicants that would find it cheaper and easier to slack off on card security and instead buy insurance. “Potential users should remember their responsibilities to ensure sound data-protection practices,” Brian Riley, an analyst with research firm TowerGroup Inc., an editorially independent unit of MasterCard Inc., tells Digital Transactions News via e-mail. “Shifting the risk should not dismiss their focus on PCI compliance.” Gerritsen says the company's underwriting accounts for that risk. Fireman's will ask the business to attest that it has been in compliance with PCI for the past 12 months and to attest that it is PCI-compliant as of the date of its insurance application. The insurer also asks the applicant to list any data breaches it has experienced. Fireman's doesn't ask the business to prove its PCI compliance upon application, but it will deny a claim if those attestations prove intentionally false after a breach. Fireman's sets premiums based on a business's annual sales. A 10-store restaurant chain might pay about $300 annually for the core data-compromise coverage, Gerritsen cites as an example. The card coverage will cost anywhere from $175 per account on sales below $1 million to $750 for businesses with sales above $15 million. As part of the new coverage, Fireman's is offering businesses data-security and breach-prevention consulting services from Chicago-based Trustwave, one of the biggest forensics investigators and PCI assessors, at what Gerritsen says is “preferred pricing.” Use of Trustwave's services isn't required, however. Giant insurers AIG and Chubb already provide “very sophisticated” data-breach coverage to Fortune 500 clients, says Gerritsen. Fireman's concentrates on smaller companies, providing property or liability insurance to about 26,000 commercial clients with up to several hundred million dollars in annual sales. About 20% of those customers take the data-breach coverage. Gerritsen wouldn't disclose how many claims Fireman's has had on that line or its payouts, but says the product is profitable. Meanwhile, the San Diego-based Identity Theft Resource Center on Jan. 6 reported tracking 656 data breaches of all types in 2008, compared with 446 in 2007. The number of known records potentially affected in those breaches, however, declined last year to 35.7 million from at least 127 million estimated by the IRTC 2007. How many of the 2008 records involved payment card data was not immediately available.