“It’s Not What You Think: The Surprising Diversity of Data Breach Causes”

Let’s play a word association game.  What is the first word that comes to mind when I say the phrase, “data breach”?  If you thought, “hacking,” you’re not the only one.  But according to many accounts, hacking accounts for only about a third of data breaches.

Plain old theft, in its more traditional, purse-snatching form, accounts for another ten percent of breaches.  While laptop theft is the most common cause in this context, there have been many data breaches in the past year caused by the theft of desktop computers, thumb drives and, of course, smart phones.  Obviously, thumb drives and phones are the easiest to snatch.  They are also increasingly becoming key operational elements in nearly every industry, and I expect the number of breaches caused by their theft to likewise trend upward.  Another ten percent of breaches are caused by “malicious insiders,” disgruntled current or former employees who damage or sell data for all of the obvious reasons.

You probably haven’t raised an eyebrow yet.  But we’ve only covered the causes of about half of data breaches.  What about the other half?

Approximately a quarter are caused by improper disposal of data, both in electronic and paper form.  The circumstances of these breaches range from somewhat complicated failures to properly wipe hardware (and subsequent restoration of the data) to simple failures to shred key documents or lock the dumpster.  Oops.  The last quarter of breaches are caused by – drumroll – accident.  Sending documents to the wrong recipient, office fires, warehouse flooding.  Double oops.

So what?

So, theft (whether from hacking, purse snatching or ticked-off employees), negligence and accidents are typically insured by traditional insurance like commercial general liability coverage, right?  Maybe.  When the resultant damage is loss or improper disclosure of data, as contrasted to damage to a person or to physical property, traditional policies increasingly exclude coverage.  Consider, for example, ISO exclusion CG 21 06 05 14, which in 2014 began to exclude from CGL coverage “injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”  Translation: we don’t cover data breaches, no matter the cause.

The odds of finding coverage for data breach events in traditional insurance policies are getting worse.  Quickly.  If you haven’t already cannon-balled into the data privacy insurance pool, it’s time to at least dip your toe.  The water’s probably not as bad as you think.