FEATURE ARTICLE, DECEMBER 2005

PROTECTING YOUR CUSTOMERS AND YOUR COMPANY
What commercial real estate companies, particularly the finance and lending communities, should keep in mind regarding privacy protection for customers.
Roger Haynes

Millions of financial records have been mislaid or stolen in the past year, and a new event occurs weekly. Could it be that today's financial managers are more inept or is the sheer volume so high that more data is spilling over the sides? In either event, it is hard to feel comfortable with your personal financial information in the hands of even the largest of financial firms.

Today's financial services companies perform innumerable transactions, moving gigabits of data daily. These infrastructures function through many public and private networks, including wireless applications, often encrypted in transmission but sometimes in clear text. Increasing dependence on technology, outsourced providers, and Internet-based services means that the computer networks of financial services companies are under constant threat. Privacy and security-related risks are high on the list of boardroom issues. These risks expose financial services organizations to regulatory enforcement actions, liability claims and direct financial losses when they are forced to patch up a leak and repair damaged reputations and credit ratings.

IT security issues include unauthorized access to or use of computer networks, identity theft, spyware, denial of service attacks, phishing, and malicious code. Now regulators are piling on with heightened intensity in the wake of a serious security breach, with threatened fines, required blanket notifications and follow-on credit monitoring costing hundreds of thousands or millions of dollars.

More than 20 bills are in Congress today, with more than 200 at the state level, all focused on financial security or identity theft. Notification procedures and requirements are a part of many of these bills and there seems to be an inconsistent approach, greatly magnifying the headache for financial services companies attempting to serve customers in multiple jurisdictions.

A variety of regulations are already established to increase protection of financial and personal data. The Gramm-Leach-Bliley Act of 1999 (G-L-B) imposes major privacy and security requirements on financial services companies engaged in financial transactions and communications. The law limits the instances in which financial institutions may disclose non-public personal information about a consumer to non-affiliated third parties and requires them to disclose certain privacy policies and practices to all of their customers. G-L-B also requires financial institutions to have a security plan to protect the confidentiality and integrity of customer information.

Some financial services companies may also be subject to privacy requirements for personal health information (as regulated by HIPAA).

According to the 2004 Federal Trade Commission annual report, identity theft and consumer fraud resulted in $548 million in losses to U.S. consumers. Identity theft complaints rose 15 percent over the prior year and remain the top consumer complaint. The average consumer victim of identity theft spends over 600 personal hours working to clear up credit issues to restore their good name.

What kind of problem can the theft of a consumer's identity pose? More than half of the concern is credit card fraud: taking over an existing credit account and running up big bills. The card industry has been dealing with this risk for a long time and has established a trade practice which limits the liability of the cardholder and merchants to some degree, but this is only the tip of the iceberg today. Another quarter of the dollar losses come from the theft of communications services, with fraudulent cell and other utility services ringing up big losses. Users of stolen IDs will also set up bank savings or checking accounts to issue fraudulent checks, or even take out consumer loans or car loans under the stolen identity. As you can imagine, this tangled web of interactive references and fraud upon fraud can be very time consuming to unwind.

Traditional insurance policies may not provide adequate protection for privacy and security risks. Some of the privacy and ID theft risks emanate from traditional sources like negligence, employee theft, inadequate physical security or inadequate procedures in hiring or supervision. Traditional policies might be adequate to respond to some of these concerns, but many times they lack the appropriate definitions or coverage terms to respond to the key differences surrounding the loss of data and the consequential damages of that loss. New insurance coverage forms for Internet liability and cyber crime or extensions for these coverages applied to older insurance forms for crime, property loss and liability protection must be well integrated to provide an adequate defense, but there will always be gaps.

Some of the most prominent gaps are present because underwriters cannot adequately judge the risk, but others are being filled in as they are identified or as the market broadens to accept them. Many insurance carriers now provide Internet or cyber liability policies, but most of them are not geared to respond to claims from regulators with the coverage for fines and penalties or to provide the type of coverage that will absorb the costs associated with a broad-scale effort to provide credit monitoring services to consumers who “might” suffer an ID theft because their data is lost or stolen. Many underwriters find this to be akin to a public relations kind of loss or, perhaps they view it as an extension of the fines or penalty provisions and refuse to cover the expenses as a result. Coverage for fines or penalties is often viewed as against public policy (because it takes away the purpose of the fine, which is to punish) but some carriers are providing regulatory coverage to respond to certain aspects of this exposure.

Holders of private financial information (banks, insurers, broker-dealers, mutual fund managers) all have concerns which fall into two main buckets of risk. The first is the loss of the data itself and any physical damage that might accompany the loss or destruction of the data. These risks are fairly well understood and managed in the traditional “first party” environment. Paying to repair or replace data or the devices that hold the data is a reasonably straightforward insurance issue, as long as there exists the ability to recapture the data. A backup file or alternative source of the data can be tapped, and often the damage is minimal in those circumstances.

The liability, or so-called “third party” exposure, is slightly more complicated. When the loss of private financial information does NOT involve an unauthorized intrusion into a covered computer system, things become very complicated in the modern world of insurance. If the theft of information or its destruction is by an employee, the coverage for the recovery is often not clear, and if the data is simply copied or stolen in hard-copy form, most Internet or cyber crime policies in the market today do not respond to the loss. Some will respond to the liability concerns and even pay the notification expenses and respond to regulatory suits, so a broad search of the market should bear some fruit.

The really large risk, often viewed as the threat of a class action lawsuit against the financial services company alleging management negligence in the handling of private financial information, might be adequately covered by the firm's directors' and officers' liability insurance or its professional liability coverages. Here there are likely to be gaps in the details, such as a G-L-B or privacy exclusion, a broad bodily injury exclusion which includes personal injury in its definition and eliminates coverage, a professional services exclusion, or even a regulatory exclusion which cuts out a big part of the damages. A well-crafted policy is the best defense in these circumstances, drawn up with the cooperation of your counsel and a broker well versed in the specifics of your industry and its regulatory environment.

Often, the biggest risk is the damage that can be done to the reputation of the firm involved in a large disclosure, whether by third party intrusion or negligence. These lapses in security can radically undermine the public's sense of confidence in an institution. Some insurance policies will pay for the services of a public relations firm to help in these times of crisis, but the damage may be grave before the “spin” doctor arrives.

Roger Haynes is a senior vice president with William Gallagher Associates.


©2005 France Publications, Inc. Duplication or reproduction of this article not permitted without authorization from France Publications, Inc. For information on reprints of this article contact Barbara Sherer at (630) 554-6054.