Dr. Dobb's is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Channels ▼
RSS

Data Insurance

By Kevin Savetz, March 09, 2002

Lawsuits, downtime, data that has been stolen or destroyed—data insurance helps tech companies recoup unexpected losses.

Data Insurance

Cover your most valuable assets—the intangible ones

by Kevin Savetz

May 2002

A business's most valuable asset isn't necessarily tangible. Perhaps it isn't a warehouse full of furniture, but a database of names, a directory of source code, an always-on Internet connection, or something equally ethereal. The owner of such a business might be surprised to find that none of these vital assets are covered by his or her insurance policy.

Traditional insurance products cover physical loss of tangible property. If a Web server is stolen or destroyed in a fire, the insurance company will pay to replace it. But all too often, the information stored on that server is worth much more than the hardware itself. But information isn't a tangible property, and regular insurance products aren't designed to cover that type of loss. For that, you need data insurance.

Data insurance, hacker insurance, or network security insurance—by any name, this type of coverage is a recent addition to insurance companies' offerings, and is relatively unknown among business owners. The idea is to protect the assets that are most valuable to e-businesses, such as electronic data and network connectivity.

We've all seen reports of stolen credit card databases in the news. These high-profile security breaches may be few and far between, but Internet security is a wide-scale problem for online businesses. And in the big picture, a stolen credit card file barely registers on the spectrum of bad stuff that can happen.

More than 52,000 Internet security incidents—in excess of 140 a day—were reported to the Computer Emergency Response Team Coordination Center (CERT/CC) in 2001, up from 21,000 in 2000. Those numbers are just a drop in the bucket. Most computer crimes aren't reported, and many more go undetected. When you consider that most hacking attempts are made by insiders, like disgruntled employees, the need for companies to prepare for risk becomes quite evident.

Not Your Father's Insurance Policy

Although the data insurance sector is new, it's gaining popularity as companies learn the real risks of doing business on the Internet. Network security insurance is the fastest growing product in the history of insurance giant American International Group (AIG), according to Ty Sagalow, executive vice president and COO of AIG's eBusiness Risk Solutions. Bruce Schneier, CTO at Counterpane Internet Security, believes that sooner or later, it will be unthinkable not to have an anti-hacking policy.

But for the moment, choosing a policy—or even finding an insurance company that understands what it means to insure data—can be a challenge. "Insurance products that deal with data insurance are emerging slowly," says Jack L. Strauss, president and CEO of SafeCorp, an information security consultancy. "There are few examples of standard products, and as such, their content from policy product to policy product varies greatly. Those that are offered in some standard fashion are over-constrained and ridiculously expensive. Also, the insurance industry as a whole moves at a glacial pace, even when they understand the target domain. And they don't get this space, as a group."

Counterpane's Schneier agrees. "There's more talk about this than actual policies being written." The market leader, AIG, claims 75 percent of the market. It has about 1,500 clients for its data insurance products, which have been available for two years.

How does a company determine whether it needs data insurance? "If, as a business, you don't use the Internet in any of your business operations—you don't have a Web site, you don't email outside the company, your computer room isn't connected to the outside world—then you don't need this insurance," Sagalow says. "But once you start using the Internet as part of your business strategy, the issue is not whether you need to buy this insurance for that risk, but rather, how much and what."

Coverage Types

Shoppers will find many types of coverage under the broad umbrella of data insurance. When a business is connected to the Internet, the possibilities for damage go far beyond the "cracker breaks into your server and steals something of value" scenario that has been so often publicized by the evening news. The major areas that a data insurance policy may cover include:

  • Legal liability to others. This covers damage done to others as a result of security lapses on your network. For instance, if a cracker breaks into your network and uses your servers and routers to launch a denial of service attack on another company, or if some one at your firm unwittingly passes on an email virus to the outside world, this coverage would safeguard you against any resulting lawsuits.

  • Web content liability. This protects against copyright, trademark, slander, and other suits that might result from information posted on your company's Web site. It can include the visible portion of your Web site—for example, erroneous information in an online manual that causes the product to explode—as well as behind-the-scenes technologies like meta tags and cookies. For instance, use of another company's trademarked names in your site's meta tags can invite legal action.

  • Professional liability. (Also known as errors and omissions coverage.) Like malpractice insurance for doctors, errors and omissions coverage protects those who render professional services to others for a fee. It covers you if you're sued for rendering services in a negligent way. For example, if your company publishes content created by an outside contractor or freelancer, errors and omissions coverage will protect you if that content is inaccurate and causes enough problems to attract the interest of litigators.

  • Network security property loss. This covers damage, corruption, or theft of data. For instance, if a hacker accesses your system and destroys, changes, or steals vital data. Such damage may not be immediately obvious. Some types of data corruption—an erased hard drive or modified home page—are meant to be noticed. Others, such as a former employee modifying data on a spreadsheet, may not be caught until much later.

  • Business interruption. Coverage can compensate you for losses incurred when your site or network goes down. If your company sells books on the Internet and your site goes down, most customers won't wait to buy. Your competition is just a click away. This coverage can reimburse you for profits lost during the downtime.

  • Crisis communication. During and following an Internet-related crisis, you may need to send the message to customers and shareholders that it's still safe to do business with you. Some insurance plans include crisis communication coverage to defray the expenses of PR agents and attorneys.

An insurer should let you pick and choose the types of coverage that your business needs. "If you don't have revenue associated with your site, you don't need business interruption service. If you don't have data that you're concerned about being corrupted, then you don't need damage insurance," Sagalow says.

The most common claims at AIG, according to Sagalow, are related to Web content liability, professional liability, and security. Part of this is because of the policy choices themselves. For instance, every one of AIG's offerings includes Web content liability coverage.



1 2 Next

Related Reading

News

Commentary

Slideshow

Video

Most Popular

More Insights

White Papers

More >>

Reports

More >>

Webcasts

More >>
INFO-LINK




Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
 

Recent Articles

Most Popular

Stories Blogs

Upcoming Events



Most Recent Premium Content

Digital Issues