What is a ‘data record’ and why does it matter?

Matthew Antoszyk
At-Bay
8 min read · Sep 19, 2018


At-Bay provides cyber insurance for the digital age.

In 2017, Equifax, one of the country’s largest credit bureaus, reported that its data records had been breached, exposing the names, addresses, and social security numbers of 143 million users. By April 2018, the company disclosed that this breach had cost over $242 million with expenses and fines still accumulating.

Clearly, data breaches can cost a lot. Because cyber insurance covers the costs associated with losing data, most cyber insurance carriers ask prospective clients, “What kinds of data records do you store? And how many?”

Cyber insurance applicants often answer this “data records” question incorrectly or not at all, usually because they are confused about the definition of “data record.” If you don’t know what a data record is, how can you know how many you have? And why does this number matter?

To avoid this confusion, we’ve simplified our application to four security questions, one of which is whether you store or process data for more than 250 thousand people in a year (other than your employees). But knowing how many “data records” you collect helps you understand your financial exposure to a cyber breach. To help brokers and clients estimate this number accurately, we’ve tried to answer 3 basic questions as they relate to cyber insurance:

  • What are the different kinds of data records?
  • How many records do I have?
  • What are the costs from a breach (and how much will it cost me)?

What are the different kinds of data records?

Data records are generally classified into three main categories.

Personally Identifiable Information (PII)

US state laws impose penalties for the loss of PII, and each state defines PII in its own way. In general, PII is defined as a first name (or initial) and last name, combined with at least one of the following:

  • Social Security number
  • Driver's license number
  • Financial account number or credit/debit card number

Some states expand the definition to include additional kinds of information:

  • Date of birth
  • Passport number
  • Phone number
  • Address
  • Voter ID number
  • Biometric data

In short, any data that can be used to identify an individual is potentially defined as PII in at least one jurisdiction.

Payment Card Information (PCI)

PCI stands for Payment Card Industry; in the context of a data inventory it means cardholder data: the card number (primary account number) along with the cardholder name, expiration date, and service code. In 2006, the five major card brands (American Express, Discover, JCB, MasterCard, and Visa) formed the Payment Card Industry Security Standards Council and, through the card brands' contracts with acquiring banks, pass the costs of fraudulent purchases and card reissuance back to the merchant or processor that lost the data, rather than to the consumer whose card was stolen.

Cyber insurance usually covers the costs that businesses owe credit card companies to reimburse fraudulent charges as a result of a breach. Since these costs can run into the millions of dollars, insurers are keen to understand how many credit card numbers a company has on hand before insuring them.

Protected Health Information (PHI)

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects individuals against (and penalizes organizations for) the loss of health information. Its Breach Notification Rule (added by the HITECH Act in 2009) requires notification of affected individuals in the event of a breach, and it adds the risk of a federal fine on top of any penalties imposed by state Attorneys General, who can also enforce HIPAA.

HIPAA applies to all PHI, which includes written, oral, and electronic data on an individual's past, present, or future physical or mental health or condition; the provision of healthcare to an individual; and payment for the provision of healthcare to an individual. HIPAA's scope is limited to "Covered Entities" (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and to the "Business Associates" that handle PHI on their behalf. The same diagnosis stored by a company that is neither is personal data, but it is not PHI under HIPAA.

Complicating matters even further, several more laws and regulations govern data privacy for an array of data types beyond PII, PCI, and PHI. These lesser-known laws cover a variety of data: from student records (FERPA) to your video rental history (the Video Privacy Protection Act; looking at you, the Last Blockbuster).

Ok, but how many records do I have?

Is a zip code one record? Or is a full address one record? How do you know how many records you actually have?

Each insurer may phrase its "data records" question differently, but as a starting point for understanding your exposure, the number you need is how many individuals' records you hold. So even if you collect SSNs, passport numbers, and driver's license numbers, first count how many people you hold that information about, not how many fields or rows you store.

This is because the number of individuals whose records were lost drives many of the costs of a breach: how many people must be notified, how many will receive free credit monitoring, and how many might join together in a class action lawsuit.

In a perfect world for insurers, we would also know how many different types of data you have on a given individual since this also plays a role in the cost of a breach. For example, if you lose a patient’s complete health file in a breach, the fine from the government is likely to be worse than if you lost a single data point.

Still, knowing the number of individuals that you have data about helps give a sense of your business’s exposure. If you have that number on hand, for each of the types of records mentioned, an insurer is unlikely to ask for anything else (good luck!).
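As an added example (this is not code from the original post or from At-Bay), the Python script below applies the working definitions from the PII, PCI, and PHI sections to a constructed customer export and answers the "how many individuals" question the way an insurer means it: it classifies each row as PII under the common state rule (first name or initial plus last name, plus an SSN, driver's license, or financial account/card number), PII under the broader elements some states add, PCI, or PHI, then counts distinct individuals per category rather than rows. The column names, the `customer_id` key, the `luhn_valid` filter on the card column, and every value in the sample rows are assumptions; real exports rarely carry one stable id per person, so identity resolution across systems would have to come first.

```python
import re
from collections import defaultdict

# Constructed sample export (all values fabricated). The same customer_id appears in
# several rows because different systems each hold part of a person's data, which is
# exactly why row counts must not be reported as "records".
SAMPLE_ROWS = [
    {"customer_id": "c1", "first": "Ana", "last": "Ruiz", "ssn": "123-45-6789"},
    {"customer_id": "c1", "first": "A.", "last": "Ruiz", "card_number": "4111 1111 1111 1111"},
    {"customer_id": "c2", "first": "Bo", "last": "Chen", "card_number": "4111111111111112"},
    {"customer_id": "c3", "first": "", "last": "Diaz", "ssn": "987-65-4321"},
    {"customer_id": "c4", "first": "Eve", "last": "Khan", "dob": "1990-02-03", "phone": "555-0100"},
    {"customer_id": "c5", "first": "Lee", "last": "Park", "diagnosis": "asthma"},
    {"customer_id": "c6", "first": "Sam", "last": "Ortiz", "driver_license": "D1234567"},
    {"customer_id": "c7", "email": "someone@example.com"},
]

# Column names are an assumption about this export's schema, not a standard.
BASE_IDENTIFIERS = ("ssn", "driver_license", "account_number", "card_number")
EXPANDED_IDENTIFIERS = ("dob", "passport", "phone", "address", "voter_id", "biometric")
PHI_FIELDS = ("diagnosis", "treatment", "medication", "claim")


def luhn_valid(number):
    """Reject values in the card column that cannot be a card number (wrong length or a
    failing Luhn check digit), so test data and typos are not counted as PCI."""
    digits = [int(d) for d in re.sub(r"\D", "", str(number))]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_value(row, field):
    """True when the field is present and non-blank; card numbers must also pass Luhn."""
    value = row.get(field, "")
    if not str(value).strip():
        return False
    if field == "card_number":
        return luhn_valid(value)
    return True


def classify(row):
    """Map one row to the categories from the text. 'PII' follows the common state rule
    (first name or initial plus last name, plus SSN / driver's license / financial account
    or card number); 'PII_expanded' uses the broader elements some states add."""
    cats = set()
    named = has_value(row, "first") and has_value(row, "last")
    if named and any(has_value(row, f) for f in BASE_IDENTIFIERS):
        cats.add("PII")
    if named and any(has_value(row, f) for f in EXPANDED_IDENTIFIERS):
        cats.add("PII_expanded")
    if has_value(row, "card_number"):
        cats.add("PCI")
    if any(has_value(row, f) for f in PHI_FIELDS):
        # Regulated as PHI only if you are a HIPAA covered entity or business associate.
        cats.add("PHI")
    return cats


def inventory(rows, key="customer_id"):
    """Count distinct individuals per category (the number an insurer asks for), not rows.
    Assumes the export already carries one stable id per person (the `key` column)."""
    people = defaultdict(set)  # category -> set of individual keys
    everyone = set()
    for row in rows:
        everyone.add(row[key])
        for cat in classify(row):
            people[cat].add(row[key])
    result = {"rows": len(rows), "individuals": len(everyone)}
    for cat in ("PII", "PII_expanded", "PCI", "PHI"):
        result[cat] = len(people[cat])
    return result


if __name__ == "__main__":
    for name, count in inventory(SAMPLE_ROWS).items():
        print(f"{name:13} {count}")
```

On the sample data the script reports 8 rows but 7 individuals, of whom 2 are PII under the base rule (c1 and c6), 1 under the expanded rule only (c4), 1 PCI (c1) and 1 PHI (c5). Note what is deliberately left out: c3 has an SSN but no first name or initial, so it does not meet the base state definition, and c2's card value fails the Luhn check and is counted neither as PCI nor as the financial identifier that would make the row PII. Those two rows are the kind of thing a column-level scan ("we have an SSN column with N values") silently overcounts or undercounts.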

What types of cost are there from a data breach?

In general, costs exist along a few categories:

1. Regulatory fines and defense

In the early days of the internet, there were few clear requirements for businesses to protect the data of their customers and employees. When a business lost data, they faced few repercussions for failing to safeguard customer and employee information.

People noticed pretty quickly that this setup was not sustainable. Customers bore the costs of lost data (for example, identity theft), financial institutions bore the costs of fraudulent online transactions (in 2001, Visa reported that fraud rates for online card transactions ran up to four times the rate for transactions overall), and e-commerce as a whole was held back by the low-trust environment.

Over time, government agencies and industry organizations took steps to ensure that businesses protect the data they collect. As a result, data record privacy today is enforced by a patchwork of agencies, laws, and organizations that can levy fines for exposing customer and employee data records:

  • US States: All 50 states, DC, Guam, Puerto Rico, and the US Virgin Islands have breach notification laws that require a company that loses personal data to notify the affected residents (and, in many states, the Attorney General), and that penalize the company for failing to do so. There have been several attempts to pass a federal data protection standard, dating back to the Obama administration and continuing today. In the meantime, data privacy is governed separately in each state.
  • Department of Health and Human Services: The federal government enacted HIPAA in 1996, a law specifically governing the protection of health data and the penalties for failing to protect it. HIPAA is enforced by the Department of Health and Human Services Office for Civil Rights (OCR).
  • US Federal Agencies: The FTC, SEC, CFPB, and others have issued fines for failure to protect against a data breach (or failure to behave properly in the aftermath) at one time or another, though they are not primary regulators of data privacy.
  • European General Data Protection Regulation: On May 25, 2018, the EU's General Data Protection Regulation came into force. Its breach notification duties play a role similar to US state breach laws, but GDPR is significantly broader than most US laws: it covers Personal Data, which is "any information that relates to an identified or identifiable living individual," and it regulates how that data is collected and used, not just whether it is lost. GDPR also allows for steep penalties, up to €20 million or 4% of worldwide annual turnover, whichever is higher. The criteria used to determine the amount of a penalty are fairly broad, and since the law is so new, we do not yet know how it will be enforced; in fact, many EU regulators have said they are not yet ready to take on their responsibilities under the new law. Because of these new rules and steep penalties, the introduction of GDPR changes what good cyber insurance looks like: in a prior post, we showed some of the challenges that GDPR poses for cyber insurance and how At-Bay's offering addresses them.

2. PCI fines and assessment

The five major card brands joined together to form the Payment Card Industry (PCI) Security Standards Council, which issues the PCI Data Security Standard (PCI DSS) for the protection of cardholder data. PCI DSS is not a law: the card brands enforce it contractually through acquiring banks, which pass on fines and fraud assessments to a merchant or processor that failed to protect card data.

3. Customer support and civil liabilities

In the immediate aftermath of a breach, communicating with customers is crucial and there are typically increased costs associated with this: companies will augment their call center and mailings in order to keep impacted customers informed. In about 65% of cases, companies also offer impacted customers access to credit monitoring services. Beyond communications with customers and services, class action lawsuits against companies in the wake of a data breach are now commonplace.

4. Crisis management and responses

As we’ve discussed, the exact rules governing a data breach can depend on the type of data, the company’s industry, and the location of both the company and its customers. As a result, a breached company will often hire a breach coach, who can help the company determine what legal requirements the company has and how to respond. The business will also likely want to hire forensic experts that can determine exactly which customers were impacted. For larger breaches that have significant media coverage, a breached company may also need to hire a public relations firm capable of assisting with media response.

How much will it all add up to?

Across these categories above, the costs can vary significantly depending on the details of the particular data breach. However, one constant when it comes to data breaches is that the more records that are lost, the higher costs are likely to be (Verizon has some insightful analysis on this point in their 2015 Data Breach Investigations Report).

To learn more about the costs of a data breach and how to contain them, check out our Data Breach Cost Calculator. And if you’re interested in how we use technology to provide a better cyber insurance product, don’t hesitate to reach out at info@at-bay.com.


About the author

Matt Antoszyk is a Product Manager (the technology kind!) at At-Bay. He builds tools that make it easier for brokers and clients to understand, analyze, and purchase cyber insurance.
