Just google the terms "cyber law" and "privacy breaches" and you will see a very active marketplace that appears to be growing every quarter. People appear to be growing more aware of (and frustrated with) breaches of their privacy, and when that frustration boils over it drives a broader and more expensive litigation response. Right now, however, businesses are seeing litigation and class actions lag behind the actual cyber/privacy incidents, a natural delay given the newness of these business exposures and the legal community's ability to effectively argue for or against a business's liability.
Still, cyber liability is expected to grow because companies are, on average, doubling the amount of personally identifiable information (PII) they hold while the value of such data is growing in the marketplace of data theft and data brokering. This means that the problem is not likely to go away anytime soon. In fact, according to the Web site Privacy Rights Clearinghouse, more than 240 million personal records reportedly have been breached since January 2005, in incidents ranging from lost laptops and network breaches to just plain IT negligence. The lesson appears to be that there is no risk elimination for technology exposures, just risk mitigation at best.
The most serious threat arises from organizational ignorance of the risks, laws and liabilities of data privacy. Companies that are unaware of the emerging laws of cyberspace are often the ones that pay the most in notification expenses, class-action defense, brand damage and lost customers. Emerging threats are associated with rogue employees misusing a company system, stealing data or opining on the social Web with embarrassing consequences for their employers.
Companies that have done a real assessment of their cyber exposures are often the ones that see the positive economics of protecting themselves. In order for this to happen, the CIO has to realize that there is more to the solution than technology alone. The most important factor is that the CIO and chief risk officer regularly discuss and assess business risk as it relates to data privacy, network security, media, intellectual property and the company's online activities -- in other words, C-level awareness with C-level alignment.
These days, cyber events impact stock prices. Not enough companies today are prepared for or insured against cyber liability, given the new reality that their business risk is so deeply tied to their mastery of IT and of the Internet itself.