An insurance company data breach that exposed 1.1 million people to identity fraud exemplifies the kind of cybercrime that companies increasingly fear will land them in civil court.
The Nationwide Mutual Insurance went public on Wednesday with notification of an Oct. 3 break-in of a computer network also used by Allied Insurance. Data stolen from the insurers included names, Social Security numbers, driver's license numbers and birth dates.
Such cybercrimes have become the No. 1 worry of publicly traded U.S. companies, in terms of potential litigation and financial losses, according to a recent survey of the Chubb Group. Fully, 63 percent of the respondents said they were most concerned with losing customer or employee data through an electronic security breach.
Their worries are justified. In 2011, the typical data breach resulted in $5.5 million in organizational costs, said the Ponemon Institute. In another study, Ponemon found that of the 583 IT and IT security professionals it surveyed in the U.S., 90 percent said their employers had suffered at least one data breach.
Nationwide notified authorities shortly after discovering the breach and had confirmed on Oct. 16 that personal information had been stolen, the company said. On Nov. 2, the insurer determined the identities of people affected by the breach and started notifying victims.
The California Department of insurance was reviewing the security measures of the Nationwide/Allied Group of insurance companies to see if they were adequate to protect consumers. The breach affected more than 5,000 Californians.
"In a global economy, driven by electronic commerce, it is essential that all necessary steps are taken to ensure consumers are protected from an unintentional release or criminal theft of their personal data," Insurance Commissioner Dave Jones said in a statement.
Based on information provided by Nationwide, the Insurance Department believed the company had taken the "appropriate first steps to notify consumers." Through Equifax, the insurer was offering at no charge credit monitoring for one year and $1 million in identity theft insurance coverage.
Having notification procedures in place that follow best practices is an important step in avoiding big-payout, class-action lawsuits, which courts are more open to than in the past, said the prominent law firm Pepper Hamilton.
Over the last couple of years, courts have broadened their definition of the damages people can suffer, making companies liable for actual and future damages, since ID fraud can occur long after the initial breach.
Other steps companies can take to lessen their chances of facing a class-action suit is to have security technology that falls within best practices for businesses of their size in the same industry. In addition, companies should be prepared to show that they took all reasonable steps to prevent data theft.
"The likelihood of a data breach or privacy issue occurring in any business has become a virtual certainty," Pepper Hamilton said in a client alert. "Class action lawsuits stemming from such incidents have upped the ante with the potential of millions of dollars of attorneys' fees if not damage recoveries."
Some experts believe civil litigation can become an effective deterrent to sloppy security at financial institutions. "In the long run, a civil tort/contract liability system will develop that will work more effectively and flexibly -- imposing costs on those who stint their cybersecurity efforts in an unreasonable manner," Paul Rosenzweig, former assistant secretary for policy at the Department of Homeland Security, said in in a blog post at Lawfare.
[See related: Civil litigation: A better way to improve cybersecurity?]
The Nationwide/Allied breach is just the latest attack on the financial services industry. Starting in late September, a group calling itself Izz ad-Din al-Qassam Cyber Fighters launched a series of denial-of-service attacks over several weeks that affected a number of U.S. banks, including Wells Fargo, Bank of America and JPMorgan Chase.
Read more about data privacy in CSOonline's Data Privacy section.