Privacy Breach Insurance Products

Identifying proper remedies and calculating accurate damages seems to be a tricky area of privacy law.
A few of the recent cases we’ve read touch on this challenge. Pisciotta v. Old Nat. Bancorp; Dwyer v. American Exp. Co.; In re Northwest Airlines Privacy Litigation. I agree claims seem attenuate when based on something like the possibility of future credit detriment. But knowing that one’s financial, health or other personal information has been released into the public domain is alarming, regardless of calculable damage. The emergence of privacy breach insurance products is an interesting approach to addressing this complication.

The business entity benefits by shifting significant financial risk to the insurance company. Even
absent litigation, the statutory obligations for notifying parties whose data has been breached can cost
hundreds of thousands of dollars. See MN ST § 325E.61 (costs must exceed $250,000 to even qualify for a break). The statute also authorizes the attorney general to impose penalties, seek injunctive relief and allows private causes of action for aggrieved parties. MN ST § 8.31. That said, the dollars quickly add up. Privacy breach insurance packages can cover security and privacy liability as well as costs related to business interruption and network shut downs.

Additionally, timeliness may be critical in addressing the source of a breach, minimizing the amount of
compromised data and notifying people so they can begin mitigating possible harm. Having an insurance policy for data security breaches will decrease internal business decisions related to how a company responds to breaches and may facilitate transparency from the company through the insulation
provided by insurance.

The aggrieved party also benefits from such policies by having a more straightforward solution
when lacking actual damage. These insurance products provide future credit monitoring services for
individual’s whose data has been released. This seems like a more balanced remedy that addresses
legitimate concern for a breach of sensitive data that may not give rise to present harm, while not
imposing too great a burden on companies in the wake of such a breach.

Ultimately, the best way to address harm from privacy breaches seems to be one that is quick and
holistic. I think privacy breach insurance policies are an interesting tool that may instill greater confidence in individuals asked to supply sensitive information. Alternatively, knowing that a company needs an insurance policy for my information is itself somewhat concerning. I’ve been realizing the real issue with privacy breaches is the fear and insecurity of knowing one’s information has gone viral. The comfort provided from monitoring services and insurance policies may do little to address the intangible harms of the unknown.