Shostack + Friends Blog Archive


Breach disclosure insurance

A common argument used against state-level breach notification laws, and in favor of federal legislation overriding state laws, is that the existence of these numerous state laws, with their differing requirements and conditions, raises the cost of compliance unacceptably. Just to be prepared to comply with potentially fifty distinct notification regimes, a firm would need to spend major bucks — and much, much more in the event of an actual breach.
This argument just got weaker, as the Chubb Group announced it would provide insurance to cover these (and several other) costs:

To help financial institutions defray the costs of notifying customers of a security breach, [company spokesperson] Vispoli announced that Chubb has enhanced its CyberSecurity by Chubb(SM) policy. A new Security Breach Notification option insures these costs regardless of where the affected customers reside. CyberSecurity, which addresses a financial institution’s e-commerce crime-related exposures, is among the first policies to insure the costs of credit monitoring services for up to one year for the financial institution’s affected customers; creating new customer account numbers and re-establishing secure account numbers; issuing new ATM/credit/debit cards; and hiring a crisis management/public relations firm. The coverage also helps protect financial institutions when a vendor entrusted with its customer data experiences a security breach.

Now, I don’t know anything about Chubb, and I sure haven’t read the fine print of this policy, but on the surface this looks like a positive step.