Unlike your wedding ring or your Rembrandt, data can be stolen but still remain in your possession. Thieves who take copies immediately diminish — maybe destroy — the value of your original.
Insurance companies offer cybersecurity policies to reimburse expenses related to breaches and theft, but the value of the data isn't the central issue, says Reynold Siemens, an attorney at the law firm Pillsbury Winthrop Shaw Pittman. He represents policyholders trying to extract payments from insurers.
Rather than value the data at the center of the situation, the two sides quantify the costs of the incident, such as customer notifications, technology to stop or prevent a future breach, fines and judgments, he says. In some cases, the CIO may be questioned about costs to investigate the incident, determine the extent of it or reconstruct data that's been damaged by criminals.
Policies and premiums are determined based on assessments like these, for which the two sides can estimate a dollar value. But the data itself isn't insured, Siemens says, though it is possible to buy insurance to cover the cost of reconstructing or repairing damaged data.
At the $73 billion retailer Target, last year's theft of the personal data of up to 110 million customers caused expensive problems (not to mention cost the CIO and CEO their jobs). In the first three months after the breach, Target spent $61 million on card reissues, fraud-detection systems, legal fees and other expenses. The store also plans to spend $100 million to install systems to support smart-chip credit and debit cards, which protect data associated with them better than point-of-sale systems alone.
The breach's trickle-down effects include lost sales during the important holiday shopping season. CFO John Mulligan told Wall Street analysts he can't yet measure its full impact, but he described the situation as "meaningfully negative."
So far, Target has received an insurance payout of just $44 million.
Consequences of a breach are difficult to plan for, says Grady, the New England Biolabs CIO. "Trying to anticipate the scale and scope of data compromise can run a very large range, from an email sent to the wrong place unintentionally to a Target-level compromise," he says. Such unknowns make valuing data difficult, he says.
Siemens, who isn't involved in the Target case, says clients sometimes ask if they can buy insurance to protect some discrete piece of data or intellectual property. "The answer, generally, is 'no' because there's no real way to put a value on that," he says. "The process is so esoteric and speculative that the insurance industry is not willing to underwrite it."
Like a Beef By-Product
As technologies such as mobile apps, sensors and analytics come together to produce mountains of data, CIOs have the opportunity to lead discussions about how the information can be packaged as new products and services.