Guard Your Company's Cyber Data—Fiercely
The latest on cyber liability, the value of privacy, security insurance and how to protect your company and clients

How much do breaches cost? Of the business breaches identified by the research organizations, 80 percent result in total defense and indemnity costs of less than USD1 million, 15 percent result in insurable damages of between USD1 million and USD20 million, and 5 percent result in total costs of more than USD20 million.

For the biggest breaches, the second cost that has added up to millions of dollars is the liability to banks that must cancel and reissue credit and debit cards. Although in some early cases the breached entity was not held liable because there was no privity of contract, in more recent cases, such as the retail store breaches at TJX and Hannaford, the retailers were held liable to reimburse the credit card-issuing banks for the cost of cancellation and reissuance. Similarly, last year's Heartland Payment Systems breach has left Heartland, a payment processor, responsible for at least USD65 million in costs to credit card-issuing banks. Finally, a number of state statutes, led by the Minnesota Plastic Card Security Act, make the breached party statutorily liable to credit card-issuing banks for the cost to cancel and reissue cards in the event of a data breach.

The largest uncertainty is whether a breached entity is liable to its patients or customers (see the Stollenwerk v. TriWest Healthcare Alliance decision). To date, courts have mostly held that consumers were unable to prove actual compensable damages and have dismissed the cases (see the 2009 BJ's Wholesale Club and Express Scripts decisions). However, a few recent cases have raised the possibility of liability for the threat of damage to consumers. The court declined to approve TD Ameritrade's settlement because it provided insufficient compensation to the harmed consumers, and the Hannaford case was sent to the Maine Supreme Court to determine whether the "time and effort" consumers spend following a security breach constitutes a cognizable injury.

WHAT TO DO TO REDUCE POTENTIAL LIABILITY?

How can risk managers reduce potential liability, mitigate risk and stabilize their company's financial statements? Here are some best practices:

Assemble a data security team and assess the data. The team should have the support of senior management and include IT, legal, finance, procurement, human resources, risk management, operations and sales. In addition to determining the scope of personal data maintained by the company, the team needs to identify how the data is collected, used and transmitted, and the threats to the company's security. Have the team meet monthly.

Develop data protection and privacy policies and procedures. The data security team should review existing policies and bring them in line with industry best practices. Social networking sites such as Twitter, LinkedIn, Facebook and MySpace pose new threats that the policies must address: employees tweeting and chatting online can inadvertently hand attackers the "inside" information they need to penetrate corporate networks. Companies have two options: block access to social networking sites completely, or enforce strict policies governing their use.

Train, test, update and monitor such policies. To be effective, a prevention program must include routine testing of people and systems (at least quarterly), built-in requirements for updating the program as security threats evolve, and monitoring of compliance.

Control hardware and software. Laptops, PDAs and other mobile devices present additional challenges. A data-breach prevention program must assess and control exposures related to hardware and software used by company personnel.

Mitigate risk. This is a three-pronged initiative that involves:

1.) Contractually allocating liability. Contracts with vendors should specify that they are liable for breaches of IT security and of data in their control or possession. The vendor agreement should include a provision that holds your business harmless and indemnifies it for vendor-related breaches, and should require the vendor to carry privacy and security insurance.
