Global CIO: CIOs And The Looming Risk Of Information Malpractice

CIOs are the architects and engineers of the Information Age, with all of the big-time risks and liabilities that come along with that important mantle.

information Staff, Contributor

July 6, 2009


I met recently with the CIO of a major hospital and university system. He was convinced that the "walls were up" and the "network threats monitored." He shared that they spent almost $20 million a year in technology staffing, products, and third-party services. Yet he had never even considered spending 5% of that amount to provide a CIO insurance safety net. In this CIO's defense, he believed also that someone, somewhere in his relatively large and well-run organization had this covered, that someone in some faraway part of the university hospital system had silently provided him with some type of insurance.

The CIO also said, somewhat dismissively, that technology insurance simply isn't his specialty. Well, it should be, because he's in charge of the biggest source of risk and potential liability in his entire organization: IT infrastructure, databases, department staff, and unenforced IT policies! In fact, during that initial discussion we did a quick calculation of the economics of IT failure or abuse. According to the Ponemon Institute, data privacy breaches can cost organizations from $100 to $145 per person (aka "profile") within a database. This CIO actually scoffed at the number, saying it was "way too high." He thought $10 was much more in line -- not because he had objective facts to support that belief, but because that's what an earlier incident had cost him.

Aha! An acknowledgement that a breach had already occurred, with the hospital having to notify 135,000 patients during the previous year. Total direct cost: $1.35 million. But what about the private liability cost that could be associated with such a breach? That was a completely unknown quantity for this CIO and therefore becomes the financial wild card -- especially because the 135,000 patients affected in that breach represent only a tiny portion of the 5 million patient names in the hospital's database.

Consider this: Most traditional business insurance policies were written for a world that communicated by telephone, stored customer data in metal filing cabinets, and strictly controlled employee communication to the outside world. Additionally, most touch points with customers, partners, and suppliers were person-to-person interactions. But that business and professional world simply no longer exists.

Touch points today have become self-service models with customers and automated data exchanges with partners and suppliers. So who's insuring against errors in data protection, automation, and technology failures? Traditional policies were written to cover the slips and falls and negligent acts of the physical world of the Industrial Age, but what are the slips and falls of the Information Age? This exposure also creates an opportunity: CIOs can demonstrate another facet of their business leadership by taking ownership of this new situation and mitigating the risk.

Every working day, my business receives about 10 new submissions for technology insurance, but CIOs rarely are involved as leaders or even as supporters of the process. In fact, some CIOs appear even a bit defensive about the concept of insuring "their stuff," yet their stuff is both the vault and the center of liability. Firms that would never consider lacking insurance covering fire, flood, professional malpractice, or discrimination are almost completely exposed to what could go wrong in the Information Age. Furthermore, the uncertainties associated with technology will match the brisk pace of technology developments themselves. This means the technology risk for CIOs isn't a steady-state phenomenon -- rather, it's a very dynamic one to be reassessed regularly. Emerging and recent technology advancements such as cloud computing, Web 2.0, and smartphones will mean new unintended consequences for the CIOs that leverage them.

Looking forward, the modern CIO will be part technologist, part economist, and part analyst. This transition of the CIO mind-set is more than just a philosophical shift for business and professionals; unseen (and uninsured) technology liabilities are a true threat to the continued success of business in the Internet environment -- indeed, the threat looms over the Internet itself should enough business blunders ruin the public trust in the medium. With business leaders being unaware of both these emerging technology risks and the appropriate ways to hedge against their uncertainty, the Internet success story may falter -- for all of us.

Folks, this is the Information Age. As such, CIOs should take the lead in understanding the economics of IT failure, abuse, or negligence, and consider technology insurance accordingly. If not, someone will end up doing it for them.
