Recently it was announced that J.P. Morgan Chase & Co was the victim of a data breach and that Home Depot may have been as well. It was just a few weeks ago, according to Reuters, that Russian hackers had stolen 1.2 billion username and password combinations, and more than 500 million e-mail addresses. Until that breach was discovered by a U.S. security firm, neither online merchants nor their customers knew that the data they promised to keep secure was now in the hands of nefarious Russian hackers.

Since the massive Target Corp data breach took place, news of data breaches seem to be surfacing more regularly. The news about a possible data breach affecting Home Depot and J.P. Morgan Chase & Co is yet another wake-up call for any company collecting and securing data online to make certain they have explored every avenue to mitigate their liability in the event of a breach.

Liability for misuse of breached data lay with online merchants who collected it from their customers. The merchants believed that this type of data theft, the resulting corporate exposure, and consumer lawsuits would be covered by their liability insurance. Many merchants learned that this type of massive claim was resisted by their insurer. Therein lay the necessity for captive insurance.

Hale Stewart, J.D., LL.M. of HS Captive Management and The Law Office of Hale Stewart in Houston, Texas, a nationally recognized expert on captive law and captive insurance management, says that most commercially available policies have significant and well-known exemptions. A captive insurance company provides better coverage for security breaches because it is a wholly owned insurance subsidiary used to insure risks of the parent corporation. Its structure allows the parent corporation to write its own broad policies, and to cover risks that are not covered by traditional insurance policies.

“If a company has a cyber liability insurance policy for $100 million, and they file a claim against it, the insurance company will work feverishly to limit their overall liability. They may stop writing policies for that client, or they will make the claims process so onerous as to make the policy useless,” explained Stewart.

In the meantime, data theft is an expensive and potentially explosive silent threat that has the power to undermine even the most solid company.

A captive insurance policy is effective and written in a way that matches risk. Stewart says that the parent company can write a broad policy covering potential risk, file claims when necessary and receive the benefits of those claims without penalty.

According to Stewart, a feasibility study can be performed to determine whether captive insurance is best for a potential client. The study considers factors such cyber liability exposure, electronic commerce, and if they store some type of confidential client data. “We work with companies that have gross revenue over $1 million dollars and a record of free cash flow of $250,000 to $350,000 for the last 2 to 3 years,” said Stewart. The study also factors in their current insurance coverage and what an optimal captive structure would look like for them. Once all these factors are considered, the premium is calculated and a prospective business plan is delivered to the client in 30 to 60 days.

It’s important to note that a captive must be carefully managed. Compliance related documents must be filed every year and insurance policies are usually altered annually as cases in certain jurisdictions come to the forefront. Also, the investment portfolio must be monitored and altered as the economy and markets grow and contract.

Stewart underscores the importance of captives explaining “breaches of secure data are a lot more common than we thought they were. Even when data is placed behind firewalls and merchants truly believe they have secured it, it is still vulnerable. Captive insurance can mitigate some of the damage done by hackers and cyber thieves.”

Before law school, F. Hale Stewart was a bond trader with several regional firms where his clients included small community banks, insurance companies and hedge funds. He is author of US Captive Insurance Law which is now the leading legal text in the field. He is also author of the book Who Should Form a Captive Insurance Company, which was published in collaboration with the TaxConnections.com website.

Mr. Stewart has provided continuing education for the American Bar Association and his articles have been printed in American Bar Association publications. He currently provides legal commentary and analysis for the Tax Analysts tax service and has been cited on CNN, the Boston Globe, the Miami Herald, the Kansas City Star, the Sacrament Bee, and Worth Magazine. His economic and security analysis can be read on XE.com and Seeking Alpha.