Below is the second in a series of posts from Emergent partner Peter Roldan on the increasing need for cyberinsurance. His prior post in the series is here.
Any business that collects and stores Personally Identifiable Information (meaning social security numbers, driver’s license numbers, credit card numbers, or bank account numbers) or Personal Health Information (medical records, including diagnosis, treatment and prescription information) faces the risk of a data breach. A data breach is commonly defined as a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
The costs of a data breach can be enormous. Almost every state has enacted notification laws requiring businesses to provide notice of a data breach to all affected individuals. Some states, including California and Connecticut, also require businesses to provide free credit monitoring to individuals whose personal information has been compromised.
In addition, businesses hit with a data breach face the threat of lawsuits brought by individuals whose information has been exposed.
Generally speaking, insurance coverage for the losses and expenses associated with a data breach is not going to be available under the standard commercial general liability, directors and officers, and errors and omissions insurance policies typically held by most businesses. Instead, businesses must look to special cyber insurance policies in order to insure against these risks.
Because the market for cyber insurance is relatively new, the scope of coverage offered under these policies can vary from insurer to insurer. Policyholders looking to purchase cyber insurance should familiarize themselves with the specific types of coverage that apply to data breach risks and, if needed, seek advice as to what’s needed for their business.
Most cyber insurance policies include liability coverage, including defense costs, for claims brought against a policyholder by persons whose personal information has been exposed in a data breach.
The cost of notifying affected consumers is usually the biggest out-of-pocket expenditure associated with a data breach. Policyholders should make sure that coverage includes the costs of voluntary notification and is not limited to notifications required by law.
The damage to a company’s reputation following a data breach can be immeasurable, making coverage for crisis management expenses essential. Policyholders should examine the policy to make sure that these expenses are covered and to familiarize themselves with any limitations that might apply.
Having insurance to cover the fallout from a data breach is essential, but it’s just as important to make sure that the coverage purchased actually fits a company’s needs. To find out how Emergent can help you to better understand your insurance coverage and identify any potential gaps, contact us.