The recent theft of 40 million credit and debit records may have not been the largest data breach, but it sure did get our attention.
In 2002, California introduced the first “breach notification law,” SB1386, and the majority of states quickly followed suit. Today, 46 states, the District of Columbia, the US Federal Government, Canada, and the European Union all have breach notification laws – often multiple laws applying to different types of data. The data breach tracking website datalossdb.org notes approximately 8,000 breaches since 2004, affecting over 700,000,000 records.
Many misconceptions persist about the exposures of “cyber” liability, the way in which these claims occur, and the extent to which they are insurable.
While many entities feel they are not exposed to “cyber” events, either because they do not handle Protected Health Information (PHI), because they do not sell goods or services online, because they outsource the storage of their data, or because they are small, there is almost no company that is not exposed to data breaches.
In reality, the simple presence of customer data, employee data, or confidential third party corporate data creates this exposure. Though we often think of these events in “cyber” terms, some of the most severe incidents have come from the loss of paper files.
Many companies feel their small size insulates them from data breaches, though the reality is that smaller entities often have less staff able to be dedicated to a data breach response and a smaller balance sheet to settle liabilities. Some small companies with limited assets have been forced into bankruptcy due to their post-breach liabilities.
The insurance products available in the market today are actually a group of products such as privacy liability (called “third party” coverage,) breach costs (“first party” coverage,) regulatory investigations, fines, and penalties, multimedia liability, cyber business interruption, damage to digital assets, and cyber extortion. Many carriers have innovative enhancements to these coverages, or specialized coverages not available elsewhere.
The most commonly used portion of a cyber liability policy is the breach costs insuring agreement, which covers services such as computer forensics, notification to affected individuals, credit and/or identity monitoring, and public relations. While limits, retentions, and policy language are all very important, many buyers find the availability of these resources, centralized through a single, experienced business partner to offer significant convenience and peace of mind.
Though the majority of data breaches are perpetrated by sophisticated hackers, Verizon’s 2013 Data Breach Investigations Report shows that approximately half of known data breaches were attributable to human error. Often, human error facilitates the hack. Approximately one sixth of the studied data breaches arose from third party business relationships. In almost all cases, data storage facilities disclaim all liability for data breaches, leaving the data owner responsible for the costs.
The cyber liability marketplace has changed significantly in the recent past, with coverage now available to companies of all sizes, lower premiums, and lower retentions/deductibles.
Want to be certain you are covered? Hays Companies’ Cyber Liability Practice assists clients ranging from pre-revenue start-ups to established multi-billion dollar entities. Cyber Liability Practice Leader Dave Wasson is available for complimentary consultations at 312.519.7141 or DWasson@HaysCompanies.com.