Cyber Liability Insurance 101
Boiling down cyber into plain language and answering the most common questions.
By Joe DePaul
Individuals, companies, governments, and others have been collecting data for various purposes and in various forms for centuries. What’s all the hype about? Bernard Marr wrote a great article in February 2015 entitled, “A Brief History of Big Data Everyone Should Read,” which mentions that the collection of data goes back to 18,000 BCE. The article discusses the Ishango Bone, which was discovered in 1960 in what is now Uganda, and is thought to be one of the earliest pieces of evidence of prehistoric data storage. “Paleolithic tribespeople would mark notches into sticks or bones to help them keep track of trading activity or supplies,” writes Marr. “They would compare sticks and notches to carry out rudimentary calculations, enabling them to make predictions, such as how long their food supplies would last.”
Why, then, if we have been collecting data for so long have we become so hypersensitive about it? It’s quite simple, really. Along with privacy rights, liability, legal ramifications, and regulatory issues are the costs of an unauthorized data disclosure event (also known as a data breach). This is not by any means an all-encompassing list of concerns, nor is it intended to be, but these are major items to consider in our day and age, where data is collected in all that we do.
Let’s boil it down into plain language, using no insurance policy language or legal interpretations, starting with some simple questions.
What is a data breach? A data breach is an event that involves the release of sensitive, protected, or confidential data that has been viewed, stolen, or used in an unauthorized manner.
What is sensitive, protected, or confidential data? Typically, it involves personally identifiable information, such as name, Social Security number, address, driver’s license number, financial account information, and credit card information. It also includes protected health information, such as any information in a medical record (oral or written) that can be used to identify specific individuals. It also includes any disclosed health information in the course of providing a health care service, such as a diagnosis or treatment. Additionally, it includes corporate confidential information that should be protected in the course of business between one party and another through a non-disclosure agreement.
If an organization is involved in a disclosure of such information and it has a cyber liability insurance policy in place, what can the company expect the policy to cover? Let’s look at different coverages and the consequences of a data breach one by one.
Network Security and Privacy Liability Insurance Coverage (Including Defense)
- Liability for your failure to protect client, customer, vendor, or employee data.
- Liability for a denial-of-service attack or transmission of a virus or malware to a third party.
First Party Coverage – Crisis Management Coverage
- Legal counsel – “data breach coach.”
- Customer notification expenses.
- Credit monitoring/ID theft monitoring.
- Forensic investigation.
- Call center services.
- Public relations experts.
- Notification to affected parties.
- Legal counsel.
- Forensic investigation.
- Customer support (such as a call center).
- Public relations issues.
Regulatory Defense and Penalties Coverage
- Compliance with civil regulatory action taken against you.
Multimedia Liability Coverage
- Liability resulting from multimedia operations, such as copyright infringement, plagiarism, defamation, libel, and slander.
First Party – Data Recovery Coverage
- Costs to restore, replace, or recollect affected data.
First Party – Business Income Coverage
- Lost business income and extra expenses.
First Party – Cyber Extortion Coverage
- Costs to terminate a cyber extortion threat.
Payment Card Industry Coverage
- Costs of fines, penalties, or assessments, including contractual damages by the card brands for non-compliance with Payment Card Industry Data Security Standards.
As shown in this list, the effects of a data breach event can put an organization on its heels quickly. The costs can run from thousands of dollars for smaller breaches to hundreds of millions of dollars for larger breaches. It is unlikely that an organization of any size will have the ability to handle a data breach event by itself. Cyber liability insurance provides organizations with immediate access to premier legal experts, forensic investigators, breach response services, public relations firms, and many other valuable partners so that they can address the event immediately without wasting precious time having to individually negotiate with experts. A well-constructed cyber liability insurance solution will provide the insured with complete access to these firms.
If, as an organization, you have not prepared for a data breach and you find yourself embroiled in such an event that you have not discussed or prepared for internally, you quickly will realize that you have opened Pandora’s Box if there is no cyber liability insurance policy in place that can assist your organization.
Cyber liability insurance is part of the solution to remediate the financial consequences associated with the event. Today, organizations must proactively discuss how to avoid and respond to such an event with their boards, executive and senior management teams, business leaders, employees, vendors, and others to ensure that when an event does occur, the company has put in place an incident response and business continuity plan to assist it through the event.