If you follow the news, you are likely aware of the threat of businesses being hacked. The list of large companies that have been hacked and had their customers’ data compromised is a long one.
And you likely also have heard that if you store any client information, including credit card information, you are at risk. And this is truer than ever, as hackers are more often targeting small to mid-sized companies as they typically have lower defenses, if any.
We’ve told you before about the need to have cyber liability insurance, which promises to cover costs associated with a breach. And if you are like most employers, you have questions. Hopefully they are among the five below, which are the most common questions employers have about such coverage.
1. Don’t my other policies cover me?
No. Your general liability policy’s property form protects your physical computers and servers, but not the data that is stored on them. The ISO general liability form specifically excludes claims of copyright, trademark and trade secret infringement.
The personal injury provisions of a GL form generally rely on “publication” – an undefined term. Although there have been limited instances of coverage for privacy breach under GL forms, relying on this for coverage is not in your best interest.
Business interruption coverage, an essential part of any business’s risk management plan, will not respond to outages caused by computer viruses or hackers. In addition, 47 U.S. states now have laws requiring notification in the event of a potential loss of PII (personally identifiable information), as well as fines and penalties for not reporting the breach.
Currently, a number of insurers offer cyber policies that can cover regulatory fines or penalties your clients might incur because of a data breach. No other policies will reimburse you for the costly first-party expenses required to comply with regulatory requirements and out-of-pocket legal expenses incurred to navigate the process.
2. How much does it cost?
For many small to mid-sized companies, the costs can be less than $1,000. One insurance company provided us with the following prices they recently quoted:
- Online retailer with revenue of $500,000 and a $1 million policy limit. Premium: $1,100. (Risk: customer credit card numbers and other PII.)
- Psychologist’s office with revenue of $1 million and a $1 million policy limit. Premium: $1,600. (Risk: Client records with PII.)
- Doctor’s office with revenue of $700,000 and a $500,000 policy limit. Premium: $649. (Risk: Client records with PII.)
- Professional consulting services with revenue of $400,000 and a $1 million policy limit. Premium: $1,200. (Risk: Client records with PII.)
- Fast-food restaurant with revenue of $15 million and a policy limit of $1 million. Premium: $9,000. (Risk: customer credit card numbers, debit card information and other PII.)
- Data storage center with revenue of $15 million and policy limit of $20 million.
Because cyber liability insurance is still a new and evolving concept, coverage will vary from policy to policy and there is often some room for negotiation. The key though is that if you don’t have a policy and your and your clients’ data is breached, you will be liable for first-party expenses, including hiring forensic IT experts, notification of customers, providing annual credit monitoring, lawyer expenses and any applicable state or federal fines or penalties.
3. Aren’t our IT department and firewalls enough?
Usually not. Many data breaches occur because of an employee error or an “inside job” by rogue employees. From passwords tacked to computer screens in plain sight, to employees opening suspicious e-mail and downloading malware, to lost laptops and smartphones, a large portion of security breaches occur because of your employees’ actions.
Also, keep in mind that a data breach can occur from paper records, as well. Outdated customer information, old credit card receipts and employee files that have been thrown into the dumpster are just as vulnerable as if a hacker logged into your network.
4. If we use a third party for credit cards, do we still need coverage?
If you take credit card payments online, you are likely using a third-party or cloud vendor, and your network is not storing the data. However, in the event of a data breach, your customers’ personal information is still your responsibility.
5. What are my state’s privacy notification laws, fines and penalties?
In California, the law requires the inclusion of certain content in data breach notifications, including a description of the incident, the type of PII breached, the time of the breach, the toll-free numbers and the addresses of credit-reporting agencies.
In addition, state law requires the breached business to send an electronic copy of the notification to the California Attorney General if a single breach affects more than 500 residents. California also requires notice to the Department of Public Health for breaches involving patient medical information.
If your questions weren’t among the five above, feel free to call us and we will be happy to explain cyber insurance in more detail.