Data Breaches and Cyber Liability Insurance


Compiled by Darby Giannone, Ph. D.

While it may seem funny that Burger King's hacked Twitter account was made over to look like McDonald's, the cyber hacking that overshadows the summit between President Obama and China's Xi Jinping is not. It is a sign of the networked times that data breaches may be the fastest growing and most financially devastating loss risk facing businesses today. While medical organizations and companies with large databases of financial and personal information are favored targets, The Hartford Financial Services Group reported that 31% of data breaches investigated in 2012 were from organizations with fewer than 100 employees.

What is a data breach? A data breach occurs when someone obtains proprietary or confidential information from your business without your knowledge or permission, whether by hacking into a computer system, stealing a laptop, smartphone, copier or scanner, or downloading information from a company server. The breach may be perpetrated by a hacker, an opportunistic thief, or an employee. Damage and access may be caused by malware such as spyware, keyloggers, and viruses spread through email, calls, text messages, or pop-up messages that appear to come from friends or legitimate sources. According to Ponemon, smaller organizations experience a higher proportion of cyber crime costs relating to viruses, worms, trojans, phishing, stolen devices and malware, while larger organizations experience a higher proportion of costs relating to malicious code, denial of service, web-based attacks, and malicious insiders.

The Ponemon Institute research report of 2012 documents the economic impact of cyber attacks. “The total annualized cost of cyber crime for the 2012 benchmark sample of 56 organizations ranges from a low of $1.4 million to a high of $46 million. Participating companies were asked to report what they spent and their in-house cost activities relating to cyber crimes experienced over four consecutive weeks. Once costs over the four-week period were compiled and validated, these figures were then grossed-up to present an extrapolated annualized cost.” (pg. 5) When calculated by size of business in terms of number of customers, the cost to small businesses for investigating and responding to attacks, as well as the resulting lawsuits and regulatory fines, averaged $1,324 per customer; for large businesses it averaged $305 per customer.

If your business collects and maintains personally identifiable information or personal health information (covered by HIPAA and HITECH) in electronic or paper format, you are required to protect that information from unauthorized use and from access by unauthorized users. If your business has developed systems, products and communication tools that are central to its success, no law requires you to protect that information; however, loss of it has a large impact on business stability and profitability.

Immediate steps if you believe your business is the victim of a data breach or cybercrime:

· Immediately cease all online activity

· Contact your IT administrator

· Remove the affected computer, and any other workstations that may be affected, from the network

· Contact your bank to disable online access to your accounts

· Notify other business partners that may be affected

· Notify your insurance agent and insurance carrier

· File a report with the police department

Significant costs are associated with the actions required to mitigate a HIPAA/HITECH data breach:

· Notify affected parties of the breach

· Perform a forensic analysis to determine the data accessed

· Establish a call center to handle customers’ breach-related inquiries

· Implement credit monitoring services for affected parties

· Hire a public relations firm to help restore the firm’s brand and business reputation

· Pay fines assessed by governmental agencies

Businesses thinking about cyber liability can put safeguards in place. Insurance underwriters, who make decisions about policy provisions and exclusions, increasingly ask about these safeguards.

· Set standards and processes for proper data management

  · Encrypt or use other protective measures to safeguard personal information

  · Decide what type of personal data to maintain, how to store it and for how long

  · Require a strong password to protect all PCs and mobile devices that access company systems

  · Protect each individual PC with automatic updates of the operating system and applications, and with centrally updated and monitored anti-virus, anti-spyware and anti-spam software

  · Implement a secure email system

  · Limit employee use of the internet and email to company purposes and eliminate all connections to personal sites

  · Obtain secure website capability: a firewall that includes anti-virus, anti-spyware, and anti-spam services along with content filtering and intrusion prevention, detection and real-time reporting

  · Know the procedures for working with third-party vendors: banks, shredding services, hardware disposal, or outsourced services such as credit card processing

  · Have a backup system that regularly retrieves data from the company server and stores it off site

  · Involve employees in creating a cyber security focused culture and periodically review procedures to evaluate and update practices

· Develop a crisis response plan

  · What to do in the event of a data breach

  · What to do in the event of a disaster that affects data storage

  · Train all employees and periodically review procedures to evaluate and update practices

Business owners generally believe that traditional insurance products – general liability, commercial property, commercial crime – provide coverage for data breach-related exposures. This is typically not the case: traditional policies provide limited coverage for some data breach-related costs, but most do not cover all of them. Some general liability policies specifically exclude losses incurred because of the internet.

Cyber Liability Insurance is a relatively new stand-alone insurance policy that is specifically designed to provide first- and third-party coverage for computer and Internet-related exposures, including those associated with a data breach. A business will need to answer questions about loss experience, including corrective actions and damages; questions about outsourcing and third-party providers; and questions about privacy controls and media liability controls. Some of the typical risk control questions a business will need to answer:

· Do you have a firewall?

· Do you have a virus protection program that is used on internet-facing and internal mail servers, desktops, and other mission-critical servers?

· Do you use standard configuration for firewalls, routers, and operating systems?

· Do you have a process for managing computer accounts, including the removal of outdated access accounts in a timely fashion?

· Do you have physical security controls in place to control access to your computer systems?

· Do you have a written business continuation/disaster recovery plan that includes procedures to be followed in the event of a disruptive computer incident?

· Do you have a designated individual or group responsible for information security and compliance operations?

Typical Cyber Liability Insurance coverages can include liability insurance for:

· Security breach: Addresses the company’s liability for data breach and loss of confidential information

· Replacement or restoration of electronic data: Cost of data entry, reprogramming, and computer consultation services associated with replacing or restoring electronic data or computer programs destroyed by a virus, malicious code or a denial-of-service attack

· Web site publishing: Errors, misstatements, or misleading statements that infringe on a copyright, trademark, trade dress, or service mark; defame a person or organization; or violate a person’s right of privacy

· Programming errors and omissions: Alleged contractual negligence, or the firm’s computer system transmitting a virus to a third party

· Business income and extra expense: Loss of business income generated from website or online sales due to ceasing activities because of a virus or extortion threat

· Extortion threats: A threat to introduce a virus, malicious code, or denial-of-service attack; divulge proprietary information contained in the company’s system; inflict ransomware; or publish the confidential personal information of company clients

Sources:

· Rough Notes

· Professional Insurance Association

· Independent Insurance Agents and Brokers Association

· Ponemon Research Institute, 2012 Cost of Cyber Crime Study, USA

· Insurance Carriers
