Protect Your Business with Cyber Liability Insurance
Author: Steve Kiddoo
November, 2012 Issue
In recent issues of NorthBay biz, I’ve been following Mike Duffy’s excellent columns on cybercrime (Tech Talk, Aug.-Oct. 2012) about being aware and managing the risk that business owners face in this age of information gathering and electronic storage. It seems like every day we read of a large company getting “hacked” by cyber thieves stealing credit card information and personal data that can cause us—the consumers and clients—major headaches and financial loss. Unfortunately, the consumer isn’t the only one at risk. The business owner who holds the data faces the same risk. Hacking isn’t the only peril; an employee could make an error and breach your security or you could lose your laptop.
This type of theft (of your clients’ identity and personal information the criminals want) is a form of currency, a thing of value. The best place to find a large quantity of identities is from a business or service where, in some cases, the fruit is ripe for picking. What should business owners do? Follow the advice of people like Mike Duffy and other IT professionals and don’t cut corners if you can help it. More important, ask yourself how prepared you are in the event of a loss of the confidential information of others (your customers) who you’re entrusted with and obligated to protect. How many laptops in your fleet go home or travel with your employees? How well do you keep track of what your employees do with their machines? That may be an impossible task.
Another way to manage your risk as a business owner is with a fairly new insurance product called cyber liability insurance. This coverage can be written as a stand-alone policy or, in some cases, added as an endorsement to your existing insurance policy, each insurance carrier being different. If your current insurance carrier doesn’t offer it, find another carrier.
What does it cover and why do business owners need it? Well, beyond the damage to your business that hacking may cause, you have a responsibility to your clients. Your current business policy may cover the damage to your machines and the property of others, bodily injury and crime (not theft of information), but it doesn’t cover the cost of notifications you’re required to give your clients or the client credit monitoring you may have to perform (which you may be required to continue for more than a year). Your business may face claims of unlawful disclosure, invasion of privacy, third-party business interruptions and lawsuits for intellectual property, trademark or copyright infringement. You may also have a public relations crisis on your hands that needs an expensive repair. You have to wonder whether your clients will trust you going forward. Apologies are a good start, and think how much better it would be if you could offer a remedy and a monitoring service. That could save the day for many businesses. One way to estimate your exposure to this type of loss is with a data breach risk calculator such as the one on Symantec’s website (there are many others as well) to determine your average cost per client and thus your possible total cost of the loss. Add that in with the impact on your reputation and the cost can soar.
Some examples of coverage found in a cyber liability policy follow.
Third-party liability coverage:
• Disclosure injury, including lawsuits alleging unauthorized access or dissemination of private information;
• Conduit injury, arising from system failures of your customers’ systems being compromised;
• Content injury, arising from intellectual, trademark and copyright infringement, or domain name and slogan infringement; and
• Impaired access injury, including claims arising from system security failures of your customers’ systems.
First-party expense coverage:
• Privacy notification expense, including the cost of credit monitoring, from breach of consumer protection laws such as the Fair Credit Reporting Act (FCRA), the California Consumer Credit Reporting Agencies Act (CCCRAA) and the European Union (EU) Data Protection Act;
• E-business interruption, including the first-dollar extra expense, for additional costs associated with renting or leasing equipment, use of third-party expenses, additional staff expenses or labor costs directly resulting from a covered loss of digital assets;
• E-vandalism expense, even the vandalism or intentional acts caused by an employee, to your systems and customer data;
• Coverage for loss resulting from administrative or operational mistakes—extends to acts of the employee, business process outsourcing or outsourced IT provider; and
• Cyber extortion, reimbursement for cost associated with a credible threat to introduce malicious code, “pharm” and “phish” systems, or to corrupt, damage or destroy your computer systems.
Cybercrime can happen to anyone, anywhere. Often, it’s committed by someone close to your business or carried out by an insider (such as a disgruntled employee). It could be caused by someone in another country or the kid down the street. Breaches can come from a simple mistake, as pointed out in Duffy’s columns.
Between 2005 and 2011, more than 543 million sensitive data records have been breached, according to the Privacy Rights Clearinghouse website. Individuals who’ve had their identities compromised by a security breach are four times more likely to suffer identity fraud within a year of the breach notification, according to a report by Javelin Research and Strategy.
I recently participated in a seminar hosted by one of the larger players in the cyber liability arena, and it certainly was an eye-opener. During the introduction, it was jokingly stated that no company has ever reported a laptop lost—only stolen—yet every major airport in America has a closet somewhere full of lost machines. You can imagine how it would feel reporting that you left your company laptop under the seat when you exited the plane after a long flight.
As a business owner and insurance professional, I advise you to check into it. Ask your risk manager about finding this valuable coverage and ask what the minimum premium is. Getting a premium price is free; paying for a loss certainly is not.
Steve Kiddoo is owner of Kiddoo Insurance Agency in Santa Rosa and broker associate with Farallone Pacific Insurance Services in Novato. Steve has been in the insurance and risk management business for more than 26 years. His email address is firstname.lastname@example.org.
Back to article list | Top of page