While business owners may understand the dangers of an overseas hacker who infiltrates their network and steals credit card numbers, most believe that their IT systems are protected by passwords and firewalls and that even if their network were penetrated, a privacy breach is covered under their existing business insurance.
1. “Doesn’t my general liability policy cover me?”
In a word, no. The standard property form protects the physical presence of computers but not the data that is stored on them. The standard general liability form specifically excludes claims of copyright, trademark and trade secret infringement. The personal injury provisions of a general liability form generally rely on “publication,” an undefined term. Although there have been limited instances of coverage for privacy breach under general liability forms, relying on this for coverage is not in your best interest.
Business Interruption coverage, an essential part of any business’s risk management plan, will not respond to outages caused by computer viruses or hackers. In addition, 47 U.S. states now have laws requiring notification in the event of a potential loss of PII (personally identifiable information), as well as fines and penalties for not reporting the breach. Many carriers offer policies that can cover regulatory fines or penalties you might incur because of a data breach. Whether or not slim chances exist for liability coverage in other policies, one thing is for sure: none provide reimbursement for the costly first-party expenses required to comply with regulatory requirements and out-of-pocket legal expenses incurred to navigate the process.
2. “How much is this coverage going to cost?”
Cyber liability insurance is still a fairly new concept, so there’s a lot of variation among policies, and a lot of room for negotiation. However, if you don’t purchase this coverage, you will be liable for first-party expenses including hiring forensic IT experts, notification of customers, providing annual credit monitoring, lawyer expenses and any applicable state or federal fines or penalties.
3. “We have an IT department and we have firewalls. Isn’t that enough?”
Not usually. Many data breaches occur because of an employee error or an “inside job” from rogue employees. From passwords tacked on computer screens in plain sight and employees opening suspicious email and downloading malware to lost laptops and smart phones, a large portion of security breaches occur because of your employees’ actions. Also, keep in mind that a data breach can occur from paper records as well. Outdated customer information, old credit card receipts and employee files that have been thrown into the Dumpster are just as vulnerable as if a hacker logged into your network.
4. “We use a third party for reservations and credit cards. Do we still need this coverage?”
Are you taking online reservations? Are they processing credit card payments online? Chances are you’re already utilizing a third-party or cloud vendor and your network is not storing the data. However, your customers’ personal information, in case of a data breach, is still your responsibility.