Top 5 Questions Clients Ask About Cyber Liability

By Dean Goodwin, marketing manager, RPS Technology & Cyber

While business owners may understand the dangers of an overseas hacker who infiltrates their network and steals credit card numbers, most believe that their IT systems are protected by passwords and firewalls and that even if their network were penetrated, a privacy breach is covered under their existing business insurance.

1. “Doesn’t my general liability policy cover me?”

In a word, no. The ISO property form protects the physical presence of computers but not the data that is stored on them. The ISO general liability form specifically excludes claims of copyright, trademark and trade secret infringement. The personal injury provisions of a GL form generally rely on “publication”– an undefined term. Although there have been limited instances of coverage for privacy breach under GL forms, relying on this for coverage is not in your client’s best interest.

Business Interruption coverage, an essential part of any businesses risk management plan, will not respond to outages caused by computer viruses or hackers. In addition, 47 U.S. states now have laws requiring notification in the event of a potential loss of PII (personally identifiable information), as well as fines and penalties for not reporting the breach. Many carriers offer policies that can cover regulatory fines or penalties your client might incur because of a data breach. Whether or not slim chances exist for liability coverage in other policies, one thing is for sure: none provide reimbursement for the costly first-party expenses required to comply with regulatory requirements and out-of-pocket legal expenses incurred to navigate the process.

2. “How much is this coverage going to cost?”

“We have negotiated master policy rates with some municipality groups and public education insurance pools with premiums as low as $1,500 a year,” said Estelle Cummings, RPS Technology & Cyber’s national sales manager. “For larger risks, we can tower coverage as high as $70 million.”

Cyber liability insurance is still a fairly new concept, so there’s a lot of variation among policies, and a lot of room for negotiation.  However, Cummings advises agents be certain that their clients understand that if they don’t purchase this coverage, they will be liable for first-party expenses including hiring forensic IT experts, notification of customers, providing annual credit monitoring, lawyer expenses and any applicable state or federal fines or penalties.

3. “We have an IT department and we have firewalls. Isn’t that enough?”

Not usually. Many data breaches occur because of an employee error or an “inside job” from rogue employees. From passwords tacked on computer screens in plain sight and employees opening suspicious email and downloading malware to lost laptops and smart phones, a large portion of security breaches occur because of your employee actions. Also, keep in mind that a data breach can occur from paper records as well. Outdated customer information, old credit card receipts and employee files that have been thrown into the Dumpster are just as vulnerable as if a hacker logged into your network.

4. “We use a third party for reservations and credit cards. Do we still need this coverage?”

Are your clients taking online reservations? Are they processing credit card payments online? Chances are they’re already utilizing a third-party or cloud vendor and your client’s network is not storing the data. However, their customers’ personal information, in case of a data breach, is still the responsibility of your client.

5. “What are our state’s privacy notification laws, fines and penalties?”

Wherever your client is located, make sure that you know the regulatory requirements of the state.  When it comes to the unauthorized release of personally identifiable information (PII), there is no federal mandate governing privacy notification, so each state has its own law. 

In California, for example, S.B. 24 requires the inclusion of certain content in data breach notifications including a description of the incident, the type of PII breached, the time of the breach, the toll-free numbers and the addresses of credit-reporting agencies. In addition, S.B. 24 requires the breached business to send an electronic copy of the notification to the California Attorney General if a single breach affects more than 500 residents. (California already requires notice to the Department of Public Health for breaches involving patient medical information).