To discuss data breach coverage I think it’s important to understand what it is not, as well as what it is. As stated in the previous post, as far as I’m concerned data breach is not cyber liability. Insurance companies may market a product as “cyber”, but “cyber” means anything computer related. Just adding “cyber” to the word “liability” doesn’t really mean anything specific, and it certainly isn’t a clear indication that the coverage is/includes data breach. Instead of me re-stating all of my comments, check out the prior post by clicking on this link: http://tuscanopro.blogspot.com/2012/08/most-misunderstood-insurance-terms.html
Data breach is not third party coverage; i.e. it’s not intended to defend your client or provide indemnification on their behalf for an error or omission generated by their work product. Third party liability assumes that another entity is asking for or demanding monetary damages because of an act, error or omission by your client. While a data breach will probably result in costs to your client, some if not all of those costs are not going to be covered by an E&O policy form that does not include a data breach coverage part.
Data breach is not a package policy that includes GL, Non-Owned and Hired Auto, Crime, etc. I don’t think there’s anything wrong with a “package” that includes E&O, it’s just not necessary to write a package to provide data breach coverage.
I think the most common misunderstanding I’ve encountered so far is being asked to provide data breach coverage for technology service providers not storing critical customer data, including website designers, consultants, hardware and software resellers and programmers. While each situation is unique, If your client isn’t storing/keeping this information, their data breach exposure is probably minimal. (The next post will better define “critical customer data”, but if you want to do some research on your own and get ahead of the curve, do a search for “personally identifiable information”).
If you’re looking for a couple of diagnostic questions to determine if your client has a data breach exposure, you should probably start with questions regarding how many customer records they store, usually electronically, and what type of information is in those records. If your client/prospect does store credit card numbers, medical records, driver’s licenses numbers and/or other similar information, they have a data breach exposure.
The next post will look at what data breach IS…