Monday, August 27, 2012

Data Breach: What It’s Not

universal no symbol

To discuss data breach coverage I think it’s important to understand what it is not, as well as what it is. As stated in the previous post, as far as I’m concerned data breach is not cyber liability. Insurance companies may market a product as “cyber”, but “cyber” means anything computer related. Just adding “cyber” to the word “liability” doesn’t really mean anything specific, and it certainly isn’t a clear indication that the coverage is/includes data breach. Instead of me re-stating all of my comments, check out the prior post by clicking on this link:

Data breach is not third party coverage; i.e. it’s not intended to defend your client or provide indemnification on their behalf for an error or omission generated by their work product. Third party liability assumes that another entity is asking for or demanding monetary damages because of an act, error or omission by your client. While a data breach will probably result in costs to your client, some if not all of those costs are not going to be covered by an E&O policy form that does not include a data breach coverage part.

Data breach is not a package policy that includes GL, Non-Owned and Hired Auto, Crime, etc. I don’t think there’s anything wrong with a “package” that includes E&O, it’s just not necessary to write a package to provide data breach coverage.

I think the most common misunderstanding I’ve encountered so far  is being asked to provide data breach coverage for technology service providers not storing critical customer data, including website designers, consultants, hardware and software resellers and programmers. While each situation is unique, If your client isn’t storing/keeping this information, their data breach exposure is probably minimal. (The next post will better define “critical customer data”, but if you want to do some research on your own and get ahead of the curve, do a search for “personally identifiable information”).

If you’re looking for a couple of diagnostic questions to determine if your client has a data breach exposure, you should probably start with questions regarding how many customer records they store, usually electronically, and what type of information is in those records. If your client/prospect does store credit card numbers, medical records, driver’s licenses numbers and/or other similar information, they have a data breach exposure.

The next post will look at what data breach IS…

Monday, August 13, 2012

The Most Confusing Insurance Term Is…

borgThe concept of Cyber Liability is confusing enough - don’t complicate things by confusing Cyber Liability with Cyborg Liability. At this time, I don’t have any markets available for the latter. But you never know…

(First in a series)

I’m sure there are many insurance terms that aren’t clearly understood, or that don’t really describe what the coverage is, but my vote is for “Cyber Liability”. Let’s face it, we are now reading and hearing about “cyber” everything. Cyber bullying has become a major issue, especially for school age children. I’ve seen a number of commercials for cyber knife medical technology. And of course there are many others, including cyber space, cyber crime and cyber security.

Merriam Webster online dictionary defines cyber as: “of, relating to, or involving computers or computer networks (including the Internet) <the cyber marketplace>”

Based on that definition, then cyber liability could be insurance for your client whenever they’re using the internet. Or perhaps it’s any insurance coverage involving computers or computer networks?   I think I’ve seen requests for cyber liability that involve all of these areas of exposure/operations and more.

Here’s what I think most people mean when the term “cyber liability” surfaces - more than likely they’re referring to an insurance product that’s meant to provide some level of coverage for a data breach, also called an information security breach.

The simplest way I can define or describe a data breach is when  personal information – usually critical financial info – of your insured customer is lost or stolen. In fact, the data really doesn’t even have to be lost or stolen. If your client retains credit card, drivers license and/or other personal financial info, and their network is hacked, they lose a laptop or other electronic device and the info may be at risk, your insured has an obligation to notify their clients. That can be costly, so you need to make sure the policy either covers those costs, or you advise your client that is does not.

In subsequent posts, I’ll get into coverage details, applicability to some of the business operations you may encounter and so forth. In the meantime, if you have questions or need some help sorting out a current quote – call Tuscano. And yes, resistance is futile.