Showing posts with label Cyber Liability. Show all posts

Tuesday, December 11, 2012

Data Breach Part IV - Coverages

Photograph by Ofer Wolberger, Popular Mechanics July 2010
Most of us know that the lock on the door of our house is sufficient to prevent someone from gaining easy access to our property. It's been said that locks keep honest people out. But we also know that if someone is really determined, they can breach the majority of security measures we might have in place. If they're really skilled, they can do so rather quickly. The same is true of our computers and the data stored on them, especially those used in a business operation.

As business and government operations rely more heavily on computers to perform tasks and store data, more criminals, hackers and terrorists are turning toward computer-related crimes to make money, cause damage or both. In the past few years there's been a significant spike in cyber crime, and there's no reason to believe the rate of incidents will diminish anytime soon. The FBI's Internet Crime Complaint Center (IC3) states they received over 314,000 complaints of online criminal activity in 2011 (2011 Internet Crime Report). That's the third year in a row incidents topped 300,000, and that's just what was reported to them.

Insurance carriers are trying to keep up with the changing landscape by crafting new coverage options and improving existing wordings and features. Here are a few of the current options that may be available to your client (terminology may vary slightly from carrier to carrier, and some coverages provided, especially first party, will usually be subject to a sub-limit):
  • Network and Information Security
    • claims arising from unauthorized access to data, usually personally identifiable information
    • failure to provide notification of a breach (as required by law)
    • transmission of a computer virus or similar
    • liability associated with the failure to provide authorized users with access to the company's website
  • Communications and Media Liability
    • coverage for claims arising from copyright infringement, plagiarism, libel, slander in electronic content
  • Defense Expense
    • coverage for governmental claims as a result of network and information security liability, and/or communications and media liability
  • Security Breach Remediation and Notification Expense (first party)
    • costs incurred to determine whose identity information was accessed
    • cost of notification to customers/others of the security breach
    • identity fraud expense reimbursement for those individuals affected by the breach
    • credit monitoring services for those notified (usually for 12 months)
    • call center services to assist with inquiries
  • Computer Program and Electronic Data Restoration Expenses (first party)
    • expenses incurred to restore data lost from damage to computer systems due to computer virus and/or unauthorized access.
  • Computer Fraud (first party)
    • coverage for loss of money, securities or other property due to unauthorized access to computer systems
  • Funds Transfer Fraud (first party)
    • coverage for loss of money or securities due to fraudulent transfer instructions to a financial institution
  • E-Commerce Extortion (first party)
    • money paid due to threats made regarding an intent to destroy data, introduce a virus or attack a computer system, disclose customer info or other similar threats
  • Business Interruption and Additional Expenses (first party)
    • loss of income and extra expense incurred to restore operations; must be the result of a computer system disruption caused by a virus or other unauthorized computer attack
This is a fairly representative list, but each carrier tries to offer something a little different, so exact terms will depend on the unique qualities of the business and the carrier offering the coverage(s). Also, it's not necessary to buy all of the coverage options; usually the coverages can be purchased in sections or modules. Contact us today for a quote or help determining how to best address your client's needs.

Thursday, September 27, 2012

Data Breach Part III - What It Is

Not being able to visually depict a data breach, I found a photo of an earthen dam being breached. Similar to water, when data is not contained where it’s supposed to be, the result can be damaging and costly.
Data Breach coverage is first party coverage, meaning it’s intended to provide coverage to your client if they experience a loss of THEIR customers’ *personal information. There’s no need for the policy to be triggered by a suit or other demand for damages as you would expect in a third party claim. (*Personal information includes credit card numbers, driver’s license numbers and/or social security numbers. Most of the U.S. Government’s info on this subject refers to such customer info as “personally identifiable information”, or PII; some carriers are simply calling it “personal information”, or PI.)
In addition, even if they don’t have thousands of customer records containing PI that is lost or stolen, the fact that this info COULD have been compromised is usually all that’s necessary to trigger notification requirements spelled out in state and federal laws. Simply put, your client could very well be on the hook to send out written notification to ALL of its clients, even if only one record is lost or stolen.
In addition to existing federal laws, forty-six states have enacted laws regarding notification. The notification requirements are not standardized, and if your client has customers in multiple states the likelihood of your client knowing the statutes and being able to quickly and easily comply with them is slim and none, and you guessed it - slim has already left town. The cost of a reputable, qualified third party to perform the notification task for your client varies greatly based on territory and some other factors, but I’ve seen estimates from $50 to $250 per customer record. (If you need help explaining the reason for the costs being so high, I can help with that.)
If you want documentation of those costs, there aren’t a lot of options available just yet, but try the report from Ponemon Institute in association with Symantec. For the events they could verify, they show that the cost of notification for 2011 was $194 per record. http://www.symantec.com/about/news/release/article.jsp?prid=20120320_02
This report also shows the difference in breach event costs between companies that have chief information security officers and those that don’t, as well as several other factors.
Other “hard” costs that your client may have to deal with are regulatory costs and credit monitoring services. Regulatory costs could include fines, penalties and/or the establishment of a compensatory fund – all as determined by the regulator. Your client must also provide credit monitoring services for those customers who may have had their information compromised. It’s usually a requirement for a company that’s had a breach to provide their customers with at least one year of credit monitoring services from a qualified third party vendor.
In addition to hard costs there are “soft” costs that are likely to be associated with a data breach: abnormal turnover of customers, increased customer acquisition (or re-acquisition) activities, reputation losses, as well as diminished goodwill.
Obviously there’s more to consider, but hopefully this gives you an idea of what’s at stake and helps you evaluate which of your customers may need to consider this coverage. In the next post I’ll look at coverage options available.

Monday, August 27, 2012

Data Breach: What It’s Not


To discuss data breach coverage I think it’s important to understand what it is not, as well as what it is. As stated in the previous post, as far as I’m concerned data breach is not cyber liability. Insurance companies may market a product as “cyber”, but “cyber” means anything computer related. Just adding “cyber” to the word “liability” doesn’t really mean anything specific, and it certainly isn’t a clear indication that the coverage is/includes data breach. Instead of me re-stating all of my comments, check out the prior post by clicking on this link:  http://tuscanopro.blogspot.com/2012/08/most-misunderstood-insurance-terms.html

Data breach is not third party coverage; i.e. it’s not intended to defend your client or provide indemnification on their behalf for an error or omission generated by their work product. Third party liability assumes that another entity is asking for or demanding monetary damages because of an act, error or omission by your client. While a data breach will probably result in costs to your client, some if not all of those costs are not going to be covered by an E&O policy form that does not include a data breach coverage part.

Data breach is not a package policy that includes GL, Non-Owned and Hired Auto, Crime, etc. I don’t think there’s anything wrong with a “package” that includes E&O, it’s just not necessary to write a package to provide data breach coverage.

I think the most common misunderstanding I’ve encountered so far is being asked to provide data breach coverage for technology service providers not storing critical customer data, including website designers, consultants, hardware and software resellers and programmers. While each situation is unique, if your client isn’t storing/keeping this information, their data breach exposure is probably minimal. (The next post will better define “critical customer data”, but if you want to do some research on your own and get ahead of the curve, do a search for “personally identifiable information”.)

If you’re looking for a couple of diagnostic questions to determine if your client has a data breach exposure, you should probably start with questions regarding how many customer records they store, usually electronically, and what type of information is in those records. If your client/prospect does store credit card numbers, medical records, driver’s license numbers and/or other similar information, they have a data breach exposure.

The next post will look at what data breach IS…

Monday, August 13, 2012

The Most Confusing Insurance Term Is…

The concept of Cyber Liability is confusing enough - don’t complicate things by confusing Cyber Liability with Cyborg Liability. At this time, I don’t have any markets available for the latter. But you never know…

(First in a series)

I’m sure there are many insurance terms that aren’t clearly understood, or that don’t really describe what the coverage is, but my vote is for “Cyber Liability”. Let’s face it, we are now reading and hearing about “cyber” everything. Cyber bullying has become a major issue, especially for school age children. I’ve seen a number of commercials for cyber knife medical technology. And of course there are many others, including cyber space, cyber crime and cyber security.

Merriam Webster online dictionary defines cyber as: “of, relating to, or involving computers or computer networks (including the Internet) <the cyber marketplace>”

Based on that definition, cyber liability could be insurance for your client whenever they’re using the internet. Or perhaps it’s any insurance coverage involving computers or computer networks? I think I’ve seen requests for cyber liability that involve all of these areas of exposure/operations and more.

Here’s what I think most people mean when the term “cyber liability” surfaces - more than likely they’re referring to an insurance product that’s meant to provide some level of coverage for a data breach, also called an information security breach.

The simplest way I can define or describe a data breach is when personal information – usually critical financial info – of your insured’s customer is lost or stolen. In fact, the data really doesn’t even have to be lost or stolen. If your client retains credit card, driver’s license and/or other personal financial info, and their network is hacked, or they lose a laptop or other electronic device, and the info may be at risk, your insured has an obligation to notify their clients. That can be costly, so you need to make sure the policy either covers those costs, or you advise your client that it does not.

In subsequent posts, I’ll get into coverage details, applicability to some of the business operations you may encounter and so forth. In the meantime, if you have questions or need some help sorting out a current quote – call Tuscano. And yes, resistance is futile.