The number of reported U.S. data breaches tracked through June 30, 2017 hit a half-year record high of 791. This represents a significant jump of 29% over 2016 figures during the same time period. At this pace, it is anticipated that the number of breaches could reach 1,500 in 2017, a 37% annual increase over 2016, when breaches reached an all-time record high of 1,093. Most businesses are at risk of a data breach.
One way to protect your business is through cyber insurance.* There is no magic calculator to determine the coverage limits you need. It will depend on an inventory of your risk considering what data you have and how you protect it. In other words, what do you stand to lose in the event of a data breach?
First, you must know what data you need to protect. Do you have personally identifying information, or PII (i.e., names and social security numbers, driver’s license numbers and/or financial information)? What about employee bank account information for direct deposits? Do you have protected health information, or PHI, including relating to your employees’ participation in your health insurance program? Do you have payment card information, or PCI? What about confidential corporate information such as client information, intellectual property, or mergers and acquisition information?
Second, be prepared to discuss with the insurance company how you protect such data. What is your information security policy and data breach response plan? Is your protected data stored in the cloud and, if so, what is the cloud provider’s information security policy? Do your vendors have access to such data and, if so, what is their information security policy?
Third, consider what coverage you need. Think about the following losses:
- Forensic investigation
- Legal fees
- Lost or corrupted data/ransomware
- Loss mitigation services such as credit monitoring and identity theft protection services
- Public relations/crisis management
- Business interruption/denial-of-service
- Fraudulent funds transfer
- Regulatory fines/penalties
- Third-party contractual losses, such as PCI fines
- Statutory penalties
- Litigation costs and settlement
Finally, pay close attention to exclusions and limitations. Watch for narrow definitions of PII that may exclude coverage. Is there an exclusion if stolen or lost laptops are not encrypted or unencrypted data is breached in transit? If you use cloud services, look for coverage of data stored outside of your network.
When shopping and negotiating cyber insurance coverage, the wise saying “you get what you pay for” is true. You may need experienced counsel to help you carefully evaluate and negotiate adequate and appropriate coverage for your particular risks, especially when purchasing cyber insurance for the first time.
*Assume but verify that your commercial general liability policy has the standard exclusion for data breaches, i.e., the “loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
Authored by Melody McAnally