Cyber. It’s a word often signifying anything having to do with information zipping across the Internet. In the world of insurance and risk management, it has to do with a broad range of scenarios in which stored information might be damaged or lost. In fact, from an insurance perspective, this information might even live in paper files rather than on a computer.
Electronic or digital data, as well as ideas and confidential corporate information are property. It’s property that may not catch on fire but can certainly be stolen or damaged. The loss of your data property or its inappropriate publication might even limit or eliminate the ability of your business to function.
If data in your care, custody, and control is lost, stolen, or damaged – even if you outsource storage of data to a hosting or cloud computing service – will a lawsuit be filed against you? Do you have a responsibility to notify owners of data in your care about the loss of their property?
Say you’ve got traditional property insurance with business interruption coverage and you have third party liability insurance. You’re already covered, right? In fact, traditional insurance covers tangible property while intellectual property, especially digital bits and bytes, is anything but tangible. For this kind of risk, you will need cyber insurance.
Who’s at risk?
Anyone who collects personal or other sensitive data is at risk. This includes a broad range of service industries from healthcare to stockbrokers, from law firms to retailers and e-tailers, from insurance agencies to educational institutions.
Not sure if you’re in one of those groups? If you’re still wondering if data you store is sensitive, consider whether you handle any of these at risk information types (whether employee or third party information):
- Social Security numbers
- Addresses and/or phone numbers of clients or stakeholders
- Email addresses
- Credit card information and information for billing in arrears
- Financial records including investments, pension and retirement accounts
- Bank information for payroll direct deposit
- Credit information or reports
- User names and/or passwords
- Health records and health insurance information of students or program participants
- Information governed by non-disclosure agreements
Any good cyber insurance policy begins with third party and first party coverage for the loss of or damage to that digital data you store. This is called Network Security and Privacy coverage. Don’t think you need that insurance because you don’t have the exposure? The following scenarios are also covered by cyber insurance:
A company employee takes work home with information stored on a laptop computer. The laptop is stolen from the backseat of the employee’s car while the driver is in a restaurant. Cyber insurance covers the theft of data stored on a laptop and the cost of restoring that data.[i]
An employee opens his or her Facebook account on their desktop computer at work and a virus or other malware infects the company computer network causing a system slow down that affects access to network systems. The costs of detecting and eliminating that virus can be covered by cyber insurance.[ii]
A doctor’s office faxes a patient’s health records, medical payment history, and health insurance information to the wrong fax number and the error is not discovered for six weeks. Thus, the doctor’s office has not notified the patient within the timeframe allowed by regulation. Fortunately, cyber insurance can cover allowable fines and penalties plus the cost of notification itself. The policy also covers costs of resolving the public relations disaster that occurs when a local television station reports the story on the nightly news.[iii]
A cyber criminal in central Asia infects several thousand computers with a virus that allows him to cause them all to contact a North American bank’s website simultaneously. The resulting congestion shuts down the bank’s online customer service capability for two days. This is a distributed-denial-of-service attack which the perpetrator will continue unless the bank agrees to pay $15,000,000. However, the bank’s cyber insurance policy can include an endorsement covering cyber extortion.[iv]
A commercial real estate sales firm decides to lower its capital expenditures on IT services by storing digital files on cloud services provided by a major Internet service provider. Several months later, files containing 5,000 sales contracts – subject to confidentiality agreements complete with banking and credit information – are stolen. The firm not only has the lost data to deal with, but is also in breach of contract. Forensic experts cannot determine whether the information has been hijacked during transmission to the cloud or from the cloud servers themselves. Either way, off-site data hosting can be covered by the firm’s cyber insurance policy.[v]
What’s the cost of risk?
While the common perception is that data loss is usually the result of a malicious event like a hacker attack, hardware failure is a far more frequent cause of loss, especially when grouped with human error and corrupted software. And, there can be a compounding of problems, e.g. you will incur notification costs, but if you fail to notify in a timely manner, you will also have penalties levied against you.
A 2003 study by Pepperdine University pegged the average cost of data loss due to breaches, human error and systems failures at $3.957 million[vi], while a 2009 study by the Ponemon Institute shows that average costs have increased to $6.75 million.[vii]
Generally, data loss cost components include fixed costs like stakeholder notification and credit monitoring and variable costs such as data restoration, regulatory fines, cost of third party lawsuits, systems remediation, plus the harder to measure value of the lost data itself.[viii]
In the event of a data loss, no matter the cause, you have an obligation to notify all affected parties whose sensitive data might be stored in your computer networks or file cabinets. Notification costs can be quite expensive. Your obligation to notify is regulated by a matrix of federal regulations, as well as privacy laws in 47 states plus Puerto Rico and the USVI, and penalties for failing to notify within time limits can be steep. The major federal regulations include:
- FERPA: Family Education Rights Privacy Act (Dept. of Education) requires educational institutions to maintain privacy of student records
- HIPAA: Health Insurance Portability and Accountability Act (Health and Human Services Dept.) In tandem with the HITECH Act protects privacy of personal health records and insurance information
- FCRA: Fair Credit Reporting Act (Federal Trade Commission) with sections of the Graham-Leach-Bliley Act regulates privacy of financial transactions and information
- PCI-SSC: (Payment Card Industry council) regulations oversee privacy and accuracy of credit card transactions
How do you buy coverage?
The premium cost for a cyber insurance policy can range from a few thousand dollars for a $1 million policy limit to hundreds of thousands of dollars for very high policy limits. Over the past ten years, INSUREtrust has written more than $100 million dollars in premiums and paid more than $30 million in claims. Insurers are looking for business and we can find competitive pricing and terms for any risk.
Like all insurance, there is an application process that can be cumbersome. However, over the years INSUREtrust has put together a simplified application that is accepted by many of the leading insurance companies. Call us. We can walk you through the process and make it easy.