ISO Products Perspective
An agent's primer for data breaches
Agent education is the key to understanding and managing cyber loss exposures
By Shawn E. Dougherty
A critical role of the independent insurance agent is to understand the possible loss exposures of clients, help them recognize the potential for and the impact of a loss, and assist clients in adequately mitigating those exposures through risk management techniques, including insurance.
Data breaches may be the fastest-growing and most financially devastating loss exposure facing commercial risks today. It's important for agents to know what these exposures are and where to obtain the appropriate coverage for their clients.
Firms of all sizes and types have integrated the Internet into their day-to-day business operations and, in doing so, may have access to greater amounts of customer information. Firms that collect personally identifiable information (PII) or personal health information (PHI) should look to protect that information whether stored in an electronic or paper format. While no standard definitions of PII or PHI currently exist, they generally include such information as an individual's name, address, date and place of birth, Social Security number, credit card information, driver's license number, financial records and bank account information, biometric data, medical records, and medical claims information.
When we hear "data breach," the first thing that comes to mind is an intruder hacking into a computer system. But data breaches can result from other sources, such as the theft or loss of a laptop or smartphone, unauthorized access to PII/PHI data by a current or former employee, and the theft or improper delivery or disposal of paper files containing PII/PHI.
Data breach reporting laws in 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands generally require businesses that suffer a data breach to notify all potentially affected parties of that breach. Additionally, federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act hold companies in the financial services and health care industries liable for the disclosure of confidential customer information.
Companies that have experienced a breach can incur significant costs to:
• Notify affected parties of the breach
• Perform a forensic analysis to determine the data accessed
• Establish a call center to handle customers' breach-related inquiries
• Implement credit monitoring services for affected parties
• Hire a public relations firm to help restore the firm's brand and business reputation
• Pay fines assessed by governmental agencies
No matter how large or small a firm is, the tangible and intangible costs associated with a data breach can be significant and could possibly affect the firm's long-term survival.
Some commercial insureds and insurance agents mistakenly believe that traditional insurance products, such as general liability, commercial property, or commercial crime policies, provide adequate coverage to address data breach-related exposures. This is typically not the case. While traditional policies may provide limited coverage for some data breach-related costs, most do not cover all.
In recent years, stand-alone insurance policies—such as the Information Security Protection Policy in ISO's E-Commerce ("cyber" insurance) Program—have been specifically designed to provide first- and third-party insurance coverage for computer- and Internet-related exposures and address exposures generally associated with a data breach. While those stand-alone policies may vary in name and form, most typically provide the following coverages:
• Web site publishing liability—Companies publishing information on Web sites face the same legal exposures as other publishers in cases of copyright infringement, defamation, and violation of rights of privacy. Cyber insurance policies typically provide coverage for errors, misstatements, or misleading statements posted on a Web site that infringe on another's copyright, trademark, trade dress, or service mark; defame a person or organization; or violate a person's right of privacy.
• Security breach liability—A business can suffer a hacker attack that accesses confidential information within a computer system. Coverage addressing a company's liability for the data breach commonly falls under cyber insurance policies.
• Programming errors and omissions liability—This form of liability coverage typically applies to actual or alleged negligence, to the breach of a duty or an omission on the part of the insured firm, or to cases in which the firm's computer system transmits a virus to a third party.
• Replacement or restoration of electronic data—Such coverage often addresses the cost to replace or restore electronic data or computer programs damaged or destroyed by a virus, malicious code, or denial-of-service attack. It usually includes the cost of data entry, reprogramming, and computer consultation services.
• Extortion threats—Cyber insurance policies generally cover an insured's computer system against threats to introduce a virus, malicious code, or denial-of-service attack; to divulge the firm's proprietary information contained in the system or a weakness in the source code within the firm's computer system; and to deploy ransomware or publish the confidential personal information of its clients.
• Business income and extra expense—A firm ceasing Web site business activities because of a virus attack or extortion threat, even for a short period of time, can sustain substantial loss of business income. This can be catastrophic, especially for companies that generate a large percentage of their annual sales online during a short seasonal period of time.
• Security breach expense—This coverage typically provides for the cost of investigating the breach, handling notification expenses, and paying for the insured's expenses, such as hiring a public relations firm, establishing call centers, and implementing credit monitoring services.
The Internet is a critical component of today's business world, and more and more companies are amassing greater amounts of customer information than ever before. The exposure related to data breaches faced by firms grows exponentially as the amount of PII/PHI collected increases. These firms need to take extra precautions to safeguard information and ensure that their business practices and computer systems are kept up to date to minimize the impact of data breaches.
Agents can help their clients recognize and understand the differences between coverages provided in traditional insurance policies and newer cyber policies and help them better address their data breach-related exposures.
Agents need to determine if their clients are adequately protected. Agents also need to assess whether they, themselves, are adequately protected. The need for cyber insurance coverage is evident—its time has come.
Shawn Dougherty is assistant vice president, Specialty Commercial Lines at ISO, a member of the Verisk Insurance Solutions group at Verisk Analytics.