Articles | Scrap Risk Insurance

Ross Fields, CLCS

Cyber Privacy Insurance

Cyber crimes threaten businesses and their customers

As anyone who even casually follows business news knows, Cyber Crime and Data Breaches are burgeoning legal issues facing today’s businesses. As consumers, people are worried, as well they should be, but only about their individual, private and personal information. It could be everywhere and it is definitely vulnerable. Businesses, on the other hand, should be worried about every single individual they come in contact with. They also need to be concerned about the other businesses (vendors, clients, etc.) that they engage. Today’s business cannot keep up with the creativity and changing tactics of hackers and Cyber criminals. In addition to being the target of an attack or data breach, a business is certain to be hamstrung by what comes after: the legislative requirements. These include regulatory actions, fines, notification costs, federal compliance, state and even local compliance in some jurisdictions. Because of the ever‐changing tactics of cyber‐criminals, the majority of the tools in place for a business to address Cyber and privacy issues are reactionary and cannot mitigate the risk. Therefore, the best practice is for a business to transfer the risk to another party. The insurance industry has created the best way to remove that risk from a company’s balance sheet.

When evaluating a company’s exposure to this risk, the size of the business does not matter, as all companies are at risk of being targeted for information and data theft. Smaller businesses are often easier targets due to lower security measures and less sophisticated protections than those found at large corporations. A small business is seen as easy prey by the hacking community. Through our interactions with business owners, we have found that most assume that they would be covered by either their network or IT vendors or by one of the insurance policies they already have. Often this is an incorrect assumption and a sad mistake. The most common types of insurance a business may purchase are: General Liability, Property, Auto Liability and Workers Compensation. The latter two have a specific focus, and business owners typically understand that data and privacy would not be covered by insurance intended to cover an auto or an injured worker. Often, business owners assume that if they are sued for any type of liability, their General Liability would cover it. In reality, however, a General Liability policy only responds to bodily injury or damage to tangible property. Likewise, a Property policy only covers damage to tangible property. Most can understand that data and information do not fit the definition of bodily injury. What may be surprising to some is that they are not considered tangible property either. As a result, the insurance industry has created an innovative product to address Cyber and privacy risks.

Know how to protect your business

In a Cyber and Privacy Liability Policy there are a number of different coverage features, but the main concerns fall into one of two categories: 1st party or 3rd party coverage. The 1st party cover reimburses the business that suffered the data breach, e.g. a retailer that lost clients’ credit card data. This will help pay for the costs to notify all the affected parties, set up credit monitoring for all of them and often provide crisis management and public relations services to contain the damage to the insured’s reputation. Often overlooked, the notifications and credit monitoring are legal requirements of a business that has been the victim of a data breach. These costs can be expansive, as large batches of data can often be compromised in a single breach. Moreover, if the affected parties are in different states, there are certain criteria that need to be met according to the guidelines of each jurisdiction. The investigative legal work for state compliance could be extremely damaging to a business’ financial health should it have to absorb the cost alone. A business is going to want the help and experience of the insurer to navigate the process. The 1st party cover will also help the business itself recover: recover lost data, restore systems, networks and user access, and begin the forensic investigation to determine what happened and what needs to be done moving forward. Some policies even include coverage for business income interruption costs as a result of downtime from the attack.

The 3rd party coverage picks up the liability of the business as a result of the incident. These claims and allegations can include lawsuits from the affected parties, the legal defense costs and fines as a result of regulatory actions taken against the insured. Regulatory fines and compliance requirements can come from Federal agencies like the FTC or State and local jurisdictions. A properly constructed Cyber and Privacy Liability policy will include coverage for several key liability issues, such as: unauthorized access, hacking, denial of service, the introduction of malicious code/viruses, unintentional disclosure of information, breach of confidentiality, violation of the insured’s privacy policy and, of course, the surrounding regulatory issues. Most policies also include media liability under the 3rd party coverage. This addresses intellectual property allegations such as infringement of copyrights and trademarks; personal injury, including defamation, libel and slander; and negligence in the content of the insured’s website and media.

“This could never happen to me” is a common response when a business begins to consider its data breach exposure. Below are some real-life examples of the damage caused by Data and Privacy issues.

Examples of damage caused by data and privacy issues

A company’s email system inadvertently transmitted a malicious virus to more than 1,500 clients and other recipients causing, among other damages, widespread loss of data. Likely, this was an employee perusing their email on a lunch break, or clicking the wrong link while shopping online. The company was sued by the receiving parties for failing to detect and prevent the transmission of the virus, claiming losses totaling more than $3.1 million. In this case, the business was not a direct target of attack, just an unknowing aid to the transmission. More likely, hackers sent out thousands of emails or set up thousands of phishing websites. They do this knowing that if even one transmits the virus it could result in multiple (in this case more than 1,500) breaches of sensitive data. A Cyber and Privacy liability policy would have covered, up to its appropriate limits, both the company’s expenses for notification, legal fees, etc., as well as the damages to the 1,500 plus secondary victims.

In other cases, large companies are a direct victim of an intentional attack. Through vulnerabilities in a large clothing and shoe retailer’s credit card processing vendor, millions of dollars were fraudulently transferred via the retailer’s customers’ credit cards. A sizeable class action lawsuit was filed against the retailer on behalf of the customers who were victims of the fraud. Visa then compensated its cardholders for the fraudulent purchases. Visa then sought damages from the retailer’s banks and received them. So, in the end, only the retailer was actually out of pocket for the fraudulently transferred money. Visa compensated its cardholders at the retailer’s direct expense. In a similar story, the owner of two small newsstands in Chicago went through the same issue with MasterCard after his point‐of‐sale system was hacked. The investigation and subsequent restoration to cardholders took place at the newsstand owner’s expense. This is a prime illustration that, although it may be a direct target, the size of a business is of little significance to Cyber criminals. In both cases, the criminals were able to successfully complete fraudulent purchases using the retailer’s credit card and point‐of‐sale systems.

In addition to a well-placed Cyber and Privacy liability policy, a properly written crime policy would assist in managing a company’s risk from cyber crimes. The Cyber and Privacy liability policy addresses the costs of notification, investigation, business interruption, fines and penalties and the resulting liabilities. What is not addressed by the Cyber and Privacy Liability policy is the loss of funds from the business’ banking accounts. Many modern hacking events attack a business’ accounts and cause a significant loss of funds as a result. Most businesses do not realize that they are not protected by Regulation E (Electronic Fund Transfer Act of 1978). Losses of funds as a result of computer or wire fraud on commercial banking accounts are unprotected, and a business is forced to fight its bank over the compromised account. Banks are often winning these legal battles. A properly constructed Crime policy will cover the fraudulent Computer and Funds transfers up to the policy limits. As such, crime coverage is an integral tool in protecting businesses against cybercrime activities.

As one can gather, a business’ exposure to cybercrime is complex and ever‐evolving. A business cannot outsmart the latest tactics deployed by cybercriminals. The damage has been widespread, affecting businesses from international corporations to single-location retailers. The very best a business can do is to transfer this risk to a party better equipped to handle it. The insurance industry has developed the appropriate tools to prepare and protect the business community from these innovative sources of loss. Now, more than ever, a business of any size must seek sound advice and strategize with a broker that fully understands the exposures associated with modern business transactions.