Today, January 28th, is recognized internationally as Data Privacy Day. Still, for many businesses out there, today is no cause for celebration. After a year rife with data breaches affecting some of America’s most well-known companies, Data Privacy Day is instead a reminder to businesses of the rising costs and risks of data handling.
Recently, as businesses search for solutions to manage the growing uncertainty and risk, demand for cyberinsurance has skyrocketed. Insuring against cyber attacks is a sensible decision given the high costs of data breaches. By one recent estimate released by IBM and the Ponemon Institute, the average cost for each lost or stolen record containing sensitive and confidential information is $201 across industries, and $219 in the communications industry. The costs can add up fast. Home Depot revealed in its September 2014 public filings that the response to its widely-publicized data breach cost $62 million.
The high costs of a data breach can be broken down into first party costs and third party liabilities. First party costs include crisis management, notification of customers, data loss and restoration, and business interruption. In addition, businesses may face reputational damage and/or cyber extortion, that is, attempts to extort money by threatening to reveal data stolen in a cyber attack. Third party liabilities may include the costs of private litigation, regulatory agency enforcement actions, forensics investigations, and liabilities arising when data is lost in breach of a contractual obligation to a third party affiliate or client.
Insurers offer plans that can cover each of these potential liabilities. Businesses – in consultation with competent counsel – should review the terms of each plan to determine whether the coverage is sufficient or, conversely, unnecessary, based on the individual business’ needs. In particular, businesses should pay attention to the following concerns:
- Triggers: Triggers for insurance coverage should be broad so as to include data loss in any form that can be damaging to a business’ bottom line. But some plans might not cover serious incidents, such as where employees mistakenly download malware. When reviewing triggers, determine whether a plan covers data stored in the cloud, unencrypted data, and customer data that is not considered “sensitive.”
- Exclusions: Many exclusions are irrelevant to most businesses (e.g. exclusions for cyber events arising out of “war” or “nuclear radiation”) or are self-evident (e.g. exclusions for cyber events arising out of fraud), while other exclusions are designed to ensure compliance with security best practices. Avoid loopholes by clarifying the impact of broadly worded language that might exclude “legal costs,” “contractual penalties,” or “civil or criminal fines.”
- Sublimits: Sublimits can severely undermine the value of your insurance plan. Compare plans based on their sublimits and determine whether the sublimits are acceptable, especially considering that every aspect of data breach response and remediation can result in high costs.
- Reporting and Monitoring Requirements: Insurance plans generally require businesses to monitor their networks and report incidents in a timely manner or risk forfeiting their coverage. Companies should determine whether system upgrades or new technologies are required to ensure compliance with insurance terms.
Oftentimes cyberinsurance is a smart option for businesses that collect, store or transmit sensitive data. In the aftermath of a breach and with a company’s reputation on the line, insurance can enable a business to take appropriate steps without fear of the impact on profits. Insurers can even help with setting up call centers to notify customers and providing customers with one year of credit monitoring.
Cyberinsurance is not the right solution for every company, of course. Businesses that handle sensitive data should evaluate their risks and assess whether or not insurance can protect them from those risks. Our firm offers tools for businesses to evaluate their exposure, including our new Privacy Impact Assessment Questionnaire.
Our firm can assist you in analyzing your company’s risks and weighing the costs and benefits of cyberinsurance. If you have any questions, please contact Linda McReynolds, Certified Information Privacy Professional (CIPP/US), at firstname.lastname@example.org, or visit our Information Privacy, Data Security and Consumer Protection practice website.