Do I Need Cyber Liability Insurance?
In today’s environment, the answer is probably “yes!” Organizations of all sizes and types increasingly rely on large amounts of their own or their customers’ data to effectively carry out operations, and are tasked with ensuring the confidentiality, integrity and availability of that data. Ransomware attacks or other data breach incidents create not only the internal costs of business interruption and breach response efforts, but also the external costs of penalties imposed by regulators or legal liability under contracts with customers. Courts are also becoming more receptive to class action suits brought by affected data subjects. And as federal, state and even foreign data privacy regulators continue to impose more rigorous and far-reaching requirements, organizations are left more exposed to inadvertent gaps and slipups in their attempts to obtain all required consents from, provide all required disclosures to and honor all rights of consumers vis-à-vis their personal data.
Even if you employ industry-leading data security measures and scrupulously follow regulatory guidelines on data privacy, a significant percentage of data breach incidents or privacy mishaps result from the acts of a rogue employee, lost or stolen devices, or other forms of human error that even the best policies and procedures can’t prevent. Better to be protected for things that are outside your control. Further, if your organization handles personal data of your customers’ consumers or employees, or if you provide service in highly regulated industries such as health care and banking, then your customers will almost certainly require you to carry some form of cyber liability insurance as part of your vendor contracts.
For these reasons and more, cyber liability insurance is an important component to consider for any organization’s data security and data privacy risk management strategy.
Do my existing policies protect me?
Data breach- and data privacy-related liabilities are often not covered by commercial general liability insurance or other common forms of business insurance. Sometimes a professional liability (i.e., “errors and omissions”) policy may include a special endorsement providing coverage in this area, but the damages limit may be low or the scope of coverage may be narrow. If you are unsure of what is covered under your existing policies, you should consult your insurance broker.
What does cyber liability insurance cover?
Depending on the scope of the policy, you may see coverage for common “first-party” costs and liabilities resulting from a data breach or data privacy incident, such as costs related to business interruption, breach mitigation and forensics, legal services, providing notice to consumers, setting up call centers or credit or identity theft monitoring for consumers, and public relations crisis management. You may also see coverage for common “third-party” costs and liabilities such as fines and penalties assessed by regulators or legal liability, defense costs, and expense reimbursement related to the unauthorized disclosure of the personal data or confidential business information of your customers. Some insurers offer ancillary services to go with the insurance coverage, such as pre-breach risk management advising or incident investigation and response services for when a breach does occur.
Keep in mind that as you are discussing coverage options with your insurance broker, it is just as important to consider carefully what is not covered by the policy and to fully understand the conditions and limitations of the coverage that is available (e.g., the coverage only applies if you notify the insurer within XYZ number of hours after you become aware of an incident), so that you can organize your operations and your incident response plans accordingly.
How much does it cost?
You’ll have to speak with an insurance broker to obtain a quote, but generally we hear that premiums start at around $1,000 annually for a basic stand-alone policy with coverage for up to $1,000,000 in damages. In other words, reasonable coverage may be in range for even the smallest start-up business.
You should consult your insurance broker for more information.
While the attorneys at Robinson Bradshaw stand ready to help you navigate the legal landscape related to contractual data security requirements, complying with data privacy laws, rules and regulations and more, we are not licensed insurance brokers and encourage you to consult a licensed insurance broker with any questions related to insurance policy coverage for your business.