A data breach policy is a sound investment. You’ve heard enough in the news over the last couple of years about information security breaches at companies and government agencies of all shapes and sizes around the world to know that there’s a constant threat. What you may not know is that IT security professionals generally agree that there is no stopping a sophisticated cyber criminal (or cyber criminal group, as the case may be) from infiltrating basically any system they want. Yes, beefing up defenses is an important part of preventing a breach, but insurance against the hack you couldn’t see coming is equally important.
There are several different types of claims that a data breach policy can cover:
- Claims made by individuals or businesses whose personal/confidential information was compromised. Claims could be due to identity theft as well as unauthorized access to trade secrets or other confidential business information.
- Claims made by those who rely on the services you provide when a breach prevents those services from being available.
- Claims made by other individuals or entities whose systems were breached because you unintentionally transmitted a computer virus to them, or whose systems were shut down because you allowed your computers to become part of a botnet denial-of-service attack (look that one up on Google, it’s a fun concept!).
Data breach policies cover more than just liability claims, though. There are several types of first-party costs that can be covered as well:
- Costs to comply with state laws that require you to notify affected individuals when a breach of your computer systems leads to those individuals’ personal/confidential information being compromised. In fact, most state laws require that you notify anyone whose information *MAY* have been compromised, and also that you cover the costs to provide them with credit monitoring services for a year.
- Costs to recover damaged or deleted data.
- Business interruption losses and extra expense (and note that your property policy won’t cover a BI loss resulting from a cyber attack because there was no physical damage that led to the interruption).
- Extortion payments and investigation costs to apprehend a cyber extortionist. Cyber extortion works two ways: 1) The criminal infiltrates the system and threatens to shut it down if a ransom isn’t paid; or 2) the criminal infiltrates the system and shuts it down until a ransom is paid.
- Payment of defense costs and fines pursuant to any failure to comply with state privacy laws. I generally don’t consider this coverage part incredibly important, because the vast majority of cyber policies on the market today come with access to expert risk management and breach recovery consulting services. So if you do suffer a breach, you have someone to hold your hand through the response process. On the other hand, the prospect of a government agency coming down on you for failing to comply with applicable law can be scary, so there’s nice peace of mind in this coverage.