Coverage for Data Breaches – What You Should Know

Jeff Gelburd | Business Insurance, Insurance, Risk Management

A data breach is a loss involving theft, accidental release or accidental publication of Personally Identifiable Information (PII) or Protected Health Information (PHI). This information includes Social Security numbers; bank account, credit or debit card numbers; driver’s license numbers; PINs; medical diagnoses, patient history and medications; and other private information defined by state or federal law. Data breaches can occur in various ways:

  • Unauthorized access, such as by former employees, vendors or hackers.
  • Stolen or lost paper files, or shipped documents failing to arrive at their proper destination.
  • Mailing, faxing or emailing documents with one person’s PII to the wrong person.
  • Computer systems compromised through a virus, Trojan horse or improper security.
  • Stolen or lost laptop, computer disks, USB flash drives, portable hard drives or back-up tapes.
  • Employee error or oversight.

Who needs this coverage?

Virtually no business is immune from this potential risk, including yours. Nearly all businesses that handle or store any private business, customer or employee data are at risk for a data breach and could benefit from this coverage. The possibility is especially high for organizations that routinely deal with credit cards, patient medical records, Social Security numbers and other sensitive information, including: professional services (lawyers, accountants, real estate, insurance agents); retailers and restaurants; financial services; healthcare providers/facilities; educational institutions; and manufacturers or distributors.

Isn’t this covered by one of my other policies?

Most likely not. There are times when pieces of privacy coverage show up on other policies, but that coverage and those triggers are generally not as broad. It is also very important to have a standalone policy to make sure you have complete coverage not only for defense costs and liability, but also for notification and credit monitoring costs.

Notification costs are the costs of creating and sending a letter to clients and/or employees who have had their information compromised. This is required by 46 states currently. A single letter can cost from $1-$5 per person.

Credit monitoring costs are the costs to pay a credit bureau to monitor someone’s credit. These costs can be very expensive, ranging between $20-$30 per person per year.

There can also be forensic expenses, which are the costs associated with paying an expert to figure out how your network was hacked or how the data was compromised. You may also be liable for crisis management expenses. These are the costs associated with public relations damage control when you have lost information and/or have had a breach.

Fines, such as those under HIPAA, HITECH, the FTC and Gramm-Leach-Bliley, may be other incurred expenses. Cyber liability insurance covers these and other privacy-related fines, including those that are state-mandated.

Cyber liability insurance covers the loss of client information as well as the loss of employee information. It also covers loss or theft of client information by employees, as long as those employees are not executive officers of the company.

What if I lose information but don’t get sued, do I still need coverage?

Yes. This policy provides coverage for preventative costs including notification and credit monitoring, as well as upfront costs like data forensic and crisis management expenses. If you do get sued, there is also coverage for defense and indemnity expenses.

If you have more questions, contact your Murray representative or Jeff Gelburd, CPCU, ARM, Vice President, Commercial Solutions.

