Cyber liability is certainly one of the hottest topics in both the media and the insurance industry today. It seems like headlines and news stories announce new victims of data theft almost weekly.
But even with all the attention that personal data theft and cyber liability are getting, many insurance professionals are still reluctant to engage their insurance clients on the personal data theft and cyber liability exposures that face them. In most cases, the lack of familiarity suggests there is a need for an organized approach to assessing personal data theft and cyber liability exposures.
Here is a basic overview of who has an exposure and the options available to deal with it.
Does my client have personal data theft or cyber liability exposures?
If your client stores or collects personally identifiable information in either a written or electronic format, they have an exposure. In the event of either a physical theft or an electronic theft of the information stored, your client could be financially impacted in multiple ways.
Your client’s liability to those whose records have been impacted could be only part of the total cost. There are 47 states and multiple federal agencies with laws and rules regarding personally identifiable information and the required notification to and monitoring of record holders following a breach.
You’ve probably received a letter yourself letting you know that your record may have been compromised and that your credit will be monitored. Did you know the estimated cost of everything going on behind that letter is $228 per record?
To put this in perspective, insureds with just 250 records at an estimated cost of $228 for monitoring and notification per record would incur a cost of $57,000. That’s before anyone loses a dime as a result of the theft. Few businesses deal with fewer than 250 customers over time.
Most definitions of personally identifiable information in legislation include name, address, date of birth, Social Security number, credit card numbers, email addresses and passwords as information that must be safeguarded.
Be aware that definitions of personally identifiable information are expanding.
Does your client interact with the internet?
Many companies conduct business via their website, accepting credit card payments either directly or through a third-party vendor that they link to.
Companies also use their website, Facebook or LinkedIn page to communicate with their clients, and they upload and download data to and from third-party vendors. Consider your agency using a rating program for a carrier. Imagine a virus uploaded from your system disabling the carrier’s site. Many businesses interact similarly within their industries.
How should you deal with exposures?
Almost every business has some exposure. Now, what’s the best way to deal with the exposure?
Avoidance is one method. If your clients do not have an incident or a breach, they are all set. The other name for this is luck. Statistics would argue against relying on luck. More than nine million Americans have been victims of identity theft, resulting in more than $5 billion in losses. Over the next few years it is estimated that almost everyone in the U.S. will be a victim of some form of identity theft.
Security is another method. Increasing security and expanding training in the handling of information is a great way of protecting information and networks from threats. Internal protocols, access limitation and training can reduce the possibility of unauthorized access by rogue employees or external hackers, as well as accidental dissemination.
While most companies agree that the expense of security is well worth it when weighed against the cost of a serious system breach, we hear almost weekly of a top company having its sophisticated system breached.
Finally, we come to insurance. While insurance neither prevents nor deters cyber attacks, it does reduce the financial impact following an incident or breach. Additionally, insurance programs can be designed to cover multiple data and cyber liability exposures within a budget. Most policies today also provide an emergency response service that immediately responds and assumes management of the incident.
In summary, almost every client has some personal data theft or cyber liability exposures. If they store or collect personally identifiable information or interact with the internet, there is some level of exposure. Security and training can minimize the potential of an incident, but most prudent business owners would supplement this with some level of insurance protection given the statistics and trends.
Article Written By James O’Neill