This is a weekly series of blog posts on interesting, pertinent or little known topics on insuring your business properly. It is my belief that in insurance, “What you don’t know can hurt you!” After reading these posts I hope you will have a better understanding of the nature of the threats you and your business face. These articles are not designed to cover every conceivable risk that your business will encounter. However, I do hope that my writing will stimulate your thoughts on ways to organize your business in a manner that first minimizes or avoids all the risks that you can before you buy insurance. I also hope I can promote a dialogue between you and your insurance professional on unavoidable risks facing your business. Again, this is always the first step to take before you purchase any insurance. Armed with this information, I hope you and your agent will be able to perform a realistic cost benefit analysis for insuring only residual risk thereby maximizing the ROI on your insurance dollars.
Understanding Cyber Liability
This is my first post in a series designed to acquaint you with the emerging risks you and your business might encounter while doing business on (or even “near”) the World Wide Web. Many refer to these perils as “cyber risks” and the related potential liability as “cyber liability”. In my first few posts I will discuss the full spectrum of “cyber risks” inherent in doing business on the Net. Later, I will cover why you cannot look to your general liability policy alone for protection from cyber risk and elaborate on why - most likely - you will need more specific policies (often referred to as “cyber insurance”) which are designed to protect you from cyber liability. Finally, the last series of posts will deal with how you can protect yourself with cyber insurance and what you should look for in the way of a cyber liability policy before you purchase it.
Who needs cyber insurance?
It is hard to imagine a modern business that doesn’t need some type of cyber insurance. No matter what size or what industry you are in, you are not exempt from cyber liability. At its simplest, if you have a web site or send or receive emails you are exposed to cyber liability. The “bottom line” is that almost every business needs some form of cyber liability coverage.
What types of risk create cyber liability?
Data breaches (online data theft) are a very real source of potentially very expensive cyber liability. Almost daily you can read about a data breach incident in which sensitive information is lost, stolen, posted in public view improperly or destroyed. In some cases the compromised information consists of social security and/or credit card numbers, email addresses, driver’s license numbers, medical records or other bits of information that we all would want kept from “prying eyes”. Let’s look at some recent real life examples of cyber crimes and use them to examine potential cyber liability claims you may face in your business. Understand that your liability does not have to be the result of a crime. It can easily be the outcome of human error or a disgruntled/careless employee.
The latest breach involved a Dallas based email marketing company named Epsilon, a subsidiary of Alliance Data (NYSE:ADS). The Epsilon breach took place on March 30, 2011 when hackers penetrated their email system and made off with 2% of Epsilon’s client’s email addresses. Epsilon’s blue chip client list just happens to include banks; JP Morgan Chase, Citi and US Bank, and retailers; Target, Best Buy and Kroger just to mention a few. While there are many more household names that were involved this should be enough to get you thinking -- “Is my name and address involved?” -- “What else might they know about me that was stolen?” At least they didn’t get my credit card information…you hope!
This high profile security breach is a good example of what can happen to even the most security conscious company. As in most breaches (the only thing that is damaged immediately is the company’s reputation. Likely, it will be many months before the first potential fallout will occur. Epsilon’s damaged reputation will not immediately affect their P&L Statement. However, angry customers can cause significant embarrassment and more seriously - a loss of future business that could negatively impact earnings. Consequently, many cyber liability policies have added coverage for “damage control” expenses such as PR and legal expenses to lessen the financial impact of a breach.
Another early expense that will be incurred by Epsilon is the expense of notifying all the individuals or companies affected that their information was stolen. These notification costs can be substantial. (As a side note, I personally had my credit information stolen from Countrywide Mortgage who in addition to notifying me by a $10 registered letter -- also paid for credit monitoring services for me for three years! Some consultants have estimated the cost of losing a single record can be over $200! Now imagine a laptop disappearing with 50,000 records!)
Back to Epsilon -- As days go by there will most certainly be an investigation by any number of federal regulators and also by Epsilon themselves. The cost to conduct an internal investigation of this larceny could be a significant expense for Epsilon that potentially would be covered by a cyber policy. Damage control and investigatory costs are referred to as first party costs as they are borne by the insured. Additionally, if Epsilon was found negligent in protecting their customer’s data there may be fines/penalties imposed by a regulatory agency also. Government fines in most instances are not insurable. Also, if the attack caused actual damage to software or hardware those costs would also be considered covered first party expenses. First party expenses are typically covered by most cyber liability policies.
Later, as the stolen data makes it way through the Black Market for who knows what purpose, new threats may emerge. Armed with specific bank information and email addresses a clever “phisher” can dupe naive email recipients into disclosing their bank account information and passwords and then systematically empty online bank accounts with fraudulent withdrawals. If an attorney can trace the financial loss back to the Epsilon data breach a new type of claim may be triggered – Third party claims. Third party claims are suits brought by plaintiffs, not affiliated with Epsilon, seeking to recover expenses they incurred to clean up the mess. There is no way to judge early on how large these potential third party liability claims might be. The amount could be staggering especially if class action suits can be filed on behalf of enough people with actual damages. A properly structured cyber liability policy could protect Epsilon from most of these third party losses. Third party cyber liability coverage can be added to a professional liability policy or included in a broader stand-alone cyber liability policy.
Online data breaches are serious perils that face anyone that stores sensitive public information or intellectual property like trade secrets or product designs on their network. Online theft of data can lead to a wide array of first and third party claims and associated expenses such as defense costs, settlements, judgments and investigations. A properly structured cyber liability policy will provide balance sheet protection against these losses.
My next post will cover another source of emerging cyber liability that flows from “publishing” exposures from blog posts such as this on your web site or in chat rooms for defamation, libel or violation of copyrights or trademarks. The World Wide Web could truly be called the Wild Wild West!
