Common Misconceptions
Cyber crime is one of the fastest emerging risks in the world today
Unfortunately for some business owners, awareness comes after a claim has already devastated their finances. When you consider the modest cost of an insurance policy that provides prevention, protection, and remediation coverage versus paying for a claim out of your own pocket, having insurance in place should be an obvious choice for business owners. Included below are some of the common misconceptions among small businesses today when considering whether they need cyber liability insurance for privacy data breaches.
Common misconceptions business owners have about privacy data breaches
- Privacy data breaches only occur at large corporations.
For cyber criminals, no business is too small. Fifty-eight percent of all cyber attacks target small businesses.1 As large corporations increase their internal security protocols, small businesses will be increasingly at risk.
- Commercial General Liability (CGL) insurance will pay for a privacy data breach.
Unfortunately, it will not. General liability policies cover bodily injury and property damage claims—not privacy data breaches. “The track record of companies trying to get coverage under a CGL policy has not worked out too well,” states Scott L. Vernick, an attorney at Fox Rothschild LLP.
When shopping for cyber liability insurance, make sure it includes: (1) protection for data breach litigation and regulatory fines/penalties, (2) remediation coverage to help pay for notification costs, credit monitoring, public relations and forensic services, and (3) risk management tools such as mobile security apps and computer vulnerability scans designed to help prevent claims.
- Privacy data breaches are caused by hacker infiltrations only.
While 47% of privacy data breaches are due to criminal activity, 28% are due to employee error, and 25% due to system errors.3 Criminal activity does not consist solely of hacker break-ins. It also includes the theft of desktop computers, laptops, tablets, smart phones, and external drives. More employees are taking work home and transporting customer records on their portable electronic devices. If you or your employees store client records or email records on your phone or portable device, your business is at risk for a privacy data breach.
- My type of business is not being targeted by cyber criminals.
Cyber criminals do not discriminate according to business sector. Any business with a weak security system is a target. Kevin Mitnick of Mitnick Security Consulting, once the most sought-after cyber criminal in the U.S., says: “I get hired by companies to hack into their systems and find security holes. Our success rate is 100%...”4
Regardless of size or type, any business can become a victim of a privacy data breach, whether it’s due to criminal activity or employee error.
- Cyber criminals steal customers’ online records to get credit card numbers.
While that’s true, they target a lot more. Cyber criminals steal names, addresses, and social security numbers and use them for many purposes, including filing phony tax returns. They also go after bank statements, investment data, employee pension plans, driver’s license numbers, visa numbers, passport numbers, medical records, insurance policies, employer ID numbers, W2s, email passwords—the list goes on.
As a business owner, if you collect or store any type of customers’ personally identifiable information—whether it’s on an electronic device or in a paper file—you have a responsibility to protect it.
- Customer litigation is the primary type of claim resulting from a privacy data breach.
Though customers affected by a privacy data breach do sue individually and as class actions, it doesn’t happen in every situation. What does happen is the business is forced to “remediate” the claim, which may involve notifying customers via email or mail and providing some form of credit monitoring.
Depending on the state and the situation, it can also involve a forensic team to determine the origin of the breach, hiring a public relations firm to save the business’ reputation, a regulatory investigation, and governmental fines and penalties.
- The government has little involvement with privacy data breaches.
The federal government has enacted the HIPAA and HITECH privacy laws to protect Americans’ privacy. In addition, nearly all states in the U.S. have enacted legislation requiring business owners to notify individuals of a breach of personally identifiable information.
What constitutes personally identifiable information, the time frame when notification must be given, the method of notification, whether or not an investigation is required, whether public notice must be made, and the penalties for noncompliance, all vary by state.
- If my company experiences a privacy data breach it will not impact my revenue.
According to a recent survey, 70% of consumers would likely discontinue doing business with a company after disclosure of a privacy data breach.5
“Data breaches are not just breaches of security. They’re also breaches of trust between companies and their customers, and can result in not only negative publicity, but lost business,” said Tsion Gonen, chief strategy officer at SafeNet.6
Why do law firms need cyber liability coverage?
Here are some financial implications:
Current research puts the cost of a privacy breach in the U.S. at $225 for every compromised record.3 How many customer files have you collected or do you maintain in your business? For example, if you have 1,000 clients, that could mean a claim totaling $225,000.
Additionally, hiring a forensic team to analyze where the breach originated can cost anywhere from $200 to $2,000 per hour. Credit monitoring costs between $10 and $15 per month, and your state may require you to provide monitoring for up to two years. The estimated cost to provide monitoring for a year for 1,000 clients could be $120,000 or more.
When you add in the cost of mailing notification letters, public relations costs, legal fees and response team expenses, it’s easy to see why 66% of small businesses indicated they would either go out of business or shut down for a day or more if their data was compromised.7
- Prevention – you receive access to resources that help you act proactively, allowing you to put systems and procedures into place to help reduce your exposures.
- Protection – if a privacy data breach results in allegations of negligence and litigation, you receive cyber liability insurance protection, including coverage for regulatory fines and penalties, cyber extortion, PCI fines, media liability, and more.
- Response – assists you in complying with state and federal privacy breach laws, forensic expenses, notification costs, credit monitoring, legal fees, and more.
1 “2018 DATA BREACH INVESTIGATIONS REPORT, 11TH EDITION”, VERIZON.
2 GREENWALD, JUDY, “INSURERS FIGHT TO BAR CYBER COVERAGE UNDER COMMERCIAL GENERAL LIABILITY POLICIES,” BUSINESS INSURANCE, OCTOBER 26, 2014.
3 2017 “COST OF A DATA BREACH STUDY: GLOBAL OVERVIEW,” PONEMON INSTITUTE, LLC, JUNE 2017.
4 WWW.ADVISERA.COM/27001ACADEMY/BLOG/2016/01/18/HOW-TO-USE-PENETRATION-TESTING-FOR-ISO-27001-A-12-6-1, JANUARY 18, 2016.
5 “DATA BREACHES AND CUSTOMER LOYALTY 2017”, GEMALTO.
6 “GLOBAL SURVEY REVEALS IMPACT OF DATA BREACHES ON CUSTOMER LOYALTY”, SAFENET, JULY 30, 2014.
7 “VIPRE ANNOUNCES LAUNCH OF VIPRE ENDPOINT SECURITY-CLOUD EDITION”, BUSINESS WIRE, OCTOBER 2, 2017.
AON CYBERBUSINESSPRO℠ IS A SERVICE MARK OF AON CORPORATION. BIZLOCK INSURANCE SERVICES IS THE EXCLUSIVE ADMINISTRATOR.
THIS DOCUMENT PROVIDES SUMMARY INFORMATION ONLY. INSURANCE COVERAGE IS SUBJECT TO SPECIFIC TERMS, LIMITATIONS AND EXCLUSIONS, AND MAY NOT BE AVAILABLE IN ALL STATES. LIABILITY INSURANCE IS PROVIDED PURSUANT TO YOUR ACTIVE MEMBERSHIP IN THE DATA THEFT RISK PURCHASING GROUP (RPG). PLEASE NOTE THAT THERE IS A NOMINAL FEE OF $1.00 PER TERM FOR THE RPG THAT IS ALLOCATED TO THE RPG BY THE PROGRAM ADMINISTRATOR, IDENTITY FRAUD, INC., FROM THE PROCEEDS OF YOUR PURCHASE.
AON AFFINITY IS A LICENSED INSURANCE PRODUCER IN ALL STATES (TX 13695), (AR 100106022); OPERATING IN CA & MN, AIS AFFINITY INSURANCE AGENCY, INC. (CA 0795465); IN OK, AIS AFFINITY INSURANCE SERVICES INC.; IN CA, AON AFFINITY INSURANCE SERVICES, INC. (CA 0G94493), AON DIRECT INSURANCE ADMINISTRATORS AND BERKELY INSURANCE AGENCY; AND IN NY, AIS AFFINITY INSURANCE AGENCY.