It is likely that you have heard about Cyber Liability Insurance, formally known as Information Security and Privacy Liability Insurance. However, it may not be clear exactly what your exposure is, what this insurance covers, and why this coverage differs from your existing professional liability insurance. This article will address each of these questions and provide you with a solid understanding of coverage, so you may make an educated decision regarding your need for coverage.
What is my exposure?
Almost all businesses collect some amount of personal information from their clients. This personal data has become a primary target for cyber criminals and creates potential exposure for your firm.
At this time, at least 46 states have enacted formal Security Breach Notification laws. Although these laws differ by state, each defines what it considers Personally Identifiable Information (PII), your notification requirements, and the potential penalties for failure to notify clients in the event of a breach.
Personally Identifiable Information (PII) – PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. This may include social security numbers, credit card numbers, and bank accounts which, alone or when combined with other personal information (including name, date of birth, mother’s maiden name, etc.), may be linked, or linkable, to an individual.
Notification Requirements – Each state requires that, if you are aware of a potential breach of PII data in your possession or control, you notify certain individuals and/or groups. These contacts may include:
– All individuals whose data may be breached
– State Attorney General
– Local/State law enforcement
In addition, some states require that you offer impacted individuals credit monitoring services for a defined period of time.
1st party vs 3rd party expenses
It is important to note that a firm may incur significant cost to notify each of its clients and to offer the necessary monitoring services. These costs are considered 1st party expenses as they are directly incurred by your firm, as opposed to 3rd party costs, which are expenses incurred by a client for which you may be responsible to provide restitution. This is an important distinction when it comes to evaluating insurance coverage.
Notification Penalties – Failure to follow the appropriate notification requirements may result in significant financial penalties enforced by your State Attorney General.
What does Cyber Liability Insurance cover?
Cyber Liability insurance policies arose to address the exposures outlined above. Although each policy is different, the following are four potential areas of coverage which may be provided.
Information Security & Privacy Liability
– Legal liability coverage for theft, loss, or unauthorized disclosure of personally identifiable non-public information or third party corporate information that is in the care, custody or control of the insured organization, or an independent contractor that is holding, processing or transferring such information on behalf of the insured
– Legal liability arising from failure to comply with state breach notice laws
– Coverage for failure to comply with the insured’s privacy policies as well as failure to administer an identity theft prevention program required by governmental regulation
– For unauthorized access, theft of or destruction of data, denial of service attacks and virus transmission involving the insured’s computer systems resulting from computer security breaches
Privacy Notification Costs
– Coverage for the costs to provide notification in compliance with a breach notice law, including fees charged by an attorney to determine the applicability of and actions necessary to comply with breach notice laws
– Includes the cost of a credit file monitoring program
– Coverage for the costs to hire a computer security expert to determine the existence and cause of a security breach
Regulatory Defense and Penalties
– Coverage for the cost to defend a regulatory proceeding resulting from violations of privacy laws caused by the otherwise covered theft, loss, or unauthorized disclosure of personally identifiable non-public or third party corporate information
Website Content Media Liability
– Covers display of electronic content on the insured’s website. Offline media coverage may also be available.
Does my Professional Liability policy provide coverage for this exposure?
The answer to this question will be subject to the specific conditions of a claim. In addition, many professional liability policies have added endorsements to provide some level of cyber-related coverage. However, it is important to understand exactly what is covered under your professional liability policy and what exposure you may still have.
In the delivery of professional services
Your professional liability policy is primarily intended to provide coverage for claims related to your delivery of professional services. This is considered the “coverage trigger”. The specific wording for this may vary by policy and exposes a potential gap in your cyber liability exposure.
If your laptop is stolen while you are on vacation, and it includes Personally Identifiable Information of clients (consider that this data may unintentionally be included in emails), is this in the delivery of professional services? This exposure may not activate the necessary “coverage trigger” for response by your professional liability policy.
In addition, you need to be aware of the specific wording in your policy or relevant endorsement. Data that is in your “care, custody, or control” has potentially different ramifications than data for which you are “legally liable”.
1st party vs 3rd party expenses
As discussed above, there is a difference between 1st party and 3rd party expenses. Your professional liability policy is intended to provide coverage for 3rd party expenses. Even when Cyber Liability coverage is included in a professional liability policy, it is unlikely that any 1st party coverage is included.
Notification costs (1st party expenses) in the event of a data breach are estimated at anywhere between $5 and $50 per client. A data breach that impacts only 1,000 clients may cost you up to $50,000 in direct and uncovered expenses.
Do I really need Cyber Liability Coverage?
As explained above, the exposure exists for almost all professional service firms. In addition, there are likely gaps in the coverage provided by your professional liability insurance policy.
The cost for stand-alone cyber liability insurance is still relatively low. We recommend that any of our clients who may have an exposure obtain a quote for Cyber Liability Coverage. It is only with this information that you may make an educated decision to weigh your potential exposure and costs.
For more information, or to obtain a quote for Cyber Liability coverage, please contact us.
This information is for illustrative purposes only. It is not intended for the purpose of providing specific legal or other professional advice. Only the policy form and endorsements themselves can provide actual coverage wording and conditions. Please consult with legal counsel and review the Security Breach Notification Laws specific to your clients’ states.