Data breaches that result in the unwanted dissemination of personal information are prevalent in the news of late, particularly given the rapid growth of electronically stored information and online commerce. A data breach can be very, very expensive even for the smallest of companies. On average, a relatively small breach that involves fewer than 10,000 records reportedly costs about $2.4 million in out-of-pocket expenses, $3 million in lost revenue, and no small amount of lost client confidence. Despite this risk, another recent study found that only 35% of small businesses invest in cyber insurance. This should be a major concern for all businesses and employers given that many standard policies exclude coverage for cyber losses.
When an electronic data breach occurs, many businesses attempt to rely on a traditional general liability (GL) insurance policy for coverage. Often, the clause within the GL policy through which a company will seek data breach coverage applies to oral or written publication of information that violates an individual’s right to privacy. But some insurers explicitly exclude electronic data losses from their traditional policies. In other words, coverage denied!
The need for cyber insurance was highlighted by recent court decisions denying coverage for data breaches. For example, Sony sought coverage from its insurer as a result of the theft of gamers’ personal information from the Sony PlayStation network. The New York Supreme Court denied coverage, holding that none was available under the applicable policy because the publication of personal data was not performed by the policyholder (Sony) but by unknown third-party hackers. Arguably, a cyber policy would have covered this theft.
A similar case out of Seattle echoed this holding, finding that the hacking of personal information from Redbox movie rental kiosks was not covered under the common liability policy exclusion for a “violation of statute in connection with sending, transmitting or communicating any material or information.” Again, a cyber policy would have helped here.
While the law remains in flux, these recent decisions serve as a heads-up that cyber insurance is a must. Indeed, Target estimates that $47 million of its $61 million in expenses related to the well-publicized breach were offset by insurance coverage, bringing the impact down to $17 million. This extreme example demonstrates that managing risk through cyber insurance could result in significant savings, no matter the size of the business or the size of the breach.