Cyber Protection / Cyber Security Liability
Posted By: Ed Kraine, CPCU, Senior Vice President and Tim Moroney, Risk Manager
Wednesday, February 01, 2012
The dawn of the internet provided many new avenues for doing
business, and the protection of computer data has become a main
concern in today's working environment.
"Cyber Liability," as it is called, encompasses a gamut of new
risks for businesses that not only conduct business over the
internet, but that also may store private confidential information
subject to several federal laws.
To provide some insurance protection for these new risks, most
insurance companies have developed cyber security liability
policies which cover both first party ("the insured") and third party
liabilities which can arise because of attacks by outside parties
or because of the loss of sensitive data due to mistakes on the part
of the insured.
Up until a few years ago, this coverage was available under
most property and general liability policies. However, since 2005
the loss of intangible property has been excluded under standard
property policies; likewise, bodily injury or property damage,
previously covered under the general liability policy, is also
excluded if it emanates from a cyber breach or error.
Some examples of the claims that have occurred are as
follows:
Theft of Digital Assets
A regional retailer contracted with
a third party service provider. A burglar stole two laptops from
the service provider containing the data of over 800,000 clients of
the retailer. Under applicable notification laws, the retailer, not
the service provider, was required to notify affected individuals.
The total expenses incurred for crisis management notification of
customers came to nearly $5 million.
In a second example, a home health
care organization had backup data, laptops and disks containing
social security numbers, clinical and demographic information. In a
small number of cases, patient financial data was stolen. In total,
over 365,000 patient records were exposed. The organization settled
with the State Attorney General and provided patients with free
credit monitoring, credit restoration for patients who were victims
of identity fraud, and reimbursement to patients for direct losses
that resulted from the data breach.
Human Error
An employee of a private high school
mistakenly distributed via email the names, social security
numbers, birth dates and medical information of students and
faculty, creating a privacy breach. Overall, 1,250 individuals'
information was compromised.
Malicious Code
A juvenile released a computer worm
that caused the launch of a denial of service attack against a regional
computing consulting and application outsourcing firm. The
infection caused an 18-hour shutdown of the entity's computer
systems. The computer firm incurred extensive costs and expenses to
repair and restore its systems, as well as business income
expenses, which totaled approximately $875,000.
The cyber liability policy is sufficiently flexible so that a
business can buy either third party or first party coverages, or
both. Here is an example of how the language in a carrier's
insurance policy protects first party assets:
Loss of Digital Assets
"We will indemnify you for loss you
incur, in excess of the deductible, as a result of damage,
alteration, corruption, distortion, theft, misuse, or destruction
of your digital assets directly caused by a covered cause of loss."
In this case, digital assets mean electronic data and computer
programs that exist in a computer system. Please note that digital
assets do not include computer hardware. In addition to this,
protection can be provided for the business income loss that may
result from any direct first party claims.
Here is an example of the coverage grants available for third
party protection under a typical insurance carrier's policy:
Network Security and Privacy Liability Coverage
The insurance company "will pay on
your behalf those amounts, in excess of the applicable deductible,
which you are legally obligated as damages on claim expenses
arising from your acts, errors or omissions or from acts, errors or
omissions for others for whom you are legally responsible,
including outsourcers, or vendors provided such acts, errors or
omissions follow a security breach or privacy breach." An example
of this claim is the loss of a laptop containing sensitive
information, which results in the public disclosure of a person's
private information. Also, this insuring agreement would cover
unauthorized access into your computer system, a denial of service
attack against your computer system, or an infection of your
computer system by malicious code.
There are a number of other coverage protection grants available
on most policies, which The Fedeli Group, after an assessment of
your risks, can review with you. Please contact The Fedeli Group
team to arrange for this type of risk assessment and potentially
valuable insurance protection.