Data Breach Insurance, Prevention & Cost
Data breach insurance may be a good fit for some businesses, but not worth the cost or red tape for others.
- What is a data breach?
- How can a company protect information from a data breach?
- What is Data Breach Insurance?
- How can a company avoid claim denial?
- What should a business consider prior to purchasing data breach insurance?
- How much does data breach insurance cost?
- Data breach insurance does not safeguard information.
What is a data breach?
A data breach occurs when sensitive, protected or personal data is viewed, stolen, copied or broadcast by a party not authorized to do so. Examples of data that may be vulnerable to a breach include individual customer information (e.g., credit card numbers or financial information) and proprietary information such as a business plan or operational methods.
A data breach can occur in a variety of ways, including:
- Hackers gaining access to a site
- Mishandling of client information
- Theft of improperly disposed hardware
- Employee misconduct
Other tactics include the use of malware, social engineering (e.g., email phishing or phone calls soliciting donations), or physical threats such as face-to-face theft.
A business will be exposed to liability if client information is compromised, and a company's general insurance policy may not cover the associated costs. In light of this, companies have begun to consider data breach insurance as protection for uncovered losses.
How can a company protect information from a data breach?
Data protection, like any chain, is only as strong as its weakest link. The first step in avoiding a data breach is having the proper security features in place to protect information.
Protect valuable information by:
- Conforming to current PCI DSS guidelines
- Ensuring that all information is encrypted
- Using general fraud protection such as passwords and security software
- Properly storing any paper documents in a locked file cabinet out of reach of any employees not authorized to view the information
- Performing background checks on new employees
- Changing passwords and door locks when an employee leaves the business
- Examining the security practices of companies to which work such as payroll or Web hosting is outsourced
- Establishing specific procedures to follow if a breach occurs
In a study conducted by the Verizon RISK team, 96% of breaches were “not highly difficult”, which suggests security measures in place were inadequate. The study also found that 94% of all data compromised involved servers, and 85% of breaches took two or more weeks to discover. These findings emphasize the need for business owners to be proactive, and to ensure that appropriate security checks are in place.
What is Data Breach Insurance?
Data breach insurance, also referred to as cyber liability insurance, can protect a business from the costs associated with a breach. These policies may cover any of the following:
- Notification obligations - These are expenses related to notifying the proper parties about a breach.
- Liability claims - These include costs associated with lawsuits generated as a result of the breach.
- Investigation expenses - Forensic investigations are frequently involved if an incident occurs.
- Fines and penalties - These may be associated with a breach, especially if a company is not compliant with certain requirements and stipulations.
It is important to note that a company may incur expenses which are outside the coverage of the policy, for example, those related to a loss of current and/or future customers, as well as a negative impact on the brand image.
How can a company avoid claim denial?
The risk of having a data breach insurance claim denied increases if a company has not met certain requirements. These requirements include but are not limited to:
- Having a certified staff member in charge of information security
- Performing vulnerability scans on a regularly scheduled basis, preferably every two weeks
- Carefully following the Payment Card Industry Data Security Standard (PCI DSS) for data storage
- Adhering to the National Institute of Standards and Technology guidelines
Important! When shopping for a policy, it should raise a red flag if the potential provider does not inquire about current security practices.
What should a business consider prior to purchasing data breach insurance?
Although a data breach is a potential risk for any business, data breach insurance is a newly introduced product. Therefore, providers lack experience in determining what a basic policy should cover, making it difficult for a business to compare plans. Be aware of any inconsistencies when comparing policies.
As with most insurance, there are limits on the amount of coverage available for a particular type of loss. Be mindful of any sub-limits the policy may carry.
How much does data breach insurance cost?
Factors that affect the cost of a breach insurance policy may include:
- Location – Many states have regulations and requirements for insurance that will cause price to fluctuate.
- Gross sales – The amount of potential loss will affect the cost of the policy.
- Industry type – Businesses in particular industries will have a higher risk for a breach; medical practices often represent a high risk category, as they store sensitive client information.
- Current security features – The characteristics of current security features often impact policy costs.
Insurance policies are customized to fit the needs of the business. Specific details about policies and associated costs can be obtained from a certified insurance professional.
Data breach insurance does not safeguard information.
Data breach insurance is meant to mitigate losses associated with a breach; it is not meant to protect information from being breached.
Businesses that do purchase data breach insurance should not allow the insurance to lead to complacency regarding data security. Insurance may help to curb losses after a breach happens, but it won't stop one from happening in the first place.
With this in mind, it is important to maintain and follow a rigorous data security plan regardless of whether breach insurance is in place.