Data Breach Prevention and Insurance
In the wake of expensive, well-publicized data breaches like those experienced by Home Depot and Target, you may be nervous about your own business experiencing a breach. Unlike Target and Home Depot, small businesses don't always have the money to cover the expenses of a data breach, and may take a bigger reputation hit if customers perceive your business as not secure. You might be considering breach insurance, assuming that will protect you in the event of a data breach. Many credit card processing companies even offer data breach insurance as an add-on, making it an easy decision for some businesses. Just know that there may be limitations to what types of breaches are covered, or how much the insurance will pay.
- What is a data breach?
- What is data breach insurance?
- How can a company protect information from a data breach?
- What should a business consider prior to purchasing data breach insurance?
- How much does data breach insurance cost?
- What is a claim denial and how can I avoid it?
- Bottom Line
What is a data breach?
When sensitive, protected, or personal data is viewed, stolen, copied, or broadcasted by anyone not authorized to do so, it's called a data breach. Well-publicized breaches like the Target and Home Depot breaches may make you think that breaches only affect big businesses, but a breach can happen to anyone. Examples of data that may be vulnerable to a breach include customer information (e.g., credit card numbers or financial information) and proprietary information, such as a business plan or operational methods.
A data breach can occur in a variety of ways. While many people think of a data breach as hackers infiltrating a secure website or database, there are multiple ways in which a data breach can occur. Other common methods include:
- Phishing scams
- Use of malware or credit card 'skimmers'
- Mishandling of client information
- Theft of improperly disposed hardware
- Employee misconduct
Your business may be liable if client information is compromised, and a general insurance policy may not cover the associated costs, which can add up fast. You may face investigation costs, fines, or card re-issuing costs. The thought of high fines and breach expenses can be intimidating, causing some companies to consider data breach insurance as protection for uncovered losses.
What is Data Breach Insurance?
Data breach insurance is a form of insurance policy specifically designed to help your business with the costs if a breach occurs. These policies may cover expenses like notifying affected parties of the breach, legal counsel, and fines imposed on your business. The exact amounts that will be covered vary by policy. Common small policies cover up to $10,000 in breach-related costs, while larger policies cover $100,000 or more.
Data Breach Insurance from Major Processors
Some of the largest processing companies, including First Data and TSYS, offer data breach insurance plans. First Data's TransArmor option includes a liability waiver in the event of a data breach, while TSYS' Card Compromise Assistance Plan (CCAP) is available separately or as part of the more robust TSYS Guardian Security Suite.
How can a company protect information from a data breach?
Data protection is only as strong as its weakest link. The first step in avoiding a data breach is having the proper security features in place to protect information. An ounce of prevention is worth a pound of cure, and even data breach insurance won't repair your reputation if customers or employees don't feel secure doing business with your company. Take the time to make sure you're using up-to-date security procedures.
Protect valuable information by:
- Conforming to current PCI DSS guidelines
- Ensuring that all information is encrypted
- Using general fraud protection such as passwords and security software
- Properly storing any paper documents in a locked file cabinet out of reach of any employees not authorized to view the information
- Changing passwords and door locks when an employee quits or is let go
- Examining the security practices of companies who are outsourced for work such as payroll or web hosting
- Establishing specific procedures to follow if a breach occurs
In a study conducted by the Verizon RISK team, 96% of breaches were “not highly difficult”, which suggests security measures in place were inadequate. The study also found that 94% of all data compromised involved servers, and 85% of breaches took two or more weeks to discover. These findings emphasize the need for business owners to be proactive, and to ensure that appropriate security checks are in place.
What should a business consider prior to purchasing data breach insurance?
Although data breach is a potential risk for any business, exactly what is covered by data breach insurance can vary among policies and providers. Don't assume that all data breach insurance policies cover all costs associate with breaches. Be sure to read policy information carefully to determine what is covered and confirm it in writing before purchasing a policy. Some policies limit coverage to internal security issues (such as employee theft and card misuse) while others will cover both internal and external risks, such as stolen POS systems or card data obtained from skimmers.
Additionally, as with most insurance, there may be limits on the amount of coverage available for a particular type of loss. Be mindful of any "sub-limits" the policy may carry. Data breach insurance does you no good if you have a particular type of breach that isn't covered or if the policy only covers a small fraction of your breach expenses.
Data breach insurance is meant to mitigate losses associated with a breach, it is not meant to protect information from being breached. If you do purchase data breach insurance, don't let that lead to complacency regarding data security. Insurance may help curb losses after a breach happens, but it won't stop one from happening in the first place. It's important to maintain and follow a rigorous data security plan regardless of whether you have data breach insurance.
How much does data breach insurance cost?
Like any insurance policy, the exact costs and coverage vary by policy and provider. If you're shopping for data breach insurance, be sure to know exactly what you're getting. Costs can vary due to a number of factors, including your business's location, gross sales, industry, and your current security procedures. Some policies start as low as $9.95 month, but be aware that lower cost policies generally cover less.
What is a claim denial and how can I avoid it?
A claim denial occurs when you have data breach insurance, but when you make a claim, the insurer denies it. Claims can be denied for several reasons, so make sure you're aware of your obligations and requirements to increase your chances of a successful claim should you need it.
The risk of having a data breach insurance claim denied increases if you have not met certain requirements. These requirements include but are not limited to:
- Having a certified staff member in charge of information security
- Performing vulnerability scans on a regular, preferably at least every two weeks
- Carefully following Payment Card Industry Data Security Standards (PCI-DSS) for data storage
- Adhering to the National Institute of Standards and Technology guidelines
Remember, data breach insurance is not a replacement for good security. Be sure to follow proper procedures to keep sensitive information safe.
The Bottom Line
Whether or not data breach insurance makes sense for your business depends on a number of factors that only you can properly assess. Are you compliant with current security standards and using all the security features available to you? If not, that's step one, whether you purchase insurance or not. Beyond that, you'll need to consider the costs of a policy and what it covers, and assess the likelihood of a breach that will be covered by the policy. Some businesses may not be able to justify the costs of data breach insurance. If you do elect to purchase a policy, make sure you're fully aware of what it covers and any obligations on your part to maximize the chances that you'll be covered if you do experience a breach.