- I’m not at risk because I don’t maintain any personally identifying information on my customers. Every commercial entity has an exposure because all commercial entities have customers and employees. Typically, an entity will have employees’ social security numbers as well as health information for benefits programs. If you have this information- you have risk.
- I’m not at risk because I don’t conduct business over the internet. While the more sensational breaches involve hacking information via the internet, the majority of breaches occur by other means such as accidentally released or stolen physical files or electronic media (i.e. laptops, CD-ROM’s, thumb drives, etc.).
- I have coverage under my property, commercial general liability or other commercial policies. You may want to review your insurance policies again. Property policies may provide coverage for business interruption but generally are triggered by a direct physical loss to the insured property. “Physical” is though of as “tangible” and case law generally maintains that data is not tangible property. Typically, commercial general liability (CGL) policies contain exclusions for damages as a result of the release, disclosure or access to personally identifiable information. It is for this very reason cyber risk coverage was developed.
- Personal Data breaches only happen to large companies and public entities. The media tends to focus on larger data breaches because it impacts a significant number of people but breaches impact entities of all sizes. In fact, smaller entities may be more susceptible to breaches as they do not have the resources to dedicate to the issue.
- Laws requiring notification of personal data breaches only apply to large businesses. Currently there are 47 states that have legislation requiring notification in the event an entity breaches personally identifying information. These laws are consistent on one point- they do not address the size of the entity.
- Coverage that wouldn’t enable my company to provide a professional response to a personal data breach requires a lengthy application and various audits. Unless limits of $100,000 or great are required, no underwriting questions are asked. A security audit is not required for this program.
- There is nothing I can do to reduce my company’s chances of having a personal data breach. There are several steps an organization can take to require its cyber liability exposure. Click here to learn more about how to reduce your changes for breach.
- If we have personal data breach data and need to notify our customers, we can just send them a “we’re sorry” letter and our customers will understand and continue to do business with us. While ending a “we’re sorry” letter will often satisfy the various legal requirements, the entity is then left with a marketplace reputation problem and the challenge of retaining customers in the wake of a breach. our program offers additional service to the people affected by by the breach. These service include access to a toll free information line, credit monitoring service and identity recovery services.
- I don’t need cyber risk insurance if I spend more information Technology security. While robust information technology security will help reduce your exposure, it will not prevent all breaches from occurring. Breaches often occur from procedural mistakes or “rogue” employees who have access from the inside. Insurance, as well as appropriate spending on security and information technology is part of a holistic risk management strategy.
- In this economy, I can’t afford any more insurance. You cannot afford not to have cyber risk insurance. A recently Ponemon Institute study indicated that direct costs to respond to a breach were $60/record. Even a small breach that only impacts 100 records could cost you several thousand dollars.
For further information about cyber liability coverages- as well as any other business or personal insurance needs, we can help. We can be reached at keslarinsurance.com or 603-273-0953.
Source: The Main Street America Group. This document is intended for information purposes only and does not modify or invalidate any of the provisions, exclusions, terms or conditions of the policy and endorsements. For specific terms and conditions, please refer to the coverage form.