A lot of confusion exists around Cyber and Data Breach Insurance. Our underwriters have compiled this list of the most common questions clients often ask regarding privacy or data exposures and insurance coverage.
What is my exposure?
Generally, the typical exposure includes personally identifiable information in your custody – from employee social security numbers and driver's license numbers, to payment cards accepted for fees, goods and services, exposure to clients' sensitive data, healthcare records collected, etc.
Why do you need to know how many records a company has? The higher the number of records, the higher the exposure and the higher the potential costs post-breach.
Who is Hiscox?
Hiscox is a leading specialist insurer, with roots dating back to 1901. They are not a traditional insurance company as they target specific types of insurance in which they develop expertise, often focusing on areas other insurers find too complex to insure. By challenging convention in each specific market they are able to offer market leading products and services to US businesses.
Hiscox Insurance Company Inc. is a Chicago, IL domiciled insurer admitted or licensed to do business in all 50 states and the District of Columbia. Hiscox Insurance Company Inc. is rated A (Excellent) by A.M. Best with a group financial size category (FSC) of XII.
I got an endorsement to my other policy for this. Isn't that enough?
Maybe, but usually not. Most endorsements are for a very small dollar amount with very limited coverage. For example, only third party costs may be covered, or the maximum coverage for first party costs may be only $50,000. Every company would benefit from a full privacy/data breach policy, providing the peace of mind that comes with knowing that the costs of a potential breach won't be catastrophic to the business.
If my only real exposure is first-party data (such as employee data), do I really need a policy?
All companies have the duty and obligation to safeguard the information they hold on behalf of their employees as well as any confidential information about the business itself. No company is immune from attacks. A Hiscox policy provides coverage for employee data.
I am not a target like Sony, Anthem or Home Depot. Why should I worry?
Large corporations make the news. Small ones don't. It's a matter of 'when', not 'if' a company will have a breach of data. There's a black market where these records are sold and bought, and hackers are only getting savvier. Target, Home Depot, Anthem, and other large organizations have entire departments devoted to analyzing the risks the company could face and helping set policies and procedures to protect against them, and their systems and data have still been breached. Smaller companies without someone responsible for network security and the resources to protect their data are easy targets for hackers.
Who buys cyber coverage?
Companies who are mitigating this growing risk. It is becoming a must-have coverage.
Why shouldn't I trust my IT Department when they say they have it covered?
Target, Sony, and other large corporations have entire departments devoted to IT security, and they did not have it covered. A simple error or omission like not updating software, not setting appropriate user authentication procedures for third party vendors, losing an unencrypted laptop that stores sensitive data, or a rogue employee with malicious intent can all lead to a breach. Exposures grow as technology expands, and hackers are only getting smarter and better.
Do I need this coverage if I don't store any client information on my network?
Yes. You may not store client data, but you may have access to it. You may cause a breach of your client's data, consequentially breaching a contract. Corporate information is also covered under a privacy/data breach policy. Employee data is also a liability.
My company is really small. Am I still at risk of a data breach?
Every company has data breach and privacy exposures, either through employee sensitive information, payments accepted from third parties, services provided, etc. Some have more exposure than others, but it's important to emphasize that every company with employees is liable for third party data (including employee data). A breach costs an average of $188k, for the smallest companies with the smallest exposure. Costs add up very quickly.
I outsource my payment card processing to a third party. I don't have any payment card exposures, do I?
According to the PCI Compliance Guide, PCI applies to ALL organizations or merchants, regardless of the size or number of transactions, that accept, transmit, or store any cardholder data. And merely using a third-party company does not exclude a company from PCI compliance. It may cut down on the risk exposure and consequently reduce the effort to validate compliance but it doesn't mean a merchant can ignore PCI.
If my client information is stored in the cloud, the liability rests with the cloud
Not exactly. It would be in the insured's best interest to carefully review those contracts with their legal counsel. Even if the risk is mitigated, the liability may still fall on the shoulders of the insured.
What industries traditionally buy, and what industries are newly buying?
Currently the heaviest users of liability insurance are in the banking, healthcare, and technology fields. New purchasers are businesses of all sizes and industries, including governments, schools, and manufacturers.
What is the average cost of a data breach?
The average cost of a data breach continues to fluctuate but reputable cyber security and information sources peg the average breach at roughly $188,000. The bigger the company, the bigger the costs. Also, the more sensitive data the company collects (regardless of the size of company), the higher the costs.
What does Cyber Crime/Deception cover?
Cyber Crime/Deception contemplates the following scenario: A hacker disguises themselves as a vendor, client, or employee and tricks the Insured's employee into transferring funds to the hacker's account. This deception can be perpetrated through phishing, spearphishing, and other tricks perpetrated through email, text message, instant message, telephone, or other electronic means.
What is considered a record? What if I have multiple files for the same person in my possession? Do you require the total number of records or just the number
Non-public individually identifiable information as defined in any federal, state, local, or foreign statute, rule or regulation, may include but is not limited to unsecured protected health information, social security number, individual tax ID number, driver's license number or state ID, passport number, financial account number or credit or debit card number. We would like to know the total number of pieces of individual information an insured possesses. If multiple pieces of information for the same individual are stored within the insured's network or on the insured's premises, we would like details on the retention and duplication procedures in place.
How much does the coverage cost?
It depends on size and exposure. A $1M policy could cost as little as $1,000.
Do privacy policies matter for websites?
Yes, because they are in many ways constructively a contract with your customers. More importantly, if you do not disclose your data privacy procedures and who you share others' data with you could be in violation of several privacy related laws.
What is the difference between regulatory defense and the regulatory compensatory
The regulatory action defense addresses claims brought by a regulatory body, such as the Office of Civil Rights for HIPAA violations. If a breach does indeed occur, the regulatory body will set up something that acts a lot like a trust for the individuals affected by the violation. In practice, if individuals' data was breached and an entity violated HIPAA, the OCR will levy a fine for the violation. The fine will be paid directly to the OCR, and will not address "victim" compensation. The OCR will then set up this trust-like fund for the medical group to pay into, which will be distributed to those individuals for their "damages."
Generally, what regulations are companies subject to?
For payment card data, PCI DSS. For healthcare data, HIPAA. These, in addition to social security numbers, financial records, etc., are also subject to state and federal regulations.
Why is PCI compliance important? What happens if I'm not PCI compliant?
Outside of the specific fines and penalties levied by the card brands, a non-compliant business would open themselves up to various third party suits from angry consumers whose information was breached.
My POS vendor says they're PCI compliant. That makes me compliant,
Not necessarily; most merchants have some exposure. The only way to totally eliminate the need to become PCI compliant is through full outsourcing of your entire payment handling process. In most cases the processing uses at least some of your network infrastructure. This subjects merchants to the standard of PCI compliance.
What is the difference between a PCI fine and an assessment?
The payment brands (Visa, Mastercard, etc.) may, at their discretion, fine $5,000 to $100,000 per month for PCI compliance violations. These amounts are intended to be punitive in nature and don't address indemnifying the banks for their losses resulting from a payment card breach. PCI Assessments are liabilities and costs detailed in a Merchant Services or Payment Processing Agreement, which may include costs associated with card reissuance and fraudulent charges experienced post-breach.
What is the difference between first party and third party coverage and when is each important?
First party coverage includes costs incurred by the insured, such as notifications sent out to each individual, computer forensic specialists hired to figure out how the breach occurred, remediation, business interruption, etc. Third party costs may include class action suits and other claims brought by those outside the company.
What is considered confidential corporate information if you exclude
Confidential corporate information would refer to information that, if disclosed, may harm the business. This may include sales and marketing plans, product plans, notes associated with various designs and inventions, customer and supplier information, financial information, etc., that is non-public in nature.
What coverage should I consider?
First and third party coverage. This includes costs for notification, forensics, regulatory fines and penalties, PR consultants, third party suits, etc.
What limits should I consider?
That depends on the company's size and exposure. The larger the company and the more sensitive data they hold, the higher the limits.
What is "Per Person" coverage?
Rather than setting a dollar value to notification and credit monitoring costs, the insurer sets a number of maximum individuals they would cover for these costs (no dollar value set).
Does a cyber insurance policy cover the direct loss of funds?
Most cyber insurance policies are crafted to cover the loss of information, not money (directly). At Hiscox, we can cover certain perils via endorsement to respond to these exposures. Our Cyber Crime/Deception offering is built for "data" events where banking credentials are stolen and utilized to transfer uninsured funds from a corporate bank account or other institution. Other coverage is also evolving to respond to instances where hackers trick employees into voluntarily releasing funds on behalf of the organization, but the funds are sent to the hacker due to a spoofed invoice or other method of deception.
Does the policy cover 'social engineering?'
Social engineering can be defined as an attempt to obtain otherwise secure data by conning an individual into revealing secure information. Victims of social engineering attacks are typically vulnerable due to the innate desire to trust other people and be helpful. Most insurance policies cover the loss of data regardless as to how it is obtained, though the policy wording should always be checked.
Does the policy cover a rogue employee
Most insurance policies cover the loss of data regardless of how it is exposed. With that said, certain policies may exclude rogue employee events. Under the Hiscox suite of privacy insurance policies, a standard rogue employee event is covered subject-to policy terms and conditions, but certain events involving executives of the organization may be excluded.
Does the policy cover paper records?
Most privacy insurance policies cover paper records, but policy wording should always be reviewed. The Hiscox Privacy Protection insurance policy defines Personally Identifiable Information as information in any form that is in your care, custody or control, or in the care, custody or control of any third party for whom you are legally liable. A breach of paper records would be covered by the standard Hiscox policy wording.
If paper records are destroyed, is coverage considered under the Hacker Damage module, or does that cover the destruction of digital assets only?
Our Hacker Damage Module is triggered by a Hacker Damage Event whose definition includes "…data you hold electronically." Paper records would not be covered. These events include the malicious, unauthorized access of a website, intranet, network, computer system, etc.
Is coverage worldwide? What does that mean? Must the suit be handled in a court in the USA?
We provide worldwide coverage but our jurisdiction in claims handling is restricted to the United States courts.
Why does employee training matter?
A significant number of losses actually arise from employee negligence, whether it's leaving a laptop in a cab or plane, accidentally emailing PII to the wrong email address, or simply verbally disclosing private information about individuals in a public setting. Employees must learn to treat such information with discretion and care.
Why do merchant service agreements
The agreements you sign with payment processors will often pass through liability owed to banks in the event of a payment card breach. The fine print may have you agreeing to much more than you think.
What is encryption?
It's the process of encoding information in such a way that only authorized parties can read it. Encryption is very important in evaluating a company's risk and exposure, since a breach of encrypted data is significantly less costly than a breach of unencrypted data. Encryption is a safeguard in many cases with regard to privacy protection law obligations.
Our laptops are password protected. Isn't this enough? Does that mean
No. Encryption is the process of scrambling the actual data on a hard drive so that it is unusable unless accessed with the encryption key. Merely password protecting a laptop means a hacker can bypass the password and access the intact data, since it was never encrypted.
What is the difference between encryption and password protection? How does my company encrypt data?
Encryption is a method of encoding messages or data with coded strings of symbols. It is commonly used to secure online banking sessions and protect credit card data. When you bank online, a 'lock' icon routinely appears in the address bar which means the browser session is encrypted by the bank. Often on mobile devices, passwords are used to enable encryption. Apple has started encrypting personal data on the latest operating system, iOS 8, if the correct settings are enabled. A number of vendors offer encryption of corporate data and insureds should consult their risk manager for further information on how to implement this additional security protocol.
What are your value added services?
We have partnerships with BreachProtection.com and the eRisk Hub, both complimentary to our insureds. BreachProtection.com provides comprehensive risk management policies, procedures, training, and other tools for insureds before a breach occurs. This includes online compliance material, email updates, procedures and sample forms, workforce training, data breach response plans, and full phone support. Our eRisk Hub, powered by NetDiligence, provides breach response resources and tools to help our insureds understand the exposures, establish a breach response plan, and minimize the effects of a data breach on the organization. They include a Breach Coach and a Breach Response Team as well.