Privacy Liability – It’s a hot topic these days

December 8th, 2009

 By Jeanine Loomis, RPLU
S.H. Smith & Company, Inc.

Most businesses are unaware of how much a security breach could affect their balance sheet. Whether unauthorized access results from a stolen laptop, a network hacker, an unauthorized employee, a student or a third-party vendor, the result is the same: confidential information has been breached, and the legal landscape addressing such breaches has gotten stricter. Have you taken the time to assess your exposure?

 The Ponemon Institute’s “2008 Annual Study: Cost of a Data Breach” states that:

  • Data breach incidents cost companies $202 per compromised customer record in 2008.
  • Average total per-incident costs in 2008 were $6.65 million, compared to $4.8 million in 2006.
  • Breaches by third-party organizations, such as outsourcers, contractors, consultants and business partners, were up from 29% to 40%.

 Do you know what your responsibilities are if you experience a security breach? Forty-five states have passed laws requiring you to notify individuals if their Personally Identifiable Information has been breached. Personally Identifiable Information is generally defined as a combination of a person’s name and their Social Security number, driver’s license or state identification number, account number, credit or debit card number, medical information, or other non-publicly disclosed information. The Federal Government has passed the HITECH Act, requiring HIPAA covered entities and their Business Associates to notify affected individuals and the government if Personal Health Information has been breached.

 The costs of complying with these laws are much more than a piece of stationery and a stamp.  Consider the following activities and legal mandates that follow a breach of security:

  1. Research to determine whose information was stolen and what state laws have been violated,
  2. Notification to those individuals,
  3. Credit Reporting Services or a Hotline if required by law,
  4. Public Relations to restore your company’s image to customers or potential customers,
  5. Legal expenses for the governmental investigations or lawsuits that may trickle in,
  6. Lost staff time when their attention is taken away from their traditional work to handle the requirements that come with this event.

 Recently, insurance carriers have created new coverages to address a cyber/network security breach and other related exposures that are often not covered in traditional general liability policies or in professional errors and omissions policies. The following is an example of the types of coverage that are currently available to protect you from lawsuits and/or lost profits from these new exposures:

  • Notification Expense coverage to comply with the states’ reporting requirements
  • Crisis/Public Relations coverage
  • Media Liability coverage for infringement suits resulting from the information posted on your website
  • Business Interruption coverage for virus or hacking events that don’t qualify for coverage under your property policy because they did not result from a ‘direct physical loss’ to your computer systems
  • Extra Expense coverage to help you recreate the lost data
  • Cyber Extortion in the event that someone is holding your network hostage.

 Every cyber policy sold today varies in coverage. Likewise, each company has its own unique set of exposures. It is important to identify your company’s exposures with your agent so that you can make an informed decision regarding the importance of transferring this risk to an insurance carrier to protect your bottom line.