Cyber liability insurance covers losses from data breaches and privacy violations that are typically not covered by other business insurance policies. Examples of cyber breaches in 2013 include those at Target, LivingSocial, and various government agencies, where millions of customer records containing sensitive personal and financial information were compromised. Federal and state laws require companies to notify individuals affected by a breach. Cyber liability insurance can help cover the costs of forensic investigations, notifying affected parties, credit monitoring services, legal defense, fines and penalties, and public relations in the event of a breach. Premiums for cyber liability insurance start at $1,500, and the average costs of a legal defense and of a settlement from a breach are $500,000 and $1 million, respectively.
3. What is Cyber Liability?
“Liability for loss of customer or employee data is not typically covered under a corporate insurance policy. Some existing business insurance policies that offer general liability and directors and officers liability may provide a measure of coverage for those areas; however, most CEOs discover significant gaps in what is and what isn’t covered after an attack. Unfortunately, by then it’s too late.” Forbes, 10/18/2012
Examples: transactions for many goods and services are conducted online, including money transfers, bill/invoice payments, and even payments for services such as insurance coverage.
4. CYBER BREACHES 2013
• Target
Target says 40 million credit and debit cards were possibly breached, through remote access to two websites used by employees and suppliers.
• LivingSocial
Daily-deal website LivingSocial confirmed that its computer systems were hacked, resulting in “unauthorized access.” The company updated its password encryption method after the breach impacted more than 50 million users. Names, email addresses, dates of birth, and salted passwords were stolen.
• Washington state Administrative Office of the Courts
After the public website of the Washington state Administrative Office of the Courts was hacked, sensitive data of individuals whose cases were making their way through the state court system was compromised. Names, Social Security numbers, and driver’s license numbers were accessed.
• Evernote
The popular notetaking software service Evernote had to reset the passwords of all of its 50 million users following a network breach. The company did not find any indication that content or payment information was stolen. Usernames, email addresses, and encrypted passwords of users were accessed.
• Drupal.org
The servers of the open source content management platform were hacked, and the sensitive information of close to one million accounts was stolen. As a safety measure, the company reset all passwords. Usernames, email addresses, country information, and hashed passwords were all exposed.
• Federal Reserve internal site
The Fed admitted that hacking collective Anonymous breached one of its internal websites, accessing the personal data of 4,000 bank executives. Mailing addresses, phone numbers, business emails and fax numbers were accessed and published by the hackers online.
5. Categories of Losses
• “In 2010, the U.S. Secret Service and Verizon Communication Inc.’s forensic analysis unit, which investigates cyber attacks, reported 761 data breach cases, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa also estimates that about 95% of the credit-card data breaches it discovers are on its smallest business customers.” [1]
» Negligence
» Breach of warranty
» Failure to protect data
» Failure to disclose defects in products or services regarding capabilities of protecting data
» Unreasonable delay in remedying suspension of service or loss of data
» Violations of various applicable state/federal laws
» False advertising
» Unfair or deceptive trade practices
• Consumer claims are typically filed as class action lawsuits, but tend to have limited success given the difficulty in proving injury in the absence of actual identity theft. However, new legal theories continue to evolve, and so may the outcome of such claims. While it is uncertain whether consumers may successfully prove damages, it is certain that the breached company will face significant costs in hiring legal counsel to defend itself.
6. Federal & State Cyber Liability Requirements
• S.B. 46 Adds Notification Requirements for Breaches of an Individual’s User Name or Email Address in Combination with a Password or Security Question and Answer that Permit Access to an Online Account
• S.B. 46 expands the coverage of California’s existing breach law to include breaches of individuals’ online user names and email addresses, when acquired in combination with passwords or a security question and answer that would permit access to their online accounts. The bill passed the California legislature unanimously, by a final vote of 38-0 in the Senate on September 4, 2013, following final passage of an amended bill by the Assembly (77-0) on September 3, 2013. Governor Brown signed the bill on September 27, 2013.
• Provisions of the Existing and Amended California Breach Notification Law
• The new law amends the existing California data breach notification law, California Civil Code Section 1798.82, which has been in effect in California since July 1, 2003. That law already requires businesses and governmental agencies to notify consumers when a security breach occurs involving “an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver’s license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. (4) Medical information. (5) Health insurance information.” Cal. Civ. Code Section 1798.82(h).
7. Products Available for Cyber Liability
• Forensic Examination
– The cost of obtaining a third party forensics firm is covered under most network risk policies.
• Notification of Affected Third-parties
– Covered by most network risk insurance policies.
• Call Centers
– Typically covered under a network risk policy.
• Credit/Identity Monitoring
– Identity Monitoring and Identity Restoration are covered by a limited number of policies in the market.
• Public Relations
– The direct cost of obtaining a PR firm is covered under most network risk policies.
• Legal Defense Costs and Indemnity Payments to Third Parties
– Coverage is available under cyber risk policies.
• Fines and Penalties from Regulatory Proceedings and PCI DSS Violations
– Coverage for general fines and penalties is available from some markets; however, insurability varies depending on jurisdiction and circumstances. Defense of a regulatory investigation or proceeding is typically covered under most policies.
• Comprehensive Written Information Security Program
– Typically not covered by cyber policies.
8. Costs
• Premiums start at $1,500.
• The average cost of legal defense was $500,000, while the average legal settlement was $1 million. (Zurich study)