Cyber criminals do not discriminate and often target small entities. In fact, “31% of all breaches in 2012 occurred at organizations with 100 or fewer employees,”1 spanning diverse industries including finance, retail, manufacturing, technology, government, and more.
While some business owners may understand the dangers of hackers infiltrating their network and stealing private information (e.g. credit card or checking account numbers), most believe their IT systems are secure because they have passwords and firewalls. Moreover, most seem comfortable that even if their network were penetrated, a privacy breach would be covered under their existing business insurance. Unfortunately, that’s not the case at all.
Here are some questions that SMB owners should be asking about their coverage in today’s tech-heavy world:
1. “I have a general liability policy; doesn’t it cover me against cybercrime?”
No. The property policy protects the computers but not the data that is stored on them. The general liability policy specifically excludes claims of copyright, trademark and trade secret infringement. Although there have been limited instances of coverage for privacy breach under liability policies, relying on this for coverage is not in your best interest.
Business Interruption coverage, an essential part of any business’s risk management plan, will not respond to outages caused by computer viruses or hackers. In addition, 47 U.S. states now have laws requiring notification in the event of a potential loss of PII (personally identifiable information), as well as fines and penalties for not reporting the breach. Many carriers offer policies that can cover regulatory fines or penalties incurred because of a data breach.
2. “How much does Breach Insurance cost?”
Cyber liability insurance is still a fairly new concept, so there’s a lot of variation among policies, and a lot of room for negotiation. We have seen policies starting as low as $995 for a small business, with the premium rising as the business gets larger.
3. “We have an IT department and we have firewalls. Isn’t that enough?”
Not usually. Many data breaches occur because of an employee error or an “inside job” by rogue employees. From passwords tacked to computer screens in plain sight and employees opening suspicious email and downloading malware, to lost laptops and smart phones, a large portion of security breaches occur because of employee actions. Also, keep in mind that a data breach can occur from paper records, and a properly written policy will provide protection for a breach of paper files. Outdated customer information, old credit card receipts and employee files that have been thrown into the Dumpster are just as vulnerable as if a hacker had logged into your network.
4. “We use third-party vendors. Do we still need this coverage?”
Are you taking online reservations? Are you processing credit card payments online? Even if you are using a third-party vendor and your network is not storing the data, your customers’ personal information, in case of a data breach, is still your responsibility.
5. “What are the state’s privacy notification laws, fines and penalties?”
When it comes to the unauthorized release of personally identifiable information (PII), there is no federal mandate governing privacy notification; each state has its own law, so you must be aware of your responsibility at the state level.
In California, for example, S.B. 24 requires the inclusion of certain content in data breach notifications including a description of the incident, the type of PII breached, the time of the breach, the toll-free numbers and the addresses of credit-reporting agencies. In addition, S.B. 24 requires the breached business to send an electronic copy of the notification to the California Attorney General if a single breach affects more than 500 residents. (California already requires notice to the Department of Public Health for breaches involving patient medical information).
1 [source: Travelers]