Insurance carriers and brokers are seeing increased demand in policies specifically tailored to cover an employer in the event of a data breach, a risk that is increasingly common as more business moves online for small and large employers alike.
While online business dealings -- from retailers to electronic health records -- have been prevalent for more than a decade, high-profile data breaches at major companies like Sony, Google and, on a local level, St. Joseph Health, have caused employers to take a closer look at an insurance product that might not have seemed necessary in the past, insurance experts said.
"We've gotten a lot of calls from prospective clients about cyber security and liability policies," said Greg Culley, who runs Culley Insurance Services in Santa Rosa. "And they're asking us, 'Is this something we're insured for?' And they're not, so there's specialized products that a handful of companies are offering, and it's starting to get a foothold."
As numerous examples have shown, a company that either is maliciously hacked or accidentally discloses personal information on the web can, and likely will, face steep class-action lawsuits or will be made to notify and correct the issue, all of which can add up quickly, said Pamela Chanter, vice president of Vantreo Insurance Brokerage in Santa Rosa.
[caption id="attachment_57294" align="alignright" width="144"] Pam Chanter[/caption]
"Cyber risk has never been greater than today due to the technology-dependent world where we do our business online and where we store sensitive customer data electronically," Ms. Chanter said. "We see in the news on a regular basis that businesses have breaches that involve millions of dollars from cyber attacks. It's clearly a risk that impacts the bottom line of a company."
Smaller companies in particular are expressing increased interest, as the ramifications of data breach become visibly damaging to even the largest, most organized companies, said Joe Smith, a professional liability broker with Crouse and Associates, a San Francisco insurer that writes a good deal of Vantreo's specialty coverage.
"There is definitely a trend of corporations and smaller business buying it," he said.
And it's not strictly limited to electronic breaches, but rather it could be any situation where personal data is mined or lost from a company's confines, Mr. Smith said.
"There's a common misconception that cyber liability has to be in electronic form. It doesn't," he said, noting that dumpster diving for documents and employee error, such as failing to encrypt passwords on computers, contribute to about 75 percent of cases in which personal information is disclosed.
"It's really exploded and evolved into what it is today within the past five years," Mr. Smith said of the level of coverage and interest in it. Such liability insurance has existed for probably a decade or so, but only recently have employers begun to look closely at the policies. "Definitely more within the last two years."
Mr. Culley and Mr. Smith both likened the increased attention in cyber liability coverage to that of employment practice liability insurance -- it wasn't popular when first rolled out but is now a standard area of coverage.
"Over the years we've seen that you're more likely to get sued by your employee for wage disputes and discrimination," Mr. Culley said. "It wasn't immediately popular but over time it became common place. I think (cyber security liability) is going to go the way of employment practice -- it will be a standard part of your insurance package."
Mr. Smith agreed. "I relate it to practice liability -- it was there but nobody bought it," he said, adding that over the last two years, he's seen workload in cyber liability increase from about five percent to 10 percent. "Companies figured out 'I have this exposure.' It's been around but now it's at the forefront."
A breach, whether accidental or malicious, typically includes names, addresses, date of birth, Social Security numbers, credit card information, driver's license, financial data, medical records, and legal data -- essentially a wide swath of information that is stored by a wide variety of industries.
Some industries, though, might be at a higher risk, and smaller employers in particular could take a big hit from accidental disclosure -- a small medical practice with electronic health records or a small legal practice, for example, Mr. Culley said.
Currently, there are about 25 markets that carry cyber liability insurance. "And it's one of the fastest growing areas of professional liability," Ms. Chanter said.
A typical policy is priced based on revenues, number of records retained and the nature of a client's business. Rates can vary depending on the industry and the client, of course, but most policies would have a $1 million limit as a minimum, and a minimum premium of $2,500, Ms. Chanter said. She added that Vantreo has already written several policies, but has not had any claims yet. It's estimated, though, that a typical claim can cost as much as $18,000 a day and that 14 days is the common amount of time taken to resolve matters.
Typical reasons for accidental disclosure can include an employee’s laptop or flash drive being stolen, which contains the customer’s data, a hacker breaks into a network and steals customer data, potentially selling it to criminal elements or extorting the company, or a computer malfunction or human error accidentally distributes customer data, according to Ms. Chanter.
"All of these scenarios and more can significantly impact a business, whether small or large," she said. "Notification laws require a company to notify their customer base via call centers, written letters, press releases and so on, of the security breach. There is the risk of litigation. A new more secure security system will need to be installed. Customers will be lost. There is general interruption of day-to-day business. All of this leads to lost time and lost revenues."
