Buying cyber insurance? Know your liabilities
Data breaches and other cybercrimes are becoming a lot more common in today’s ever-growing digital world. If your small business falls victim to a data breach, it typically results in major fines and legal fees, not to mention unexpected expenses and down time that will occur when trying to recover. Many small businesses that encounter a data breach cannot recover and typically go out of business within six months. If you have a small business and are unsure what constitutes a data breach, refer to Delaware’s House Bill 180, which lists what data is considered Personal Identifiable Information (PII) and what to do in the event of a breach. The Delaware SBDC has an informational flyer on the house bill that can be found online or by contacting the office.
Cyber insurance was developed to help alleviate the costs associated with a data breach. However, the policies, much like general business insurance, are not one-size-fits-all. Cyber insurance has been around for years, but it has only recently become popular and been recognized as a necessity. Police coverage varies tremendously by insurer. Therefore, the Delaware SBDC has come up with a list of recommended items that should be in most cyber polices.
When shopping for cyber insurance you want to make sure it has a comprehensive liability coverage for both first-party (internal) and third-party (external) losses. First-party liability coverage is any general cost incurred as a result of a cyber or data breach. Third-party liability coverage is defense costs if the affected parties seek legal action against your business. The key items you want in your plan are:
“¢ Legal fees ““ These are any fees associated with any legal representation the business may need when determining the scope of federal and state notification requirements.
“¢ Forensic investigation fees ““ In the event of a cyber or data breach you will need to hire an outside forensic team to investigate what happened, what information was taken, and how that information was taken. Depending on the scope of work, this can be a substantial amount of money, money typically a small business does not have sitting around.
“¢ Notification fees ““ These are any fees associated with notifying the affected individuals in the business’s cyber or data breach.
“¢ Public relations fees ““ Any fees associated with repairing the businesses brand’s reputation. A small business will have to do a lot of work to mend the damaged reputation.
“¢ Business interruption fees ““ In the event the business is completely shut down due to a breach, this should cover the fees to hold the business over till it is back on its feet. This should include any fees in recovering or restoring lost data from the breach.
“¢ Affected party fees ““ This fee is incurred when the business is required to provide credit monitoring and identity-theft protection to the people affected by the breach, or any other fee that requires direct payment to an individual. If the business is a Delaware company the fees are spelled out under House Bill 180.
“¢ Regulatory fines and penalties ““ This fee is exactly what it says: In the event of a breach, fines can be incurred if the business did not have proper procedures in place to try and prevent the breach.
“¢ Liability and defense fees ““ The business may find itself in the middle of a lawsuit due to a breach and these fees cover any settlements, damages, and judgements from those suits.
Most polices will cover these items, however to what extent and how much they cover is up to the coverage provider. Data breaches are not cheap, so the more the policy covers the better; however, businesses need to be mindful that they not paying for things they may not need. Small businesses also need to make sure they are adhering to all the policy’s rules and regulations. Small businesses do not want to be in a situation where they need to utilize their cyber coverage, only to then find out they cannot use it because data storage process voided their coverage.
Some common reasons for small businesses coverage providers to void a policy would be if they stored customer data in an unsecure unencrypted location. Another example is if customer data is stored on printed paper, or if an employee of the company lost an electronic device that was not encrypted or password-protected. Moral of the story: Be mindful to adhere to insurers’ regulations in order to stay covered.
If the small business should need any help with choosing a provider or meeting the provider’s security requirements to be covered, please reach out to the Delaware SBDC. The Delaware SBDC has tons of great material under its Data Assured program that can assist small businesses
and direct them to the right security track.
By Jacob Blacksten
Jacob Blacksten is the technology business advisor for Delaware Small Business Development Center.