In a recent alert, we outlined potential risks businesses face in the wake of cyber security threats as a result of inadequate data protection. 2013 had the highest number of recorded data breaches in over a decade. Cyber-attacks are no longer a question of 'if,' but of 'when.' Target's recent data breach led to a class action lawsuit filed in Northern California along with an estimated additional 40 lawsuits. Target will survive this exposure, but for some companies, survival will be dependent upon positioning themselves today to receive the maximum available insurance coverage for these attacks.
In order to maximize coverage, it is extremely important for businesses handling customer data to understand the types of claims that might result from a cyber-attack and whether they have insurance to protect against them. At least one lawsuit filed against Target alleged that the stolen information constitutes an invasion of privacy. Most Commercial General Liability insurance policies provide coverage for those types of claims. However, these policies may not provide coverage for incidental events that occur as a result of a data breach. Issuance coverage issues to consider include:
-
Coverage for the cost of notifying all of the affected customers
-
Business losses resulting from the attack
-
Cost of the PR a business might have to do to recover
There are many products in the market that provide coverage for cyber-attacks, but no standard policy. Comparing coverages is not apples to apples. Understanding your risks, your protections and your legal responsibilities can be the difference between sustaining and ceasing 'when' a cyber-attack happens.