30 November 2017

Privacy and Cybersecurity 101: Buying Cybersecurity Insurance Coverage


With Uber joining Equifax, JP Morgan, Target and others as the latest victim of a high-profile data breach, all companies should be evaluating how they can protect themselves from data breaches and the fallout. Over the past month, we have covered how to encrypt your laptop and how to send secure emails. Even if you have a great IT team, train your employees on cybersecurity issues and put into place the necessary software, hardware, policies and procedures, you or your company may still experience a breach. If that happens, the right cybersecurity insurance policy could save you tens of thousands of dollars in legal fees alone.

Cybersecurity insurance is a relatively new insurance product and much of the policy language is non-standardized. The lack of standardization means key language can vary from policy to policy and that much of the language remains untested by the courts. Here are some key questions you should ask yourself, your IT administrator and your insurance broker:

  • Does the policy cover mobile devices, laptops or other employee-owned personal devices that lead to a breach? You do not want to pay for a policy only to find out you have no coverage for the breach caused by the theft of your employee’s unencrypted laptop.
  • Does the policy allow you to choose your vendors or legal counsel? This is especially important for health care providers who must comply with very specific regulations following a breach.
  • Does the policy cover breaches that happened in 2000 but were discovered in 2018? Does the policy require that claims be made the same year as the breach or the same year the breach is discovered?
  • Does the policy include First-Party and Third-Party coverage? First-party coverage includes costs and damages to your own business such as loss of data and loss of business income while your business recovers data or restores network access. Third-party coverage addresses potential liability to clients and governmental entities. You will want protection from lawsuits and governmental fines that may follow a data breach.
  • Does the policy cover data in the possession or control of third parties? What happens if your cloud storage provider, accountant or other third-party vendor experiences a breach? Be sure you know where your data is and that your policy protects you from breaches experienced by a third party.

Members of Miller Johnson’s Privacy and Cybersecurity Practice Group have seen first-hand how the right cybersecurity policy can help a company following a data breach. Asking these questions (and many more), working with your IT staff and working with an experienced broker and lawyer will ensure you purchase a policy that adequately shifts the risks of a data breach without incurring excessively high premiums.