The many risks are evident. Private information of all kinds—personal, financial, medical—resides on the computers of nearly every business. Hackers and identity thieves increasingly are compromising system vulnerabilities, seeking to break in and exploit the details.

Hacking has been generating high-profile news lately. Citigroup warned 360,000 credit card customers that some account data was compromised. AT&T apologized to 114,000 new iPad owners, including celebrities, after hackers leaked their email addresses to an online gossip site. Privacy breaches, both accidental and criminal, are increasing steadily, along with their costs.

Violation of privacy laws and regulations also has become one of the fastest-growing litigation areas, with lawsuits accusing companies of negligence in their computer system security, breach of warranty and failure to properly inform customers following unauthorized access or accidental loss of personal data.

The financial risks of privacy breach are growing for service businesses. Potential costs include liability to customers or employees whose details are exposed, regulatory and legal expenses to notify affected individuals, work to restore computer systems, business interruption, damage to reputation—even extortion demands.

Property-casualty agents and brokers should stay informed about this increasing risk and the coverage solutions that can help mitigate financial exposure. The frequent news of hacking attacks offers ample opportunities to discuss coverage needs, especially with clients in the miscellaneous professional liability category.

Growing privacy threats

Businesses that once were simple service providers have taken on added technology functions that today are integral to their operations. Not only do these businesses worry about errors or omissions in their primary services; they must be concerned about their computer systems holding protected personal information on thousands or millions of clients. Much of this information is regularly exchanged in the course of transacting business through websites and interacting with other service providers.

The result is a potential nightmare for medical billers, third-party administrators, marketing companies, collection agencies and other miscellaneous professional service organizations.

Common causes of data losses include criminal attacks by hackers, mistakes by employees or third-party outsourcers, and loss or theft of laptops and other mobile devices. Some recent examples from the Identity Theft Resource Center:

  1. An IT vendor for a health insurer reports stolen computer drives holding data on 1.9 million customers: names, addresses, medical information, Social Security numbers and other financial information
  2. A medical transcription firm inadvertently opens its server to access from the Internet, making more than 1,000 detailed patient records potentially available to third parties
  3. A direct marketing vendor sends a mailing that accidentally prints the Social Security numbers of 8,000 people on the outside of the envelope
  4. A collection firm is hacked, losing 1,800 consumers' confidential credit reports
  5. An employee of a call center improperly downloads an electronic database of customer identities, Social Security numbers and payment card details
  6. An email marketer for dozens of the largest U.S. companies is hit by hackers who gain access to millions of consumers' names and email addresses.

Related: Read Jordan Kurkowski's article “Insureds Without Cyber Policies Risk CGL Coverage Holes”.

Some privacy breaches involve paper rather than electronic losses: A tax preparer's briefcase is stolen from a car, a thoughtless employee discards old files in a trash container, or confidential papers are left out on a desk. But technology has enlarged the scale of the privacy risk.

Protected personal information is generally defined as confidential data that could cause financial harm to a person if unauthorized users gain access. Examples are Social Security numbers, driver's license numbers or equivalent, bank account or credit card numbers, and certain medical or healthcare information.

Even unauthorized release of email addresses and passwords can make consumers vulnerable, because criminals pretending to be banks or trusted retailers send targeted phishing emails seeking data that would expose financial accounts to fraudulent transactions. Hackers also take advantage of the fact that many consumers use the same password for all of their accounts.

A loss can be extremely costly to a company. The average cost of 51 data breaches at U.S. businesses studied in 2010 was $7.2 million, or $214 per affected customer, according to the Ponemon Institute, a think tank on security issues.

Covering privacy risks

Many insurers offer coverage that can be endorsed to a standard miscellaneous professional liability policy, offering defense and indemnity coverage to insureds to manage potential liabilities from privacy breaches. First-party coverages that proactively cover expenses if a security breach occurs also are an option.

The basic privacy coverage is an enterprise-wide network security and privacy liability endorsement, which defends the insured against claims alleging negligence in maintaining or protecting personally identifiable information. In addition to customer information, the coverage includes claims by employees arising from unauthorized disclosure of data.

Generally, regulatory action defense coverage is coupled with that network security and privacy endorsement to provide a defense for actions brought against the insured by any regulatory or governmental organization as a result of a violation of privacy laws or regulations. The current standard in miscellaneous professional liability policies is not to cover claims brought by governmental agencies. Even when privacy coverage is purchased, it typically provides for defense costs but excludes payment for fines or penalties.

Crisis management coverage provides reimbursement of a company's expenses to respond to a privacy breach, including costs to notify affected individuals, provide credit monitoring services, engage forensic experts to determine the cause of the breach, and hire a public relations firm to help mitigate damage to a company's reputation. Unlike other coverages, crisis management coverage is not for liability to others but for direct costs incurred by the business. This coverage will assist companies in reassuring customers that the company recognizes the problem and wants to continue serving them.

Business interruption coverage, familiar to property insurers, is needed to cover the loss of revenue if a security breach causes a material disruption to a company's computer system and sales suffer as a result. This coverage generally is structured with a waiting period that gives the insured a fixed time, such as 12 hours, to get its computer system back up and running before the revenue losses are covered as business interruption.

Data restoration coverage may be required to offset the company's expenses to restore customer, vendor and employee files, which can be substantial depending on the severity of the data breach.

A final coverage, computer system extortion coverage, may also be useful to protect businesses against hackers holding confidential data for “ransom.” Often compared to kidnap and ransom coverage, this coverage provides funds that can be used by a company to investigate extortion threats and/or pay extortion losses, when a hacker gains access to company systems and demands payment to not disseminate the confidential information.

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.