By Garrett Koehn, regional director and president of Northwestern U.S., CRC|Crump Insurance Services

Back in the mid-1990s, in the early stages of the Internet when we were working with Yahoo and other startups, there wasn't one policy in place that we could use to insure our clients. The Internet was so new we had to show underwriters what we were trying to insure. The operations for most of these companies were in the public space. Because there was no precedent, very little was known about what liabilities they actually faced.

When we first started insuring technology startups, we had to educate underwriters about browsers, search engines and the Internet. As agents and brokers asked us to provide insurance for their clients, it was our job to fully research the company and understand what they were doing. Only by asking lots of questions and using their sites could we determine their probable risks and provide enough information to the underwriter so they could determine the cost for the insurance policies.

Adding to this confusion was the fact that many companies provided their services for no cost. Consider Yahoo—a company providing a service for free! That was unheard of at the time. We had to determine whether there were risks and if there were, what were they? Can someone be held accountable if the service is free? We realized that the public part of Yahoo and other companies was like the risks associated with the media—newspapers, TV and radio.

As a result, the first policies for these Internet companies combined language from several different policies. We started with the information included in media policies because they provided coverage for copyright infringement, libel and slander. But we also added E&O coverage because of the services these companies provided. If a company provides a service, E&O insurance provides protection for that service, whether or not there was a cost for that service. The media policy was the solution for the intellectual property and public information aspect of these companies. The E&O policy covered the service aspect. These two pieces became the cornerstone for future technology policies.

Other coverages were eventually added—for viruses, hackers, privacy issues and possibly even contingent liability. Viruses and hackers were in the news often enough that underwriters would sometimes want to look at the systems, carefully utilizing outside vendors to see how they were designed. Eventually, hacker concerns became secondary when other issues surfaced, such as privacy and contingency—if I publish something and there is a bad result, will I get blamed? Then came slander and trade dress issues. Some carriers targeted the privacy issue fairly early, recognizing the risks a company faced when working with customer databases. Another issue that emerged earlier in the industry was contingent liability. If someone goes online and finds out how to build a bomb, carries out a plan and someone gets injured, is the company liable?

In time, more companies and individuals began to publish materials on their websites. More sites were designed so anyone could add information. Public posting led to the question of self-regulation and liability. Do we need to self-regulate sites, and if so, how? Can someone legitimately ask a company to take down something that was posted? Slander became an issue, and the privacy issue grew larger. Since media policies addressed these risks, most carriers borrowed more information and contract wording from these policies. Especially today, privacy continues to be a growing issue.

Since then, the technology insurance market has grown significantly. And although cyber security and privacy are still relatively new in the marketplace, these issues continue to evolve. Although coverage varies greatly from carrier to carrier, at its core it's designed to help protect the information assets a company maintains, the infrastructure through which the information is accessed and the implications of a breach of either.

Numbers alone justify the need for cyber insurance. In the U.S. between 2005 and 2012, 545 million records were at risk because of 3,002 breaches. And in 2011, nearly 600 breaches put more than 31 million records at risk, according to a 2010 study by Chubb.

Today, most U.S. companies have an exposure to liability from privacy breaches or their activities on the Internet. In a Wall Street Journal article from March 2012, top leaders on cyber security paint a grim picture:

  • According to Shawn Henry, the FBI's top cyber cop, “the current public and private approach to fending off hackers is 'unsustainable.' Computer criminals are simply too talented and defensive measures too weak to stop them.” FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.
  • James A. Lewis, a senior fellow on cyber security at the Center for Strategic and International Studies, said that he doesn't believe there is a “single secure, unclassified computer network in the U.S.”
  • Richard Bejtlich, chief security officer at Mandiant, a computer-security company, testified before Congress that “the median number of days between the start of an intrusion and its detection was 416, or more than a year.”

Key Exposures and Costs

Cyber security exposures are generally twofold. The first is privacy exposure, the failure to prevent the disclosure of confidential information, whether it's in-house or outsourced to a third party. First-party claims relating to privacy exposure can include notification costs, call center costs, credit monitoring, investigation and crisis management costs. Third-party claims may include consumer claims, regulatory claims (defense costs and fines), charges by the credit card issuers and fines. The second exposure involves security—the failure to prevent a security breach resulting in denial of service, proliferation of viruses, theft of confidential information and damage to a third party's network. First-party claims include business interruption, data restoration and cyber extortion. Customer and other third party claims can also result from a security exposure.

Although cyber security has been regulated by the states, there is increasing discussion and legislation that is more federal in nature. The FTC recently issued a report detailing best practices for protecting consumer privacy. This report calls on Congress to pass a new law that would allow consumers to access and dispute the collection of their personal and financial data and allow individuals to opt out.

What is the cost of a data breach?

According to the Ponemon Institute, the cost of an average data breach increased to $7.2 million in 2010. This is based on the actual data breach experiences of 51 U.S. companies from 15 different industries. The cost of these data breaches averages out to $214 per compromised record, compared with $204 per record in 2009. It is the need for companies to respond quickly to any data breach that is driving associated costs higher.

Although notification costs increased in 2011, the cost of a data breach decreased for the first time in 7 years. Lost business costs due to a breach also declined sharply. The average total organization cost was $5.5 million in 2011, down from $7.24 million in 2010.

The cost of lost devices

Data breaches involving lost devices like laptops and other mobile devices containing confidential data usually cost more. Lost devices were involved in 39 percent of breaches. Companies face a variety of costs after a data breach: direct costs with specific line items and indirect costs including expenses like lost business due to the data breach and new customer acquisition costs. Indirect costs are uninsurable, but purchasing insurance with robust first party coverages can help minimize those indirect costs that may result from response to the breach.

Today, the primary cause of data breaches is simple negligence, but malicious and criminal attacks are on the rise. Attacks that are criminal in nature are usually more harmful, compromising many more records than insiders and third party partners. Approximately 87 percent of compromised records result from external attacks.

Privacy vs. Security

Although leaks of confidential information are what is most often heard about in the news, it is possible for companies to experience a security breach without a privacy breach. These may include viruses, denial of service attacks and extortion.

Insurance coverage

Insurance products can help cover both the direct and indirect costs associated with data and security breaches. Insurance often provides access to experts who can help minimize costs in the event of a breach. And by incorporating best practices for IT security and data protection, a company can further help reduce costs.
