5 Misconceptions about Cyber Liability and Public Entities

The number of cyber attacks and data breaches has increased significantly in recent years, and public entities are not exempt. These “cyber events” include the theft or release of personally identifiable information such as Social Security numbers from a computer system, the transmission of malware from a computer to a third party or a “denial of service” attack that results in the inability to use computers or websites.

These incidents can have a considerable financial impact on a public entity, including the cost of lawsuits, crisis management and notification of the affected parties. They can also lead to a public relations nightmare.

But despite these facts, some public entities continue to believe they are not truly susceptible to a cyber event. Why?

Here are some of the more common misconceptions held by public entities concerning their vulnerability:

  1. “Public entities are not a target for cyber attacks.” Actually, public entities are a perfect target for cyber attacks considering the amount of confidential information in their possession. There is probably no other type of organization, other than a bank or financial institution, that stores more personally identifiable information. It's not uncommon for a public entity to have an individual’s Social Security number, income statements, bank account numbers, driver’s license number and even credit card information. In addition, public entities typically have confidential personal medical and health information for all of their employees. 
  2. “We have the latest technology and software available to protect our electronic information and systems.” The growing number of cyber attacks (more than 500 million records breached since 2005) at both large and small organizations--even those with the most sophisticated software protection--demonstrates that no organization can be sure it is not susceptible. One of the most common causes of privacy information breaches today is not hacking, but human error. When confidential information is stored outside the network system on laptops, smartphones or other electronic storage devices, it can be compromised when the device is lost or stolen.
  3. “Even if our network is breached, we are covered under our general liability or other insurance policies.” General liability insurance commonly provides coverage for “bodily injury” and “property damage.”  Property damage typically means physical injury to tangible property, including the resulting loss of use of that property. However, electronic data is not tangible property and is not covered. In addition, property insurance, crime insurance and professional errors and omissions insurance do not typically provide coverage for cyber liability and notification requirement expenses. 


  4. “Cyber liability notification requirements only apply to commercial businesses.” Currently, in addition to federal regulations, more than 45 states have enacted legislation to protect consumer privacy. These state and federal requirements apply to for-profit and not-for-profit organizations, including public entities. Both state and federal agencies may investigate and take action against any organization that is negligent in the handling of confidential personal information.
  5. “If we had a data breach, we could handle the notification requirements ourselves.” Most public entities would have difficulty complying with state and federal notification requirements in the event of a data breach. It is also common, for goodwill purposes, to provide credit monitoring services and identity theft education and assistance for the affected party. Most public entities would not have the expertise and staff to provide these types of additional goodwill services for the affected party.

So how can public entities protect themselves?

First, assess the exposure. Start with a comprehensive review of the public entity’s entire computer system and safeguards, with an internal review by a dedicated individual or team, or by an independent firm specializing in computer system security evaluation. In either case, every aspect of the computer system should be analyzed to determine any weaknesses or areas of susceptibility that need to be addressed.

Once the evaluation is complete, all improvements to secure the computer system should be undertaken as soon as possible. This may include improvements and formalization of internal safety procedures, as well as the purchase of new or additional hardware and/or software to safeguard the computer system and integrity of the confidential information. 

Second, every public entity should consider purchasing crisis management/notification expense coverage and cyber liability coverage. For first-party crisis management/notification expense coverage, the products and services available vary from carrier to carrier, but coverage for a public entity should include:

  • A computer forensic analysis to determine the cause and extent of the privacy breach
  • A crisis management review and advice from an approved independent crisis management or legal firm
  • Expenses associated with notifying affected parties to maintain goodwill or comply with any notification requirements imposed by law
  • Call center services for credit monitoring as well as identity theft education and assistance for affected individuals.

Third-party cyber liability coverage is typically provided to protect the public entity for the following:

  • Liability arising out of the unauthorized access of confidential information from the public entity’s computer system or the accidental release of confidential information from its computer system
  • Liability arising out of the transmission of malware from the public entity’s computer system to a third party.  

This combination of crisis management and cyber liability coverage can help protect a public entity’s image and assets in the event of a cyber attack.

 
