By Dean Goodwin, marketing manager, RPS Technology & Cyber


While business owners may understand the dangers of an overseas hacker who infiltrates their network and steals credit card numbers, most believe that their IT systems are protected by passwords and firewalls and that even if their network were penetrated, a privacy breach is covered under their existing business insurance.


Protect both your clients and your agency's E&O by explaining this critical coverage. Read about the most important questions your clients will ask about cyber liability coverage on the following pages.


1. “Doesn't my general liability policy cover me?”


In a word, no. The ISO property form protects the physical presence of computers but not the data that is stored on them. The ISO general liability form specifically excludes claims of copyright, trademark and trade secret infringement. The personal injury provisions of a GL form generally rely on “publication” – an undefined term. Although there have been limited instances of coverage for privacy breach under GL forms, relying on this for coverage is not in your client's best interest.


Business Interruption coverage, an essential part of any business's risk management plan, will not respond to outages caused by computer viruses or hackers. In addition, 47 U.S. states now have laws requiring notification in the event of a potential loss of PII (personally identifiable information), as well as fines and penalties for not reporting the breach. Many carriers offer policies that can cover regulatory fines or penalties your client might incur because of a data breach. Whether or not slim chances exist for liability coverage in other policies, one thing is for sure: none provide reimbursement for the costly first-party expenses required to comply with regulatory requirements and out-of-pocket legal expenses incurred to navigate the process.


2. “How much is this coverage going to cost?”


“We have negotiated master policy rates with some municipality groups and public education insurance pools with premiums as low as $1,500 a year,” said Estelle Cummings, RPS Technology & Cyber's national sales manager. “For larger risks, we can tower coverage as high as $70 million.”


Cyber liability insurance is still a fairly new concept, so there's a lot of variation among policies, and a lot of room for negotiation. However, Cummings advises agents be certain that their clients understand that if they don't purchase this coverage, they will be liable for first-party expenses including hiring forensic IT experts, notification of customers, providing annual credit monitoring, lawyer expenses and any applicable state or federal fines or penalties.


3. “We have an IT department and we have firewalls. Isn't that enough?”


Not usually. Many data breaches occur because of an employee error or an “inside job” from rogue employees. From passwords tacked on computer screens in plain sight and employees opening suspicious email and downloading malware to lost laptops and smartphones, a large portion of security breaches occur because of your employees' actions. Also, keep in mind that a data breach can occur from paper records as well. Outdated customer information, old credit card receipts and employee files that have been thrown into the Dumpster are just as vulnerable as if a hacker logged into your network.


4. “We use a third party for reservations and credit cards. Do we still need this coverage?”


Are your clients taking online reservations? Are they processing credit card payments online? Chances are they're already utilizing a third-party or cloud vendor and your client's network is not storing the data. However, their customers' personal information, in case of a data breach, is still the responsibility of your client.


5. “What are our state's privacy notification laws, fines and penalties?”


Wherever your client is located, make sure that you know the regulatory requirements of the state. When it comes to the unauthorized release of personally identifiable information (PII), there is no federal mandate governing privacy notification, so each state has its own law.


In California, for example, S.B. 24 requires the inclusion of certain content in data breach notifications including a description of the incident, the type of PII breached, the time of the breach, the toll-free numbers and the addresses of credit-reporting agencies. In addition, S.B. 24 requires the breached business to send an electronic copy of the notification to the California Attorney General if a single breach affects more than 500 residents. (California already requires notice to the Department of Public Health for breaches involving patient medical information.)


© 2024 ALM Global, LLC, All Rights Reserved.