Insurance for Cyber Liability and Data Security

Available Coverage for Cyber Liability and Data Security

Coverage Part A

• Data Breach Liability: Claims arising from the public disclosure of private information without the authorization of the owner of such information
• Security Breach Liability: Claims arising from failure of the insured’s computer hardware/software or other security to prevent transmission of malicious code or denial of service attacks against third parties or the manipulation of data stored by the Insured
• Defense of Regulatory Proceedings: Due to violations of federal or state laws regulating the protection of private information
• PCI Fines & Penalties: Credit or debit card industry fines or penalties for inadequately securing credit or debit card information

Coverage Part B

• Data Breach Expense: Covers notification letters to victims, public relations, forensics and credit monitoring expenses due to an unauthorized exposure of private information
• Cyber Extortion Threat Expense: Extortion payments made, expense to hire negotiators and rewards to catch extorters

Coverage Part C

• Website Liability: Covers claims for libel, slander, plagiarism, misappropriation of ideas and infringement of copyright and trademark claims arising from the organization’s Web site activity

Coverage Part D

• Identity Theft: Covers credit monitoring and other personal expenses incurred by board members or owners in resolving identity theft
• Board members or owners who are victims of identity theft can access a team of identity theft specialists who will guide them through the process of resolving identity theft issues
  

Claim Example for Cyber Liability and Data Security

Coverage Part A - Data Breach Liability: A local restaurant chain discovers that their payment systems have been breached over the course of three months. Tens of thousands of customers had their credit card information stolen, resulting in fraudulent charges on the victims’ accounts. Victims band together and sue the restaurant chain for costs incurred, including paying for credit monitoring, recovering lost funds and expenses incurred in clearing their identities.

Security Breach Liability: A restaurant is sued by an e-commerce organization for its participation in a denial of service attack against the e-commerce firm. The restaurant had antivirus and firewall protection on its computers. However, the restaurant had not made updates to them in the past couple years. It turns out their computers became infected with malware, which, when activated, participated in an attack against the e-commerce firm’s servers, overloading them with requests and shutting down their system for a day. The e-commerce firm sued the restaurant, among others for lost revenue and costs to repair their server as a result of the neglect of standards of care by those unknowingly participating in the attack. The restaurant paid over $50,000 in defense and settled for $30,000 in loss.

Defense of Regulatory Proceedings: Joe owns a family restaurant. Joe makes the decision to store customer names, birth dates, addresses, phone numbers, and email addresses to send customers promotional emails and birthday coupons. The restaurant has proper security in place to protect the information. However, a hacker exploits a vulnerability and gains access to the personal information and sells it on the Internet. The state where the restaurant is located accuses them of privacy law violations and sets up hearings to decide if fines will be assessed. Joe expends $10,000 to defend the company and is ultimately fined $30,000.

Payment Card Industry (PCI) Fines and Penalties: Tanya owns a popular bar & restaurant. Her point of sale software is hacked and customer credit card records are stolen. In addition to the expenses incurred for customer notification and credit monitoring, the payment card industry is investigating the lack of safeguards in place to protect credit card data. Tanya’s restaurant is ultimately fined $30,000 for lack of PCI compliance at the time of the breach.

Coverage Part B - Data Breach Expense: A rogue waiter at a local restaurant steals customers’ credit card information with a credit card skimming device. State law requires the restaurant to report the breach and notify their customers. The restaurant spends over $150,000 to hire a firm to conduct forensics to determine all those affected, re-secure its network, send out notification letters across multiple states and set up credit monitoring for the customers. In addition, $75,000 is spent on hiring a public relations firm to manage the publicity surrounding the event.

Cyber Extortion Threat Expense: Jerry, the owner of a pizza parlor, arrives at work to find his website and online ordering system have been shut down by a denial of service attack. A hacker notifies him that they have 24 hours to pay $10,000 or the website will be kept offline indefinitely. As the deadline nears, Jerry realizes that he cannot thwart this attack, and he is forced to pay the amount demanded.

Coverage Part C - Website Liability: As a fun way to attract new customers, a seafood restaurant posts clips of a famous movie about a shark on its website. However, the restaurant never received permission to post these images. The movie studio finds out and threatens a lawsuit based on violations of their intellectual property. At first, the restaurant fights but then relents, agreeing to take down the postings after spending $10,000 in defense costs.

Website Liability: Mike is a restaurateur with a small chain of quick service restaurants along the Florida coast. He has a social media page instead of a Website which includes a section for customer feedback. Mike monitors posts daily and is shocked to find a review from a customer who stated that the service was awful, the food was cold, and she saw mice running around the floor. Mike posted a reply to the customer saying she was rude, impatient, and that it is impossible to satisfy “crazy” customers like her. The customer sued Mike and his restaurant for $500,000 for libel and intentional infliction of emotional distress.

Coverage Part D - Identity Theft: Carl is a small business owner of a local restaurant. When Carl inquires about a loan to open a new location, the bank turns him down due to poor credit. Apparently, his identity was stolen, and the thief had opened up additional lines of credit and was purchasing big ticket items such as a car and boat. They all went unpaid, and collection attempts went to a fake address set up by the thief. His USLI policy provides coverage for the expense of overnighting correcting documents to the credit agencies, the additional fees incurred to resubmit his loan application, and a year of credit monitoring. Carl is now able to successfully reapply for a loan and grow his small business.