Cybercrime is evolving at an unprecedented speed. ANY business that collects, uses and/or discloses personal information needs Cyber Insurance Coverage. Cyber Liability insurance is meant to provide coverage for failure to protect private information in the care, custody, and control of the insured, for which the insured is legally responsible. Private information can be found on paper, in electronic or unencrypted form, on mobile devices, in the cloud, or with contractors.
Cyber Liability coverage varies from carrier to carrier. Coverage may include:
Regulatory Fines & Penalties: Coverage to defend against regulatory actions and resulting fines and penalties arising from a covered privacy event.
Cyber Extortion/Ransomware: Coverage for costs to end, terminate, or investigate cyber extortion threats.
Media Liability: Coverage for wrongful acts (an act, error, omission, negligent supervision, misstatement or misleading statement by an insured) in connection with material on an intranet site owned by the insured or related social media.
Incident Response/Event Management/Mitigation Expenses: Coverage is provided for law firm/breach coach, PR firm, forensics, consumer notifications and remedies including education, assistance, insurance and credit file or identity monitoring.
Payment Card Industry (PCI): Coverage for PCI-DSS assessment from payment card association members as a result of an organization’s failure to comply with PCI-DSS.
E-Network Interruption/Data Reconstruction: Breach expense coverage for e-business network interruption and reconstruction of data.
Business Identity Fraud Insurance & Monitoring: Expense reimbursement to protect against the abuse and fraudulent use of sensitive Business Identity Information (BII).
Employee Personal Identity Protection: Fraud victim resolution services, risk management education, and identity insurance.
Some claim examples include:
Stolen Laptop: An employee’s laptop containing private customer information is stolen. Customers sue the company for damages resulting from the company not protecting their private financial information.
Rogue Employee: An employee steals a customer’s credit card information. As a result, the company was involved in a forensic investigation, a lawsuit, and a PCI fine.
Media Liability: Two employees posted derogatory comments and a video online. The video captured the employee uniforms and work location.
Malware Data Breach: A retail computer system was compromised when a third party sent a malware program via email to a number of employees. The invasive software allowed the third party to access the system and capture the names, addresses, and credit card numbers for all of their customers.
Any business that collects PII (Personally Identifiable Information) should have this coverage. The National Institute of Standards and Technology has provided the following as a guideline:
- Full name (if not common)
- Home address
- Email address (if private from an association/club membership, etc.)
- National identification number
- Passport number
- IP address (in some cases)
- Vehicle registration plate number
- Driver’s license number
- Face, fingerprints, or handwriting
- Credit card numbers
- Digital identity
- Date of birth
- Genetic information
- Telephone number
- Login name, screen name, nickname, or handle
- Claim #
- Policy #
- Policy Information
The following are less often used to distinguish individual identity because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual.
- First or last name, if common
- Country, state, postcode or city of residence
- Age, especially if non-specific
- Gender or race
- Name of the school they attend or workplace
- Grades, salary, or job position
- Criminal record
- Web cookie
There are many different options for coverage and every company’s policy is different. Be sure to read the policy carefully to understand all coverages, limitations, and exclusions.