According to Vispoli, more than half of the companies with less than 1,000 employees have experienced an online data breach. Thus showing that the need for cyber liability coverage is not limited to large technology and multi-national corporations.

With increased legal activity, attorneys are inserting the need to carry Cyber Liability into contract requirements.

Clients are also realizing the importance for cyber liability especially with expansions of federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and Red Flag rules.

Policy Forms should address how carriers deal with the defense of regulatory matters. For the cost to defend the insured against investigation, some carriers will provide full policy limit. Others will have a sublimit and some forms may only cover costs if there is a civil suit.

Michael Carr, director of Information Technology and Cyber Liability at Markel Shand, refutes the common belief that the majority of data breaches covered by cyber liability policies occur on public Internet space. Carr states that most claims occur on companies’ networks where their client’s personal data is stored. A common misconception among many agents and insurers is that a client does not need cyber liability coverage if their business is not involved in e-commerce.

Paper records should be another concern as Carr states: “An awful lot of confidential information is still stored on paper. Businesses have the same duty to protect that as electronic forms. Many but not all (coverage) forms extend to paper records.”

Source: Big I E Newsletter, September 2009

State Notification Laws require businesses to notify customers or patients in a timely matter of any data breach that might affect them. Each state has its own requirements and failure to notify per such state’s notification law could lead to fines and penalties.

The Hi-Tech Act which is part of the 2009 American Recovery and Reinvestment Act, creates a federal notification requirement for the breach of Protected Health Information. The HITECH Act also provides incentives for physicians to put into practice “meaningful use” of an Electronic Health Record system.

Red Flags Rule applies to “financial institutions” and “creditors” with “covered accounts,” per the regulation. This rule was created in November 2007 as an addition to the Fair Credit Reporting Act.

The Massachusetts Office of Consumer Affairs & Business Regulation issued a regulation known as Massachusetts 201 CMR 17.00 in September of 2008. This regulation was intended to protect the unauthorized disclosure of personal information for Massachusetts’s residents. The importance of this wide sweeping law applies to any person or business that has personal information on a resident of Massachusetts. Penalties for non-compliance may be subject to a $5,000 civil penalty for each violation of each person affected.

So what’s next? H.R. 2221, the Data Accountability and Trust Act was recently passed by the House subcommittee on Commerce, Trade, and Consumer Protection which would require businesses to notify customers when outside parties gain access to sensitive information due to a security breach.

Cyber liability or security and privacy insurance has been developed by insurance carriers to provide coverage for these exposures. First Party Coverages include business income and extra expense; crisis management expenses, cyber extortion; credit monitoring expenses and notification costs. Third Party Coverages include network security and privacy liability; internet and media liability; and regulatory defense coverage (including penalties and fines).

Finally, remember that there is no standard policy form in the marketplace. Each policy form will require extensive review and analysis by a Cyber Insurance Specialist.

Source: David Perkins, September 7, 2009 www.insurancejournal.com