It is difficult to imagine a business that does not touch personal information or has no presence on the internet or social media. And individual business principals themselves are especially vulnerable to the risks of identity theft.
DATA BREACH EXPOSURE
Misconception: “My business does not hold personal information so I do not need coverage.”
Reality: Your business is still exposed!
- While you may use a third party to store or process personal information and be the “data holder”, your business is still the “data owner” and in most states the “data owner” is legally required to notify individuals of a breach.
- If you process personal information like credit card numbers but you do not store them, your business may still be the victim of increasingly sophisticated hacking methods that may “skim” this information while in transit.
- If you have employees, you are likely holding their personal information.
- Personal information does
Misconception: “My General Liability policy will cover me for my website activity under the Personal and Advertising Injury coverage.”
Reality: General Liability policies typically have exclusionary language that bars coverage in key situations, such as:
- “‘Personal and advertising injury’ arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights” AND
- “‘Personal and advertising injury’ arising out of an electronic chatroom or bulletin board the insured hosts, owns, or over which the insured exercises control.” This would exclude social networking and blogging.
IDENTITY THEFT EXPOSURE
Misconception: “I can correct theft of my own identity myself.”
Reality: While you can opt to address theft of your identity yourself, the Federal Trade Commission estimates that it takes an average of 400 hours to correct a single identity theft. Do you have the time to spend on this instead of running your business? If you do have the time, are you able to address it quickly enough that your ability to access credit for your business is not negatively impacted?
Misconception: “I can obtain coverage and services to cover the theft of my identity through homeowners insurance or other methods.”
Reality: These solutions address only a theft of your identity. You are still exposed if another principal of your business has their identity stolen and hence cannot help run the business or loses access to loans as outlined above.
“THE CYBER COVERAGE I HAVE ALREADY COVERS ME FOR THAT!”
If you already have cyber coverage, it may be inadequate for your exposure. Cyber insurance carriers have traditionally not provided key features that are critical for accounts with less than $10 million in receipts.
Misconception: “Besides the retention on my Cyber policy, I do not have to incur any expenses for notification and related expenses to respond to a data breach.”
Reality: Your policy likely has reimbursement wording for your data breach expense coverage. This means that if you are required to provide notification, you will have to pay for it yourself and then seek reimbursement from the insurance company. USLI provides limits of up to $250,000 for data breach expense; can your business absorb this cost and wait to get paid back?
Misconception: “I have already covered my gap in General Liability coverage concerning ‘electronic chatrooms and bulletin boards’, because my Cyber policy includes coverage for my website activity. Social networking would be covered.”
Reality: Your coverage likely does not specifically include social networking activity. This is a significant deficiency as businesses rely on social networking in addition to, or in place of, traditional websites.
Misconception: “I am already covered for this under my Cyber policy.”
Reality: Cyber policies, including those with data breach coverage, do not typically cover the theft of the identity of an owner, partner or officer.
Misconception: “My Cyber policy does not have a limit on data breach expense. It does not matter how large a breach I have; it is covered.”
Reality: Your policy may not have a dollar limit on data breach expense, but it likely limits coverage on the number of records stored by you containing personal information that are covered. This could leave you with inadequate coverage: records are difficult to quantify, and the number could grow over the course of a year, exceeding the number covered.
Misconception: “My Cyber policy does not exclude Failure to Maintain Security Measures so I do not have to worry about updating my antivirus, firewalls and other security.”
Reality: Your policy may not have an exclusion for failure to maintain the security measures disclosed in your application, but your policy likely has a provision allowing the insurance company to audit your information security measures. Such audits may be as frequent as every thirty days.
TO LEARN MORE ABOUT HOW AXIAL-FOY INSURANCE CAN HELP PROTECT YOU AGAINST CYBER LIABILITY PLEASE CALL 207-468-2054 or email Mike Sawyer, Senior Insurance Executive
This document does not amend, extend or alter the coverage afforded by the Policy. For a complete understanding of any insurance you purchase, you must first read your Policy, Declaration Page and any Endorsements and discuss them with your Broker. A specimen policy is available from an Agent of the Company. Your actual Policy Conditions may be amended by Endorsement or affected by State Laws.