Cyber Liability a Smart Investment

On April 20, 2011, someone hacked the Sony PlayStation Network. They found an opening in the online video gaming network's password-reset system and penetrated the security protecting its customer database. Days later, the company admitted that the hackers had obtained personal information on 70 million or more subscribers.

The attackers obtained names, physical and email addresses, birthdates, and other identifying information, and it is possible that credit card numbers were exposed. Sony took the network offline to reinforce it, but within days of it coming back online, attackers again breached the system.

PlayStation Network is a high-profile target with tens of millions of subscribers, making it attractive to criminals. However, even small businesses that do business over the Internet are vulnerable to the same kinds of intrusions. The federal Internet Crime Complaint Center referred more than 146,000 complaints to local, state and federal law enforcement agencies in 2009, 22 percent more than the year before. One out of every three of those complaints was for identity theft, credit card fraud and computer fraud.

The Ponemon Institute has reported that the average data breach costs businesses millions of dollars in combined expenses and lost business. To manage that risk, organizations should consider cyber liability insurance; for guidance on coverage and exposures in the management context, see Management Liability and Cyber Insurance.

What could happen to a business's data?

Over a seven-year period, a Georgia man stole 675,000 credit card numbers and associated information. He racked up thousands of fraudulent transactions and bills exceeding $36 million.

A Texas employee received a lengthy prison sentence for hacking into 14 computers at the hospital where he worked as a security guard. He disabled network security systems, installed malicious software, infiltrated a computer containing patient medical records, and gained remote access to building controls.

Law enforcement caught another person attempting to access ATMs as part of a planned scheme to steal large sums. These examples show that attackers target both large and small systems with potentially severe financial and operational consequences.

When consumers and business owners give credit card numbers and other personal information to an organization, they expect that information to remain confidential. If customers suffer financial harm because their information was exposed, they may hold the organization responsible. To help manage liability and response costs, organizations should consider specialized cyber liability insurance; firms that serve financial record-keeping or tax clients may want to review industry-specific options such as Accountants (Tax Preparers/Bookkeepers/CPA/EA) Cyber Liability.

What a policy may cover

  • Damages to third parties caused by a network security breach
  • Loss resulting from administrative or operational mistakes made by the business's own employees or by outside vendors
  • Expenses resulting from a breach of consumer protection laws, such as HIPAA or the Fair Credit Reporting Act
  • Costs of notifying customers of a breach
  • Public relations expenses necessary to repair the business's reputation

Many insurers now offer Cyber Liability policies, and specialty brokers can often place coverage if a general broker does not have direct access to a carrier. Nonprofit organizations face the same exposure and may require tailored solutions; see Cyber Liability for Nonprofit Organizations for more information.

To prevent or reduce losses and to make themselves more attractive to insurers, businesses should implement strong network security systems and continually monitor and update them. Develop plans for responding to intrusion events that include who should be involved, procedures for notifying affected customers and authorities, and a public relations strategy for keeping stakeholders informed.

If you want help reviewing options, talk to an agent.

Frequently Asked Questions

What does cyber liability insurance typically cover?

It commonly covers third-party damages from a breach, notification costs, regulatory defense expenses, and public relations to restore reputation.

Do small businesses need cyber liability insurance?

Yes—small businesses are frequently targeted and can face costs they cannot absorb after a breach, so insurance helps transfer that financial risk.

Will insurance pay for fines or penalties?

Policies vary; some cover regulatory fines where permitted, while others do not, so review policy terms with an insurer or broker.

What should a business do immediately after discovering a breach?

Contain the incident, document what happened, notify legal counsel and your insurer, and follow a prepared response plan to notify affected parties as required.
