Overview
Theft of business information by insiders or third parties raises complex legal and insurance questions. Recent court decisions have limited the reach of some criminal statutes when applied to employees who accessed data they were authorized to use, which can make civil and criminal remedies harder to obtain.
Because legal outcomes vary by jurisdiction and by the specific facts of each case, businesses should consider non‑legal protections—such as contractual safeguards, internal controls, and insurance—alongside any litigation strategy.
Key takeaways
- Criminal statutes may not always cover employee misappropriation of data; remedies can be uncertain.
- Insurance and internal controls are essential complements to legal remedies for information loss.
- Review policy language carefully to understand what types of data loss and theft are covered.
How it works
The law treats physical property and information differently, and courts have sometimes narrowed broad federal computer and theft statutes when applied to authorized users. That means prosecutors may decline to bring charges, and civil plaintiffs may find that statutory claims are unavailable or difficult to prove.
Insurance fills many of these practical gaps. Coverage can include loss from theft, expenses to investigate and restore data, business interruption from a data loss event, and liability to third parties whose information was exposed.
What it may cover (and what it may not)
Typical cyber and crime policies can cover forensic investigation costs, notification and credit monitoring for affected individuals, and certain theft or fraud losses. A dedicated crime policy may address direct financial loss caused by employee dishonesty or third‑party theft.
Not all policies are the same. Exclusions commonly apply to intentional acts, inventory shortages, or losses tied solely to reputational harm. Carefully read policy definitions of "property," "data," and "dishonesty" to confirm whether information theft is included.
To explore technology‑oriented coverages that address data and systems risks, consider specialist options such as Information Technology Insurance. For coverage that focuses on financial theft and asset disappearance, review offerings like Theft, Disapearance and Destruction (Crime) Insurance.
Common mistakes to avoid
Assuming criminal law will always solve employee data theft is a common error; investigations can be prolonged or ineffective if statutes don't apply. Relying on a single control, such as access permissions without monitoring, is also insufficient.
Another mistake is buying generic coverage without ensuring the policy language includes the types of information loss and response costs you face. Failing to coordinate IT, legal, and insurance teams before an incident reduces recovery speed and increases expense.
Questions to ask an agent
Ask whether the policy explicitly covers misappropriation of confidential information and what proof is required to make a claim. Clarify whether forensic and notification costs are covered and whether coverage applies when an employee, rather than an outside hacker, is responsible.
Also confirm policy limits, sublimits for incident response, waiting periods for business interruption, and any required pre‑incident controls or reporting steps to preserve coverage.
Next steps
Start by documenting your current access controls, incident response plan, and any recent incidents or near‑misses. Share that information with your broker or insurer so they can match coverages to your exposure.
If you need quotes or want to review specific policy terms, talk to an agent to compare options and endorsements that address both cyber risk and employee theft.
Frequently Asked Questions
How often do courts rule that criminal computer statutes don't apply to insider data theft?
Court decisions vary by jurisdiction and by case details; some courts have narrowed criminal statutes where an employee had authorized access, while others have allowed broader applications.
Can insurance cover the cost of investigating a suspected employee theft?
Yes—many cyber and crime policies cover forensic investigation and related response costs, but coverage depends on policy wording and any applicable sublimits.
Will an insurance claim hurt my ability to pursue legal action?
Filing a claim does not inherently prevent legal action, but insurers may require cooperation with investigations and recovery efforts; coordinate legal and insurance strategies early.
What documentation helps support a claim for stolen information?
Logs showing unauthorized access or exfiltration, internal audit records, communications, and forensic reports all strengthen a claim and speed insurer assessment.
Should small businesses buy separate cyber and crime policies?
Many businesses benefit from both forms of coverage because cyber policies focus on data and systems incidents while crime policies address financial theft and employee dishonesty.