Overview
Employers increasingly face losses from insiders and third parties who access, copy, or otherwise misappropriate business information. Courts have sometimes narrowed the circumstances in which criminal statutes apply to these incidents, leaving civil remedies and insurance as the primary loss-control tools for many organizations.
This article explains how cyber liability and related coverages typically respond to insider data theft, what they often include and exclude, and practical steps to reduce exposure and document losses for a claim.
Key takeaways
- Cyber liability insurance can help cover response costs, investigations, and some liability from stolen information.
- Criminal law may not always provide a remedy for misappropriation of data, so insurance and internal controls are essential.
- Policies differ widely; review terms, definitions of “computer,” and how employee access is treated in your policy.
How it works
Cyber liability policies commonly cover expenses related to incident response, forensic investigation, notification, credit monitoring, and regulatory fines where insurable. They may also include coverage for business interruption and data restoration after a security incident.
Coverage triggers and limitations vary. Some policies require that the loss result from a covered threat (such as a malicious act), while others include theft by insiders only when the conditions for that coverage are met and clearly defined in the policy language.
What it may cover (and what it may not)
Typical covered items include investigation costs, legal and public relations expenses, customer notification and credit monitoring, and settlement or defense costs for covered claims made by third parties.
Policies may exclude losses arising from dishonesty or fraud by an insured person unless a specific crime or employee dishonesty endorsement is purchased. Coverage for proprietary business information and trade secrets can be limited or require specific endorsements.
For practical guidance on balancing data access and protection, see Tradeoffs in Data and Information Management.
Common mistakes to avoid
Assuming your general liability policy covers cyber events is a frequent error; cyber risks are often excluded from standard policies. Relying solely on criminal prosecution to resolve theft of data is risky because legal standards and enforcement priorities can vary.
Failing to document internal controls, access logs, and chain of custody for evidence can jeopardize a claim. Also, not purchasing separate employee dishonesty or crime endorsements where appropriate can leave meaningful gaps.
Questions to ask an agent
Ask whether the policy explicitly covers theft or misappropriation of electronic data by employees or third parties and whether there are exclusions tied to authorized access versus unauthorized access.
Confirm limits for investigation and notification costs, any sublimits for forensic work, and whether regulatory fines and penalties are covered where permitted by law.
Request examples of recent claims handling and clarify what proof the insurer requires to substantiate a loss caused by an insider or contractor.
Next steps
Start by reviewing your current cyber and crime policy wordings for definitions of “computer,” “access,” and related terms so you understand where gaps may exist.
Strengthen internal controls such as least-privilege access, logging, and exit procedures, and consider technical safeguards and off-site backups to limit damage and support recovery. For practical tips on protecting client information from simple, non-technical threats, consult Protecting Client Data from Low-Tech Thieves.
If coverage questions remain or you need to compare options, review them with your broker or talk to an agent who can explain specific endorsements and limits available for your organization.
Frequently Asked Questions
Will cyber insurance pay if an employee steals customer lists?
It depends on your policy language and endorsements; some cyber and crime policies can cover theft of electronic customer lists if employee dishonesty coverage is included.
Does the Computer Fraud and Abuse Act always apply to insider misuse?
No. Federal statutes are applied case by case, and courts may interpret their scope differently, so a criminal remedy is not guaranteed.
What evidence do insurers typically require for a data-theft claim?
Insurers often want access logs, forensic reports, incident timelines, and documentation of internal controls to verify the loss and how it occurred.
Can preventative steps reduce insurance premiums?
Yes. Demonstrating strong access controls, employee training, and incident response planning can favorably affect underwriting and pricing.