FAQ
A lot of confusion exists around Cyber and Data Breach Insurance. Our underwriters have compiled this list of the most common questions clients often ask regarding privacy or data exposures and insurance coverage.
What is my exposure?
Generally, the typical exposure includes personally identifiable information in your custody – from employee social security numbers and driver's license numbers, to payment cards accepted for fees, goods and services, exposure to clients' sensitive data, healthcare records collected, etc.
Why do you need to know how many records a company has?
The higher the number of records, the higher the exposure and the higher the potential costs post-breach.
Who is Hiscox?
Hiscox is a leading specialist insurer, with roots dating back to 1901.
They are not a traditional insurance company as they target specific types of insurance in which they develop expertise, often focusing on areas other insurers find too complex to insure.
By challenging convention in each specific market they are able to offer market leading products and services to US businesses.
Hiscox Insurance Company Inc. is a Chicago, IL domiciled insurer admitted or licensed to do business in all 50 states and the District of Columbia. Hiscox Insurance Company Inc. is rated A (Excellent) by A.M. Best with a group financial size category (FSC) of XII.
I got an endorsement to my other policy for this. Isn't that enough?
Maybe, but usually not. Most endorsements are for a very small dollar amount with very limited coverage. For example, only third party costs may be covered, or the maximum coverage for first party costs may be only $50,000. Every company would benefit from a full privacy/data breach policy, providing the peace of mind that comes with knowing that the costs of a potential breach won't be catastrophic to the business.
If my only real exposure is first-party data (such as employee data), do I really need a policy?
All companies have the duty and obligation to safeguard the information they hold on behalf of their employees as well as any confidential information about the business itself. No company is immune from attacks. A Hiscox policy provides coverage for employee data.
I am not a target like Sony, Anthem or Home Depot. Why should I worry?
Large corporations make the news. Small ones don't. It's a matter of 'when', not 'if' a company will have a breach of data. There's a black market where these records are sold and bought, and hackers are only getting savvier. Target, Home Depot, Anthem, and other large organizations have entire departments devoted to analyzing the risks the company could face and helping set policies and procedures to protect against them, and their systems and data have still been breached. Smaller companies without someone responsible for network security and the resources to protect their data are easy targets for hackers.
Who buys cyber coverage?
Companies who are mitigating this growing risk. It is becoming a must-have coverage.
Why shouldn't I trust my IT Department when they say they have it covered?
Target, Sony, and other large corporations have entire departments devoted to IT security, and they did not have it covered. A simple error or omission like not updating software, not setting appropriate user authentication procedures for third party vendors, losing an unencrypted laptop that stores sensitive data, or a rogue employee with malicious intent can all lead to a breach. Exposures grow as technology expands, and hackers are only getting smarter and better.
Do I need this coverage if I don't store any client information on my network?
Yes. You may not store client data, but you may have access to it. You may cause a breach of your client's data, consequentially breaching a contract. Corporate information is also covered under a privacy/data breach policy. Employee data is also a liability.
My company is really small. Am I still at risk of a data breach?
Every company has data breach and privacy exposures, either through employee sensitive information, payments accepted from third parties, services provided, etc. Some have more exposure than others, but it's important to emphasize that every company with employees is liable for third party data (including employee data). A breach costs an average of $188k, for the smallest companies with the smallest exposure. Costs add up very quickly.
I outsource my payment card processing to a third party. I don't have any payment card exposures, do I?
According to the PCI Compliance Guide, PCI applies to ALL organizations or merchants, regardless of the size or number of transactions, that accept, transmit, or store any cardholder data. And merely using a third-party company does not exclude a company from PCI compliance. It may cut down on the risk exposure and consequently reduce the effort to validate compliance, but it doesn't mean a merchant can ignore PCI.
If my client information is stored in the cloud, the liability rests with the cloud provider, right?
Not exactly. It would be in the insured's best interest to carefully review those contracts with their legal counsel. Even if the risk is mitigated, the liability may still fall on the shoulders of the insured.
What industries traditionally buy, and what industries are newly buying?
Currently the heaviest users of liability insurance are in the banking, healthcare, and technology fields. New purchasers are businesses of all sizes and industries, including governments, schools, and manufacturers.
What is the average cost of a data breach?
The average cost of a data breach continues to fluctuate, but reputable cyber security and information sources peg the average breach at roughly $188,000. The bigger the company, the bigger the costs. Also, the more sensitive data the company collects (regardless of the size of company), the higher the costs.
What does Cyber Crime/Deception cover?
Cyber Crime/Deception contemplates the following scenario: a hacker disguises themselves as a vendor, client, or employee and tricks the Insured's employee into transferring funds to the hacker's account. This deception can be perpetrated through phishing, spearphishing, and other tricks perpetrated through email, text message, instant message, telephone, or other electronic means.
What is considered a record? What if I have multiple files for the same person in my possession? Do you require the total number of records or just the number of individuals?
Non-public individually identifiable information, as defined in any federal, state, local, or foreign statute, rule or regulation, may include but is not limited to unsecured protected health information, social security number, individual tax ID number, driver's license number or state ID, passport number, financial account number or credit or debit card number. We would like to know the total number of pieces of individual information an insured possesses. If multiple pieces of information for the same individual are stored within the insured's network or on the insured's premises, we would like details on the retention and duplication procedures in place.
How much does the coverage cost?
It depends on size and exposure. A $1M policy could cost as little as $1,000.
Do privacy policies matter for websites?
Yes, because they are in many ways constructively a contract with your customers. More importantly, if you do not disclose your data privacy procedures and who you share others' data with, you could be in violation of several privacy related laws.
What is the difference between regulatory defense and the regulatory compensatory award?
The regulatory action defense addresses claims brought by a regulatory body, such as the Office of Civil Rights for HIPAA violations. If a breach does indeed occur, the regulatory body will set up something that acts a lot like a trust for the affected individuals of the violation. In practice, if individuals' data was breached and an entity violated HIPAA, the OCR will levy a fine for their violation. The fine will be paid directly to the OCR, and will not address "victim" compensation. The OCR will then set up a trust-like fund for the medical group to pay into that will be distributed to those individuals for their "damages."
Generally, what regulations are companies subject to?
For payment card data, PCI DSS. For healthcare data, HIPAA. These, in addition to social security numbers, financial records, etc., are also subject to state and federal regulations.
Why is PCI compliance important? What happens if I'm not PCI compliant?
Outside of the specific fines and penalties levied by the card brands, a non-compliant business would open themselves up to various third party suits from angry consumers whose information was breached.
My POS vendor says they're PCI compliant. That makes me compliant, right?
Not necessarily; most merchants have some exposure. The only way to totally eliminate the need to become PCI compliant is through full outsourcing of your entire payment handling process. In most cases the processing uses at least some of your network infrastructure. This subjects merchants to the standard of PCI compliance.
What is the difference between a PCI fine and an assessment?
The payment brands (Visa, Mastercard, etc.) may, at their discretion, fine $5,000 to $100,000 per month for PCI compliance violations. These amounts are intended to be punitive in nature and don't address indemnifying the banks for their losses resulting from a payment card breach. PCI Assessments are liabilities and costs detailed in a Merchant Services or Payment Processing Agreement, which may include costs associated with card reissuance and fraudulent charges experienced post-breach.
What is the difference between first party and third party coverage and when is each important?
First party coverage includes costs incurred by the insured, such as notifications sent out to each individual, computer forensic specialists hired to figure out how the breach occurred, remediation, business interruption, etc. Third party costs may include class action suits, and other claims brought by those outside the company.
What is considered confidential corporate information if you exclude trade secrets?
Confidential corporate information would refer to information that, if disclosed, may harm the business. This may include sales and marketing plans, product plans, notes associated with various designs and inventions, customer and supplier information, financial information, etc., that is non-public in nature.
What coverage should I consider?
First and third party coverage. This includes costs for notification, forensics, regulatory fines and penalties, PR consultants, third party suits, etc.
What limits should I consider?
That depends on the company's size and exposure. The larger the company and the more sensitive data they hold, the higher the limits.
What is "Per Person" coverage?
Rather than setting a dollar value to notification and credit monitoring costs, the insurer sets a maximum number of individuals they would cover for these costs (no dollar value set).
Does a cyber insurance policy cover the direct loss of funds?
Most cyber insurance policies are crafted to cover the loss of information, not money (directly). At Hiscox, we can cover certain perils via endorsement to respond to these exposures. Our Cyber Crime/Deception offering is built for "data" events where banking credentials are stolen and utilized to transfer uninsured funds from a corporate bank account or other institution. Other coverage is also evolving to respond to instances where hackers trick employees into voluntarily releasing funds on behalf of the organization, but the funds are sent to the hacker due to a spoofed invoice or other method of deception.
Does the policy cover 'social engineering'?
Social engineering can be defined as an attempt to obtain otherwise secure data by conning an individual into revealing secure information. Victims of social engineering attacks are typically vulnerable due to the innate desire to trust other people and be helpful. Most insurance policies cover the loss of data regardless of how it is obtained, though the policy wording should always be checked.
Does the policy cover a rogue employee event?
Most insurance policies cover the loss of data regardless of how it is exposed. With that said, certain policies may exclude rogue employee events. Under the Hiscox suite of privacy insurance policies, a standard rogue employee event is covered subject to policy terms and conditions, but certain events involving executives of the organization may be excluded.
Does the policy cover paper records?
Most all privacy insurance policies cover paper records, but policy wording should always be reviewed. The Hiscox Privacy Protection insurance policy defines Personally Identifiable Information as information in any form, that is in your care, custody or control, or in the care, custody or control of any third party for whom you are legally liable. A breach of paper records would be covered by the standard Hiscox policy wording.
If paper records are destroyed, is coverage considered under the Hacker Damage module or does that consider the destruction of digital assets only?
Our Hacker Damage Module is triggered by a Hacker Damage Event whose definition includes "…data you hold electronically." Paper records would not be covered. These events include the malicious unauthorized access of a website, intranet, network, computer system, etc.
Is coverage worldwide? What does that mean? Must the suit be handled in a court in the USA?
We provide worldwide coverage, but our jurisdiction in claims handling is restricted to the United States courts.
Why does employee training matter?
A significant number of losses actually arise from employee negligence, whether it's leaving a laptop in a cab or plane, accidentally emailing PII to the wrong email address, or simply verbally disclosing private information about individuals in a public setting. Employees must learn to treat such information with discretion and care.
Why do merchant service agreements matter?
The agreements you sign with payment processors will often pass through liability owed to banks in the event of a payment card breach. The fine print may have you agreeing to much more than you think.
What is encryption?
It's the process of encoding information in such a way that only authorized parties can read it. Encryption is very important in evaluating a company's risk and exposure, since a breach of encrypted data is significantly less costly than a breach of unencrypted data. Encryption is a safeguard in many cases with regard to privacy protection law obligations.
Our laptops are password protected. Isn't this enough? Does that mean they're encrypted?
No. Encryption is the process of scrambling the actual data on a hard drive so that it is unusable unless accessed with an encryption key. Only password protecting a laptop simply means a hacker can bypass the password to access intact data that hasn't been encrypted.
What is the difference between encryption and password protection? How does my company encrypt data?
Encryption is a method of encoding messages or data with coded strings of symbols. It is commonly used to secure online banking sessions and protect credit card data. When you bank online, a 'lock' icon routinely appears in the address bar, which means the browser session is encrypted by the bank. Often on mobile devices, passwords are used to enable encryption. Apple has started encrypting personal data on the latest operating system, iOS 8, if the correct settings are enabled. A number of vendors offer encryption of corporate data, and insureds should consult their risk manager for further information on how to implement this additional security protocol.
What are your value added services?
We have partnerships with BreachProtection.com and the eRisk Hub, all complimentary to our insureds. BreachProtection.com provides comprehensive risk management policies, procedures, training, and other tools for pre-breach insureds. This includes online compliance material, email updates, procedures and sample forms, workforce training, data breach response plans, and full phone support. Our eRisk Hub, powered by NetDiligence, provides breach response resources and tools to help our insureds understand the exposures, establish a breach response plan, and minimize the effects of a data breach on the organization. They include a Breach Coach and a Breach Response Team as well.