Posted on March 1, 2013
(Editor’s note: When high-profile companies disclose database breaches, what often goes overlooked in news coverage are the liability damages that can be associated with losing sensitive data. Large enterprises have legal staffs to pay attention to this. But many small and medium-sized businesses don’t have that luxury. In this guest commentary, Ethan Miller, an insurance attorney at Hogan Lovells, describes new cyber liability policies available to small businesses concerned about data thieves.)
By Ethan A. Miller
It seems that large cyber attacks against big corporations get the most media coverage. The costs of investigating and responding, and the resulting lawsuits and regulatory fines, can be staggering. The Ponemon Institute has estimated that response costs can be as high as $200 for each compromised record. It is not difficult to understand how total costs for a wide breach can quickly escalate well into the millions of dollars.
But smaller companies also face such losses. When these losses arise, the best friend a small company can have is a well-crafted cyber liability insurance policy. And, cyber liability insurance is often more appropriate for smaller businesses.
Large companies typically have the foresight and ability to manage cyber risk up front and the sophistication to deal with losses. For smaller businesses, this is not always so.
While cyber policies reimburse a business for the damages it must pay its customers, they do much more. A victim of a cyber loss must first investigate the cause, often with the use of IT forensic examiners. The company must then comply with required notices to potentially affected customers.
And of course once word is out about the loss, the victim must manage the negative media attention. Cyber insurance can defray expenses at each of these stages. For instance, cyber insurance may pay the costs of hiring a public relations firm to mitigate negative publicity following a breach.
Such insurance can also pay to retain law firms to determine an insured’s rights to indemnification under independent contractor agreements. Cyber insurance can even pay to monitor affected customers to ensure that they do not become victims of identity theft. Cyber insurance can cover the costs of paying regulatory fines and penalties. Given that there is no uniform regulation of data privacy protection worldwide, the task of negotiating fines with the myriad jurisdictions involved in a wide breach can be enormous.
Smaller businesses face more difficulties in absorbing these types of expenses than do large companies. Smaller companies do not always use robust social media procedures and policies for their employees. Yet in the cyber age businesses of all sizes are more often sued for defamation, unfair competition, breach of privacy and related claims arising from employee postings on social media. Cyber liability policies can be tailored to respond to this type of liability as well.
Similarly, small businesses may be less capable of weathering a shutdown of their business following a denial-of-service attack or even a data breach. And while larger companies may possess such a breadth of business that they can handle closing one aspect of that business, a smaller business may be significantly more dependent on any given line of business so that interrupting that line would effectively be a death blow. In addition to covering the response costs, a good cyber policy can cover lost revenue resulting from a business interruption.
Finally, some insurers will go so far as to counsel a company client on avoiding cyber liability in the first instance. This may run the gamut from ensuring adequate firewall protections to recommending appropriate social media protocols conditioning employees against inadvertent disparagement of a competitor’s product or defamation of a fellow employee. The advantages of avoiding a loss before it materializes are clear.
A good cyber liability insurer will partner with a small business in a start-to-finish management of liability — from counseling to claim response, to mitigation of business interruption to monitoring for breaches and payment of ultimate liability. For businesses without a sophisticated risk management department, this can prove to be invaluable.
A good cyber insurance policy may not be cost-prohibitive for small businesses. Depending on factors such as the size of revenues, the company’s international operations and the industry in which the company operates, the cost for such a policy may be as low as $3,000 annually.
Cyber and related liability policies are not a substitute for sound, proactive management of cyber liability risk. Small businesses must continue to develop and implement data protection protocols and to educate employees on the risks associated with social media. But when those protections and education fail (as they will from time to time), having the backstop of an integrated cyber liability policy may mean the difference between a headache and a death blow to the company.