Quickly emerging as the new-product darling of the Property and Casualty insurance industry is Cyber Liability insurance. Although the Sony PlayStation Network (PSN) incident is the most notable recent hack of customer data, the Privacy Rights Clearinghouse (PRC) catalogs 2,451 data breaches made public since 2005 exposing 598,410,625 customer or employee records to unauthorized users.

The Clearinghouse is particularly useful because it makes available not just hacking information but a taxonomy of breach types that can help organizations identify the exposures they need to pay particular attention to.

Insurance response to this taxonomy is varied, with some breach types covered by traditional insurance, e.g. credit card fraud (CARD) or the disclosure of information by someone with legitimate access to the information (INSIDER), while others are the subject of a relatively new and rapidly evolving insurance coverage type often lumped under the rubric of "Cyber Risk". The traditional insurance responses are certainly evolving as well; witness the Hartford Insurance Company Employee Data Privacy Liability Endorsement, which can be made part of at least their Private Choice Encore! policy.

Insurance products appear to fall into two major "buckets", Network Security and Privacy, which can provide first-party and third-party coverage. Also critical to any Cyber Risk policy is the provision of crisis management services and generous limits of liability available to respond to violations of privacy regulations, including notification and credit monitoring. A summary of state security breach laws can be found here.

Network Security concerns itself with liability to a third party for the destruction, deletion or corruption of their data caused by the failure of an organization's network security to protect such third-party data. This concerns not just third-party data that an organization might have on its servers but also (and more prominently) the potential introduction of a virus or other malicious code in the exchange of data between two organizations through the simple commercial internet access each has to the other's data.

Privacy Liability gets the most press since it deals with the liability to third parties as a result of the organization's failure to properly safeguard personally identifiable information or to safeguard information that is protected under a nondisclosure agreement. It is in Privacy Liability instances that the crisis management benefit of any policy comes into play. No matter how experienced an organization's in-house public relations staff is, they may never have had to deal with the media crush that attends any well-known organization's loss of customer or employee personal information. Crisis management provides not only money but also services for the purposes of, ultimately, safeguarding the reputation of the organization through public relations activities.