Given the increasingly digital landscape
of today’s economy, the most valuable asset for many businesses is their computer data. According to a 2015 study, the average cost of a data breach for small businesses is about $38,000 in hard costs and can total upwards of $55,000. Yet many businesses opt only for traditional property insurance policies. This could be a big problem for your client’s small business.
Traditional property insurance policies just don’t cut it when it comes to data breaches. That’s because most of them only cover loss or damage to tangible property on the insured’s premises. See, e.g., ISO Building and Personal Property Coverage Form (CP 00 10), Coverage A; ISO Businessowners Coverage Form (BP 00 03).
At least one California case has held that the loss of data, absent damage to the actual storage medium or computer itself, isn’t damage to tangible property. See Ward Gen. Ins. Servs. v Employers Fire Ins. Co. (2003) 114 CA4th 548. Similarly, data stored off-site (e.g., in remote laptops or in the cloud) would likely not be covered under traditional policies.
And even for those policies that do cover data loss, such coverage is often subject to severe limitations and exclusions. For example, the standard “Additional Coverage, Electronic Data” protection provided by the ISO Commercial Property and Businessowners policies is capped at $2,500 and $10,000 respectively, well short of the $38,000 average cost of a data breach.
So what are some better options?
E-commerce endorsements. Small businesses can buy an e-commerce endorsement for either their commercial property or business owners policies. See ISO forms CP 04 30 and BP 05 94. These forms provide coverage for electronic data that (1) is used in the “e-commerce” of the business; (2) originates and resides in the “coverage territory” (e.g., United States and its territories); (3) is owned by, or licensed or leased to, the insured; and (4) is damaged by a covered cause.
However, these endorsements still have a variety of exclusions, such as when data loss is caused by a virus (unless it occurs on an anti-virus protected computer) or when economic loss is caused by the unauthorized viewing, copying, or use of data, even if it qualifies as theft. They also don’t provide liability coverage for litigation costs incurred as a result of, e.g., the insured’s failure to protect private consumer information.
Specialized cyber insurance policies. To fill in these gaps, small business owners may want to consider specialized cyber insurance policies. These policies may offer first- or third-party coverage, or both, and can be tailored to meet the unique risks of each business. Although the breadth of these polices varies greatly, they commonly cover things like data and network restoration, funds transfer fraud, cyber extortion, and third-party privacy liability.
Although it’s impossible to protect your client from every emerging risk, it’s important to discuss the shortcomings of traditional policies and to consider whether additional coverage is needed. To learn more about cybersecurity and insurance, check out CEB’s California Property Insurance: Law and Litigation, chap 17; Financing and Protecting California Businesses, chap 11; and Internet Law and Practice in California, chap 20.
For a detailed discussion on the history, development, and future of cyber insurance, see Cyber Insurance: An Overview of an Evolving Coverage by Russel Cohen and Alison Roffi, published in the Fall 2015 issue of CEB’s California Business Law Practitioner.
Other CEBblog™ posts you may find useful:
- Analyzing Insurance Policies Step by Step
- 6 Ways to Help Clients Avoid a Data Breach
- Make These 4 Assumptions about Cybersecurity
© The Regents of the University of California, 2016. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.