Data Breach Protection
The Lawton Insurance Cyber Liability Division specializes in Cyber-insurance, also known as Data Breach Insurance. We believe that data is both the most valuable and most underinsured asset in our economy today. Data has become one of the most precious assets a business has, and the risks involved in holding and maintaining that data have increased exponentially.
Recent data breaches at highly tech-savvy companies underline the exposure that companies, no matter how well defended from cyber-attacks, face. While many companies have taken extensive steps to prevent data breaches, it has become clear that no matter what security they put in place, hacking and other malicious attacks can result in the release of sensitive information or damage to systems and data.
What do you do if customer data is breached and you are responsible for forensic IT costs, customer notification costs, credit monitoring and other expenses, even if the breach didn’t result in verifiable losses to your customers? What if one of your vendors’ files is breached? Will your policy cover you against the impact to your business of these expenses? Will it pay to defend your reputation in the wake of such a loss? Costs can easily rise into the millions. We specialize in protecting your data assets.
Cyber coverage is designed to protect a business from:
Liability associated with:
- Unauthorized release of confidential information
- Violation of a person’s rights to privacy
- Personal Injury in an electronic/social media environment
- Intellectual property infringement
- Violations of state and federal privacy laws
Types of breaches:
- Hacker Attacks/Unauthorized Access
- Virus/Malicious Code
- Denial of Service/e-Extortion (Ransomware)
- Physical Theft of Device/Media
- Accidental Release
- Employee/Vendor Error
- Rogue Employee
- Social Engineering
Frequently Asked Questions
What is Cyber Liability Insurance?
Cyber Liability is insurance coverage specifically designed to protect a business or organization from:
- Liability claims involving the unauthorized release of information for which the organization has a legal obligation to keep private or confidential
- Liability claims alleging invasion of privacy and/or copyright/trademark violations in a digital, online or social media environment
- Liability claims alleging failures of computer security that result in deletion/alteration of data, transmission of malicious code, denial of service, etc.
- Defense costs in State or Federal regulatory proceedings that involve violations of privacy law, and
- The provision of expert resources and monetary reimbursement to the Insured for the out-of-pocket (1st Party) expenses associated with the appropriate handling of the types of incidents listed above.
The term “Cyber” implies coverage only for incidents that involve electronic hacking or online activities, when in fact this product is much broader, covering private data and communications in many different formats – paper, digital or otherwise.
What does Privacy Liability cover?
The Privacy Liability insuring agreement in our policy goes beyond the liability protection against the unauthorized release of Personally Identifiable Information (PII), Protected Health Information (PHI), and corporate confidential information that most popular “Data Breach” policies provide.
Rather, our policy provides true “Privacy” protection in that the definition of Privacy Breach includes violations of any rights to privacy (e.g., person’s right of publicity or disclosure of private information).
Because information lost in every data breach may not fit State or Federal-specific definitions of PII or PHI, our policy helps to fill these potentially costly gaps.
What does Privacy Regulatory Claims Coverage cover?
The Privacy Regulatory Claims Coverage insuring agreement provides coverage for both legal defense and the resulting fines/penalties emanating from a regulatory claim made against the Insured, alleging a privacy breach or a violation of a Federal, State, local or foreign statute or regulation with respect to privacy regulations.
What does Security Breach Response Coverage cover?
This 1st Party coverage reimburses an Insured for costs incurred in the event of a security breach of personal, non-public information of their customers or employees. These costs include:
- The hiring of a public relations consultant to help avert or mitigate damage to the Insured’s brand
- IT forensics, customer notification and 1st Party legal expenses to determine the Insured’s obligations under applicable Privacy Regulations
- Credit monitoring expenses for affected customers
Our policy can extend coverage even in instances where there is no legal duty to notify if the Insured feels that doing so will mitigate potential brand damage (such voluntary notification requires prior written consent).
What does Security Liability cover?
The Security Liability insuring agreement provides coverage for the Insured for allegations of a “Security Wrongful Act”, including:
- The inability of a third party, who is authorized to do so, to gain access to the Insured’s computer systems
- The failure to prevent unauthorized access to or use of a computer system, and/or the failure to prevent false communications such as “phishing” that results in corruption, deletion of or damage to electronic data, theft of data and denial of service attacks against websites or computer systems of a third party
- The Insured’s failure to prevent transmission of malicious code from their computer system to a third party’s computer system
What does Multimedia Liability cover?
The Multimedia Liability insuring agreement provides coverage against allegations that include:
- Emotional distress
- Invasion of the right to privacy
- Copyright and other forms of intellectual property infringement (patent excluded) in the course of the Insured’s communication of media content in electronic (website, social media, etc.) or non-electronic forms
What does Cyber Extortion cover?
The Cyber Extortion insuring agreement provides expense and payments to a harmful third party to avert potential damage threatened against the Insured, such as:
- The introduction of malicious code
- System interruption
- Data corruption or destruction, or dissemination of personal or confidential corporate information
What does Business Income and Digital Asset Restoration cover?
The Business Income and Digital Asset Restoration insuring agreement provides for lost earnings and expenses incurred because of a security compromise that leads to the failure or disruption of a computer system, or an authorized third party’s inability to access a computer system. Restoration costs to restore or recreate digital (not hardware) assets to their pre-loss state are provided for as well.
What’s more, the definition of Computer System is broadened to include not only systems under the Insured’s direct control, but also systems under the control of a Service Provider with whom the Insured contracts to hold or process their digital assets.
What is “PCI-DSS Assessment” coverage?
The Payment Card Industry Data Security Standard (PCI-DSS) was established in 2006 through a collaboration of the major credit card brands as a means of bringing standardized security best practices for the secure processing of credit card transactions.
Merchants and service providers must adhere to certain goals and requirements in order to be “PCI Compliant,” and a breach of those terms may, under specific agreements, subject an Insured to an “assessment.”
The Cyber and Privacy Liability Policy responds to PCI assessments as well as claims expenses in the wake of a breach involving cardholder information.
Isn’t this already covered under most business insurance plans?
The short answer is “No”.
While liability coverage for data breach and privacy claims has been found in limited instances through General Liability, Commercial Crime and some D&O policies, these forms were not intended to respond to the modern threats posed in today’s 24/7 information environment.
Where coverage has been afforded in the past, carriers (and the ISO) are taking great measures to include exclusionary language in form updates that make clear their intentions of not covering these threats.
Additionally, even if coverage can be found in rare instances through other policies, they lack the expert resources and critical 1st Party coverages that help mitigate the financial, operational and reputational damages a data breach can inflict on an organization.
If e-commerce functions such as payment processing or data storage are outsourced, is this coverage still needed?
The responsibility to notify customers of a data breach, and the legal liabilities associated with protecting customer data, remain with the Insured.
Generally speaking, business relationships exist between Insureds and their customers, not their customers and the back-office vendors the Insured uses to assist them in their operations.