By Joseph E. Guimera
While cyberattacks against large companies, such as Target, Home Depot and Experian, dominate the headlines, smaller companies also face computer liability risks. Most, if not all, businesses use email, text message or social media; provide products or services through a website; send or receive documents electronically; or store and use company, customer or employee data.
If the data you maintain is compromised, either through a cyberattack, or even through a lost or stolen laptop or smartphone, your business can be held liable. In addition to possible damages, restoring or repairing the data can be costly. Your business could be exposed to:
- Costs incurred by customers and third parties as a result of the incident.
- Costs in repairing or replacing computer systems or lost data.
- Loss resulting from your inability to remain operational while your system is down.
- Costs of notifying customers as required by your state’s notification requirements. Some states require notification even if a data breach is only suspected.
- Regulatory fines if your business has failed to meet state or federal compliance requirements.
- Damages and attorney’s fees from lawsuits, including class action lawsuits, if you have a large number of customers.
Traditional commercial general liability insurance policies exclude cyber risks from their terms. Damage to electronic data doesn’t qualify as property damage under a CGL policy. Also, most CGL policies contain a specific electronic data exclusion, which eliminates coverage for claims based on the loss, damage, corruption, or inability to use data.
Some standard business insurance policies, such as a Business Owners Policy (BOP), may provide limited coverage for certain types of cyber incidents. For example, if you lose electronic data as a result of a computer virus or hardware failure, the BOP insurance may pay recovery or replacement costs. However, for extended coverage for cyber liability risks, you will need a cyber liability policy customized for your business.
Cyber liability policies vary widely from one insurer to another. Some insurers have developed special policies for specific businesses such as healthcare providers or technology companies, while other insurers allow the customer to purchase only the coverage they need.
Many cyber liability policies cover both “first-party risks” and “third-party risks.” First-party risks are the losses suffered by the insured as a result of the cyber incident, including income lost and expenses incurred due to a full or partial shutdown of computer systems; the cost of restoring or reconstructing lost or damaged data; the cost of notifying affected customers as required by law and of providing credit monitoring to them; the cost of paying ransomware demands; and the cost of hiring legal, public relations and computer consultants.
Third-party risks include the business’s potential liability to clients or to governmental or regulatory entities, including lawsuits or claims from third parties resulting from the data breach and governmental fines.
Cyber liability insurance can be a great asset to a business trying to cope with, and respond to, a breach. Businesses should take the time to learn what coverage they have and what coverage they need to ensure they are adequately protected.