Understanding Data Breach vs. Cyber Liability Insurance

What’s the difference between cyber insurance and data breach insurance? 

Cyber insurance and data breach insurance are distinctly different types of business insurance. If your business suffers a data breach, both insurance types will cover the primary financial interest (also known as first-party coverage) related to the exposed data. However, only cyber insurance will provide legal protection, referred to as third-party coverage. 

In other words, data breach insurance covers the costs directly attributed to a data breach, such as lost revenue and credit monitoring. In contrast, cyber insurance also pays attorney’s fees and any regulatory fines.

Data breach insurance will also cover losses that don’t involve a computer. For example, if someone infiltrates the records room of a doctor’s office and obtains protected health information (PHI), they’d want data breach insurance. Data breach insurance would cover losses stemming from this noncomputer-related breach. Many cyber liability insurance policies would not cover this breach because they focus on data loss or operations disruption due to electronic device interference or damage. 

Let’s break down each insurance type and its parameters: 

Cyber insurance is best for: 

• Cyberattacks affecting computer equipment
• Business interruption costs caused by cyberattacks

Data breach insurance is best for:

• Incidences of unauthorized access or exposure of sensitive data, including physical theft of information not stored on computing devices

What is cyber liability insurance?

Cyber liability insurance is a commercial insurance policy that provides financial protection from losses due to cyberattacks or other tech-related risks. In a cyberattack, cybercriminals can leak, destroy or hold data for ransom. Cyber liability insurance will help you respond to the attack to recover from the loss with the lowest possible impact.

Your cyber insurance policy provides first-party and third-party coverage, meaning it covers direct losses and third-party expenses of claims made against you because of the data exposure. 

What does cyber liability insurance cover?

Cyber liability insurance covers two primary elements: first-party claims and third-party claims. It covers losses associated with PHI and personally identifiable information (PII) hacks, as well as business interruption caused by nefarious parties.

These are some of the first-party claims cyber insurance covers:

• Investigatory costs
• Repairs to damaged or lost equipment
• Lost revenue
• Consumer notification costs
• Consumer credit-monitoring costs
• Ransom paid to a hacker to restore files

These are some of the third-party claims covered by cyber insurance:

• Legal fees
• Settlements and court judgments
• Incurred regulatory fines

Example of a cyber insurance claim

Let’s say an accounting firm with a database of 2,000 clients is attacked with ransomware as part of a cyber extortion attempt. The hijackers block access to the site until the firm pays a $100,000 ransom. The accounting firm files a claim with its insurance carrier. The insurance carrier decides whether to pay the ransom or not. If it decides not to pay the ransom, the insurer will pay network recovery costs and other costs related to lost income due to the attack. 

What is data breach insurance?

Data breach insurance covers breach-related costs that specifically focus on whether PHI or PII has been viewed or obtained by someone who shouldn’t have access to it. 

Information can be exposed in many ways, either on purpose or by accident. For example, someone hacks the system to intentionally steal data, or an employee forgets to put a file away, exposing information to someone who visits their desk.

What does data breach insurance cover?

Data breach insurance covers first-party losses for a company that inadvertently allows PHI or PII to fall into the wrong hands. This loss could result from hacker attacks, physical theft, the loss of a laptop or other device, or information leaks. A data breach could also be caused by employees who abuse their privileges and purposely share, copy, and use data without proper authorization.

These are some first-party claims that data breach insurance covers:

• Consumer notification costs
• Consumer credit-monitoring costs
• Damage control from a public relations firm
• Extortion coverage

Example of a data breach claim 

Let’s say a medical office has a storage room with filing cabinets containing medical records. An individual posing as an electrical contractor for the building is given access to an electrical panel located in the storage room. They are left unattended and use the opportunity to take pictures of patient data records. 

In this case, the insurance carrier will cover the costs of notifying patients of a breach in recordkeeping and pay for the credit monitoring services of the affected patients.

What do cyber insurance and data breach insurance not cover?

Cyber liability and data breach insurance do not cover the following: 

• Bodily injury or property damage. When a business is liable for bodily injury or property damage, a general liability insurance policy will cover it.
• Employee harassment, discrimination or wrongful termination. Employment practices liability insurance would cover costs related to employee harassment, discrimination or wrongful termination. 
• Professional mistakes or omissions. Professional liability insurance covers mistakes made in the course of business. 

Should my business choose cyber or data breach insurance? 

When choosing business insurance, your business type will determine whether you should get cyber liability or data breach coverage. In some cases, you may need both policies to cover different risks.

For example, if your operations are set on a network that stores customer or proprietary data, you should get cyber liability insurance. This way, you’re protected if a cybercriminal infiltrates your network and steals data or shuts down your network and holds it for ransom. 

If you have large PHI and PII databases, you should have data breach insurance — especially if the data isn’t held on a network but instead is stored onsite or offsite in files. Medical practices and accounting firms are two examples of businesses that need data breach insurance. If your database is online, talk to your insurance carrier or business insurance broker to determine if cyber coverage is enough to protect you.

How much does cyber insurance or data breach insurance cost?

On average, you can expect to pay around $1,750 in premium costs for a year with $1 million in coverage. That’s usually with a deductible of around $2,500, although selecting a higher deductible will often reduce your premium costs.

However, business insurance costs are contingent on many factors, and every business is different. When providing a quote, the insurance carrier will want to know the following information about your business:

• How many customers you have
• What type of sensitive data you store
• Your overall revenue
• Your claims history

Your insurance carrier may also consider who has access to your data. A company with many employees or third-party contractors may be at a higher risk of cybercrime or data loss. The more people who can access your data, the greater the level of cyber risk your business faces. 

How can I prevent a data breach?

A robust insurance policy is essential when dealing with a data breach or cybercrime. However, preventing incidents is crucial. Take your data protection seriously to preserve your reputation in the community and protect your business. 

Consider implementing the following cybersecurity risk management practices:

• Keep files locked. Use locks on all physical file cabinets and desk drawers that store client data. Secure your storage rooms with locked doors and lock file containers to limit access to private and personal data.
• Update your antivirus software. Choose one of the best antivirus software solutions and continually monitor it for updates and patches. Current antivirus software can prevent hackers from accessing your systems.
• Train your employees. Hold regular training sessions with your employees on how to protect data. This training should include best practices for document access and storage, emails and passwords. Teach your employees how to identify phishing schemes that can lead to bad actors accessing data, and ensure passwords are complex and impossible to guess.
• Develop vendor protocols. Establish security protocols for third-party vendors and service technicians in your office. Limit their access to specific rooms, and never leave them alone near personal and private data.
• Create a disaster response plan. You may be unable to avoid every breach, no matter how hard you work. Develop a disaster preparedness plan to keep your business operational and respond to issues if you detect a breach, particularly if it results from a cyberattack.
• Have a backup. Work with an IT professional to develop backup databases and operational systems to access if you fall victim to a cyberattack. A backup won’t eliminate the need to notify your customers of a data breach, but it will allow you to continue operations with minimal interruption.
• Perform a cybersecurity risk assessment. Perform a cybersecurity risk assessment to identify equipment and data storage vulnerabilities to protect your business from costly intrusions.

Every business should work to minimize the risk of data breaches and cybercrime. In the event an attack occurs, the right insurance coverage will go a long way toward protecting your bottom line. 

Mark Fairlie contributed to this article.