Network World says that standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible. This is causing many firms to investigate cyber insurance.
The decision that data is not tangible goes back to a 2000 ruling by a U.S. District Court. The ruling arose from an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc.. In that case, the court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro (IM) had purchased from American Guarantee.
“After that, the insurance firms changed their policies to state that data is not considered tangible property,” Kevin Kalinich, national managing director for network risk at insurance vendor Aon Risk Solutions told Network World. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.
Buyers push back
The resulting complexity is a major source of push-back by potential buyers. According to Larry Ponemon, chairman of the Ponemon Institute, a research organization focused on information security and protection, “The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are,” Mr. Ponemon told Network World. “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want,” he adds.
Cyber insurance coverages available
Data breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center. They also cover credit monitoring, and credit restoration services for the victims, and other crisis management services. Ken Goldstein, vice president at insurer Chubb Group told Network World. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts,” he says.
Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach. It also covers fines from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action. While others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.
Cyber extortion coverage: For cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the cost of offering a reward leading to the arrest of the perpetrator, Goldstein says.
Virus liability: Pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policy holder’s system.
Content liability: Covers lawsuits filed by people angered over something posted on the Web site of the policyholder. Such coverage should also cover copyright claims and domain name disputes, Haase says.
Loss coverages
Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down. But Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses. “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later,” he says.
Loss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss. “Backup policies are not always effective, and accidents and sabotage happen,” Haase says.
Errors and omissions coverage: Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.
rb-
Seems that interest is growing in cyber insurance. I wrote about cyber insurance here.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
GigaOm has an article that documents the efforts by Schufa, the largest credit rating firm in Germany to mine data from the Facebook (FB), LinkedIn (LNKD), and Twitter accounts of its customers. David Meyer cites documents leaked to German media, that the firm whose slogan is “We Build Confidence” would use the information “to identify and evaluate opportunities for and threats to the company.”
I wrote about firms like RapLeaf mining social networks for employers and banks back in 2010. What is surprising to me and Mr. Meyer is that this latest social network mining operation comes out of Europe and especially Germany, a country where most people are very conscious of data protection concerns. 
On the other hand users of Facebook and Foursquare happily tie their credit cards to these accounts, post status updates, and check in to places for the world to see. 
The 
