The laws governing the protection of private information have changed.

Businesses that have personally-identifiable information in their possession now have the legal duty to disclose any suspected breach, and there are now fines and penalties for not reporting a breach. The business must notify any person who may have been affected and the Attorney General. In addition, the business faces potential lawsuits from those affected.

Under most State statutes, personally-identifiable information can include:

1. Social Security number;
2. Driver’s license number or state identification card number; or
3. Credit or debit card numbers, account numbers, or any combination of information that would permit access to an individual’s financial account.

Most General Liability policies specifically exclude the ramifications of losses of data. In fact, it does not matter whether the business loses a flash drive, a laptop, or even paper; the personal information is considered breached and is not covered by most liability policies unless a specific “Cyber Breach” endorsement is added, and such endorsements often carry limited protection. Only network security and privacy liability policies are designed to cover the risk of lost or stolen information.

What can Data Breach/Cyber Cover?

• Notification Costs
• Credit Protection
• Hacker Damage
• Forensic Costs
• Crisis Management Expenses
• Regulatory Actions
• Business Interruption
• Cyber Extortion
• Multimedia Liability

The widespread number of successful attacks against even the best run organizations have evidenced the vulnerabilities every business faces.

Example Breach #1

An employee forgot their thumb drive containing client information at a café.
Number of records: 700
Estimated costs at $194 per record = $135,800

Example Breach #2

A laptop with employee information is stolen out of a parked car.
Number of records: 4,300
Estimated costs at $194 per record = $834,200