Here are a few factors that are making the data breach world tricky to insure:
Not many people in the industry, including insurance companies, understand the true risk a data breach poses to a company. There really isn't enough claims information to tell the industry much, and it changes daily, as does technology. There also doesn't seem to be enough case law, including class action suits, to give insurance companies an idea of their true exposure. Every business is different, and many of the breaches are different too, including loss from human error, wayward employees, processes, hacks, and theft. All of these make data breach risk harder to understand.
Insurance companies take on risk for dollars. Just like every other business out there, they want to make good investments. Insurance companies make money from underwriting profit (the premium left over after expenses and claims payouts), as well as from other investments (after setting money aside to pay claims, they invest money in other areas). There simply is not enough data to tell us what the data breach risks are, which industries are or are not being targeted, how to safeguard against a breach, and how to make enough money to take on the risk. The truth is that data breaches are moving too quickly to keep up with, which makes it really tough for insurance companies to understand them. Insurance companies are not known for being progressive either, so there is a culture change and a learning curve holding the insurance industry back.
Given the above, there is a standard insurance form for data breach insurance, but there are also standard exclusions that exist... of course, right? What has happened in the insurance marketplace is that insurance companies have also created their own insurance policies, with their own language. So insurance companies can either create their own forms or use the standard industry forms, called ISO forms. The trick is that not all insurance companies want to insure your company for certain types of data breach coverage... I told you it's tricky.
Below are some examples of standard exclusions that are available to insurance companies using the standard data breach liability form, and that they can use to trick out your data breach insurance policy. It's all insurance speak, but basically, if these exist on your policy, you may need a new policy or a second opinion. Of course, other situations apply. This reads straight from the Insurance Journal:
• CG 21 06 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Bodily Injury Exception) — excludes coverage, under Coverages A and B, for injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
The endorsement also provides that the exclusion will apply even if damages are claimed for notification costs, credit monitor expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by the named insured or others with respect to that which is subject to the exclusion. This endorsement also includes a limited bodily injury exception arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
• CG 21 07 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included) – which is very similar to CG 21 06 but does not include the bodily injury exception described above.
• CG 21 08 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information (Coverage B Only)) — exclusion with respect to any access to or disclosure of any person’s or organization’s confidential or personal information is limited to personal and advertising injury.
So hey, there are a ton of factors here as to why the data breach world is kind of complex to understand. The good news is we are all working together to develop it and protect it from breach. The bad news is the market is new and with new “stuff” comes the unknown.