By John L. Lubatti of USI Insurance Services
It stands to reason that hardly anybody wants to spend money on yet another insurance policy, especially in today’s economy. Combine this with a healthy skepticism toward the insurance industry, born of its history of adding new exclusions to commonly purchased policies and then offering separate policy products to restore the coverage that the exclusions removed, and a business owner or manager can experience a natural tendency to look for reasons to discount the need for privacy liability coverage.
Possibly the most common misunderstanding about privacy liability is that a company not doing business over the Internet has nothing to fear. The reality is, however, that over a recent 5-year period, the largest category of data security breaches, at 22.4 percent, had to do with stolen or lost laptops containing personal data.
Another common misconception is that because a company does not possess customer personal data, it has nothing to fear. This fails to recognize, though, that all companies with employees possess employee personal data that can be compromised, stolen or lost.
Yet another belief is that only personal data in digital form can lead to privacy liability. In fact, personal data in any form, including old-fashioned paper, can trigger privacy liability when it is compromised, stolen or lost. Less common than those already mentioned, but still heard a lot, is: “My computers are not networked, so somebody can’t access one from another to steal personal data.”
Well, here is the bad news: an employee can steal the equivalent of a pickup bed full of paper containing personal data using a tiny flash drive.
So what happens when personal data in a company’s possession is compromised, stolen or lost, putting the individual or individuals in jeopardy?
Currently all states but Alabama, Kentucky, Missouri, New Mexico and South Dakota, as well as Washington D.C., require the company that had the personal data to notify in writing each and every affected individual. Many also require that the company offer a period of credit monitoring at its own cost.
While the majority of these states also exempt the notification and credit monitoring if the data was encrypted at the time it was compromised, stolen or lost, the exemption does not apply when an employee or outside contractor with encryption knowledge was involved.
The cost of notification plus credit monitoring is between $60 and $160 per affected person, according to some sources familiar with these activities. If you add the indirect costs of company personnel time and effort devoted to determining who was actually affected, the cost can rise to well over $300 per affected person.
Do the math and you will see that as few as 1,000 affected people can add up to tens or even hundreds of thousands of dollars.
None of this takes into account the possibility of banks serving affected people suing the company to recoup the cost of reissuing credit cards and debit cards. Nor does it include the cost of damage control when it comes to the company’s reputation.
Finally, if certain federal laws are violated in the course of the data security breach, substantial fines and other penalties could apply. The bottom line is that a company, especially one with liquidity and/or loan covenant challenges, could be put out of business by a major data security breach if it does not have the benefit of adequate privacy liability coverage.
If through reading this article you have developed a new appreciation for the potential value of privacy liability coverage, there is one more nugget of information you need to know: not all privacy liability coverages are created equal.
The extent to which a particular policy covers the varieties of data security breaches and the resulting costs to your company is not necessarily an easy thing to discern. It takes an agent or broker with extensive coverage knowledge and the keen ability to interpret policy language.
This article started with the comment that “hardly anybody wants to spend money on yet another insurance policy.” To that let’s now add: the most expensive insurance policy may very well be the one that was bought but ended up not covering what it was bought for in the first place.
John Lubatti is the Regional Marketing Manager for USI Insurance Services LLC, 757-625-1800.