The recent series of significant hacks of Marriott, Target, Anthem, Home Depot, and other businesses makes it clear that there is now another inevitable event to add to death and taxes, namely intrusions into businesses’ on-line databases of their customers’ personal information. These intrusions include ones by outside “vigilante” hackers who are simply trying to sell their services and who then try to incite the government or private plaintiffs to assert damage claims against the targeted businesses based on the exploited vulnerabilities. To counteract the inevitability of such intrusions, cyber-security providers and insurance companies are now considering offering a new product that would combine guarding against unwanted intrusions with guaranteed coverage for the cost of the inevitable hack. The product would basically warrant that there will be no damaging access to or release of on-line data, and would provide a specified but limited payment to compensate for any damages should an intrusion and/or release of data nonetheless occur.
Numerous insurance companies already offer some type of high-limit coverage for cyber intrusions, but these policies carry significant premiums and contain numerous exclusions for insureds’ failure to take proper precautions, as well as for various other issues, including losses incurred through a breach of contract. Several of these coverage exclusions seem to be headed to the Supreme Court for resolution. In the meantime, however, the combined product would provide three things: a service to guard against intrusions that is guaranteed to meet the coverage standards of the insurance company, correction of any incursion, and a limited payment if the implemented security safeguards are breached and the insured incurs third-party liability. There would be no need to worry about coverage under this type of policy, because the security provider is paying the guaranteed amount if there is an incursion and exposure of personal data. The security company would also remediate any gaps in the insured’s system security.
Most security incursions result in little actual documented out-of-pocket damage to the customers whose data is exposed, but the cost of defending lawsuits and implementing safeguards such as new credit and debit cards, new passports, and identity-theft monitoring provided to the customers whose data was subject to a breach can mount up quickly. The combined product would provide a fixed cost for guarding against a hack and an indemnity payment if one occurs, at what will presumably be a lower combined price than having security provided by one firm and insurance by another. There can also be better coordination between the security provider and the insurance provider to improve prevention and lower the cost of remediation. It will be interesting to see how these products, if implemented, roll out, and whether they can better prevent intrusions and lower the cost of putting everything back together and compensating the victims. Particularly for businesses that do not already have a security or cyber-insurance provider, these combined products may well be attractive and cost less than separate products. These products would also seem to be especially suited to the healthcare industry, where HIPAA provides even more stringent penalties for intrusions and improper protection of patient data.
If a business already has both a security provider and a cyber-insurance provider, it can compare the combined cost, as well as its experience in coordinating between the two, and decide whether to consider the combined product. But regardless of which product or products a business ultimately purchases, all businesses that store personal data should take reasonable precautions to protect that data and should purchase some type of cyber insurance, whether or not it is integrated with a security service.