As more and more information about Cyber Liability becomes available, it is apparent that any non-profit entity or social service organization may be at risk for data breach claims. Especially if the organization has:
• A computer network that links several offices
• Handles confidential information belonging to its members
• Collects and transmits personal identifiable information for any reasons
Why now than ever before?
• Because of our highly technological society
• AND traditional insurance policies (such as General Liability, Crime, and Management Liability) typically DO NOT provide protection against the risk of data breach. This is a huge problem!
Purchasing a Cyber Liability policy is a solution which provides coverage for both third parties (those whose personal information is hacked) and first parties (those whose systems are compromised by hackers).
Cyber policies can cover:
• Defense costs
• Coverage for fines or penalties levied in violation of HIPPA Laws
• Customer notification expense
• Customer support and credit monitoring
• Public relations, advertising and forensic expenses.
As for the organization who suffers the actual breach, they can purchase multi-media coverage, business interruption coverage, and coverage for extortion expenses. Additionally, risk management services are included to educate the purchaser regarding current privacy state and federal laws, compliance material, training tools and procedures all of which act to reduce the exposure to data breach and their resulting third party lawsuits.
Interestingly, coverage under Cyber Liability is not limited to a breach of an organizations computer files. Coverage is often extended to include paper files as well as portable devices such as blackberries, lap tops, Ipads as well as data that are in the custody of vendors, outsourcers or independent contractors.
What types of claims have been reported to date?
• An organization providing medical care and support services to people living with Cancer and related illnesses suffered a burglary at their office. An employee’s laptop was taken and contained client data such as names, dates of birth, client status, and other sensitive information;
• A public advocacy group’s website was hacked. As a result, the hackers actually published a data base consisting of the names, addresses, telephone numbers, email addresses, medical conditions, reports and other personal details gathered by the organization;
• An employee of a charity left an encrypted tape in his backpack. The backpack was stolen at gun point and personal information identifying the largest 100 donors over the past decade was confiscated along with their personal information;
• An employee of a “YMCA” was arrested for trying to sell names, addresses and social security numbers of residents to furnish information for the purposes of applying for phony credit cards under assumed names;
• An employee at a women’s shelter for victims of domestic violence was caught with a list of women seeking services through various agencies connected with the shelter. The employee was trying to post the current whereabouts of many of these women to an online site. Had she been successful, she would have compromised the safety of the shelter’s former inhabitants and their children.
……And the list goes on and on.
It just goes to show that you don’t have to be a major retailer to become the victim of a cyber attack. So it follows that you don’t have to be a major retailer to consider purchasing the coverage.
By Karen Skoler, CPCU