In today’s business world, virtually all data and personal or corporate information is managed and stored electronically. Whether it be profiles of employees, credit card information, sensitive demographic information about customers, internal information on budgets, customer lists, or personal health information, companies of any size face very real liability issues if this data is stolen or manipulated, or falls into the wrong hands and enters the public domain.
More and more, we hear on the news and read in our local newspapers stories about cyber crime, including lost, stolen and hacked personal information and records. Many of these stories concern compromised credit card records, stolen computer equipment containing sensitive company or customer / patient information, employees who have downloaded copies of confidential records prior to leaving the company, and organisations that face ransom demands after having their systems locked down via denial-of-service attacks.
The potential risk of data breach and cyber crime for any company, large or small, is ever increasing. Smaller organisations are perceived to be an easier target for cyber crime and hacking, as their IT security measures are likely to be less robust. While the recovery of data and replacement of equipment is a costly exercise in itself, such an event can also lead to the organisation facing regulatory investigation, civil fines and penalties, as well as litigation.
Many traditional liability insurance policies, such as Management Liability or Professional Indemnity policies, fall short of indemnifying many of the technological cyber crime risks being faced by businesses today. As such, a standalone cyber crime policy is the best way to combat this risk and potential liability.
It is likely that the legislative responsibility for a business to protect personal or sensitive data in Australia will follow the changes that have occurred in international business environments, with huge financial penalties and mandatory / enforced ongoing data monitoring if a breach occurs. Organisations should source a policy and indemnity level that addresses and reflects the full range of issues that relate to cyber crime rather than opting for the ‘something is better than nothing’ approach.
Not all policies are alike. The list below describes many of the issues that surround cyber crime. A quality policy should address each liability or circumstance.
Personal Data Liability – A breach concerning personal information and data protection
Corporate Data Liability – Breach of corporate information
Outsourcing – Breach of data protection by an outsourced provider where the policyholder is legally liable
Data Security – Damage resulting from any breach of duty that ends in:
- malicious contamination
- denial of access attacks
- theft of an access code to a computer system
- destruction/corruption, modification, damage or deletion of data
- physical theft of hardware
Data disclosure due to a breach of data security
Defence Costs in respect of any litigation brought by a data protection authority
Data Administrative Investigations – costs and expenses for legal advice and representation in connection with a formal investigation by data protection or other authority
Fines – Insurable fines and penalties imposed by a government authority, data protection or regulatory authority for a breach of data protection laws or regulations
Notification and Monitoring Costs – costs and expenses incurred by the insured for legally required and/or voluntary disclosure to data subjects, if required
Reputational Repair of the Company and Individual – Reimbursement of costs incurred in relation to reputational damage due to a claim covered by this policy
Media Content that results in an infringement; plagiarism, piracy or misappropriation or theft of ideas; libel or slander committed without malice; or an intrusion, invasion
Cyber Extortion – extortion loss incurred as a result of a security threat
Network Interruption Insurance – Loss of net income (net profit or loss before income taxes) that would have been earned if not for a security failure / breach.