Recently, an old friend of mine (who has been in the insurance industry for years) came to visit to talk about a relatively new insurance product he is handling. He explained that it can protect an organization from a breach of data security in which confidential information is accidentally disclosed. Sometimes referred to as data security or “cyber” insurance, this type of coverage has been around for about 10 years and is rapidly becoming a standard component of a commercial insurance portfolio.
Like virtually all organizations today, nonprofits frequently collect and store a variety of data, including personal and financial information about members that might have been obtained in connection with membership applications, dues, fundraising campaigns, educational programs and other activities. They also routinely collect health and personal information on employees, financial and other business information on vendors, and many other types of data.
Collection and storage of data can create liabilities and other risks if the security of the information is compromised as a result of a data breach, inadvertent disclosure (such as a lost laptop), or other data loss event. For example, 47 states now require organizations to notify impacted persons if there is a breach, a process that can be very costly. A 2011 study estimated that the average cost to U.S. businesses of notifying impacted persons of a data breach was $560,000. The organization may also be subject to liability if the data breach results in financial loss to persons or organizations. Standard commercial insurance products like Business Owners’ Policies (BOPs) and Commercial General Liability (CGL) policies generally do not cover these exposures. The CGL policy promulgated by the Insurance Services Office (ISO) and used by most standard commercial carriers, for example, now contains exclusions that make clear that the policy was never intended to address data-breach-related losses.
Cyber insurance policies will not only protect your organization if you are sued as a result of a data breach; more importantly, they will also cover many of the costs you will incur in responding to the breach. For example, the policies typically cover the costs of sending notification letters to impacted persons and the costs of hiring a forensic expert to determine the source of the breach. The insurer typically has relationships with key vendors that can help your organization navigate this process.
I know there are a number of insurers scattered around the country who are handling this product. I personally only know my friend here in Kansas City. If you have interest, please feel free to contact me and I will put you in touch.