You can't stop a client from suing your IT business over a phishing attack. But you can protect yourself with Cyber Liability Insurance.
"Every company that faces the real risk of cyber loss to either their own information and data or their client's information and data should look very seriously at cyber insurance," says
Jared De Jong, an associate at Payne & Fears (@PayneFearsLLP). "It should be one of the most important tools that a company uses to manage its risk."
Let's look at how Cyber Liability Insurance can protect your IT business against the high cost of a cyber lawsuit.
1. Cyber Liability Insurance Can Cover Claims Other Policies Can't
As we covered in "What Is Phishing and How Has It Evolved?," phishing scams only date back to 1995. That means it took some time for insurance companies to figure out how to respond to the threat that hackers pose to businesses. As a result, many insurers initially responded by simply excluding coverage for cybercrime altogether.
"In response to data breach claims being made, insurers started to put specific exclusions into their liability and property policies that closed the door on even the arguments that a lot of policyholders were making regarding cyber issues," says De Jong.
This meant that many claims made by IT consultants regarding phishing, data breaches, and other cyber liability issues were likely being denied. However, insurers recognized the need for a new kind of policy to address online threats. This led to the creation of Cyber Liability Insurance.
"Insurers still wanted to offer coverage for these risks, but they wanted to do it in a more targeted and specific way," says De Jong. "So insurers started to develop cyber policies. They usually offer both liability coverage for third-party claims, as well as first-party coverage for the company's own property or information."
As De Jong mentioned, first-party coverage refers to cyberattacks that hit your business, while third-party relates to a cyber issue that affects one of your clients. For most IT consultants, third-party coverage is the most important because it covers data breaches that impact your clients.
You may even already have cyber coverage. Third-party Cyber Liability Insurance is typically included in Errors & Omissions Insurance. Check with your insurance agent to make sure.
2. Your Insurer Picks Up the Tab for Your Legal Bills
When you have Cyber Liability Insurance, your insurance company can cover your legal expenses if a client sues you over a data breach.
"The real benefit of insurance is that the liability is shifted from the IT tech consultant to the insurance company," says De Jong. "That would include paying to defend a lawsuit, selecting counsel to defend the lawsuit, and either litigating that lawsuit to judgment or settling the lawsuit informally."
Even if an angry customer sues you for something you had no control over – like an employee clicking on a suspicious link – your Cyber Liability Insurance should be able to pay for resulting legal costs.
"The thing that's so important is insurance will respond to claims and lawsuits even if the claims are ultimately meritless," says De Jong. "It can give IT tech consultants peace of mind, which is one of the most important things you purchase when you purchase insurance."
A study [PDF] by Kaspersky Labs, an antivirus software and Internet security provider, found that the average small business data breach costs $38,000, with indirect recovery costs running an additional $8,000.
Being forced to cough up more than $40,000 for a data breach lawsuit could be devastating for a small IT firm. Without Cyber Liability Insurance, lawsuits like these could put many IT consultants out of business.
3. Cyber Liability Insurance Can Cover Data Breach Notification Costs
If either your IT business or your client is impacted by a data breach, you are required to notify anyone the breach affects.
"If the IT consultant or company experiences a data breach, they must act quickly to assess any damage or potential damage to customers' data," says
Cynthia Augello, a partner in the commercial litigation division of Cullen and Dykman. "Such companies should have a protocol in place to take steps necessary to notify customers and any state agencies required to mitigate any potential damage."
Roshan D. Shah, counsel at Scarinci Hollenbeck (@S_H_Law), adds, "The Federal Trade Commission is aggressive in ensuring that businesses that promise consumers that they will protect their information live up to their promises."
Most state laws may…
- Fine businesses that enable data breaches.
- Require businesses to notify people affected by the breach.
- Require businesses to notify regulatory boards.
Be sure to read "Data Breach Laws by State" to find the laws governing data breaches in your state.
First-party Cyber Liability Insurance can help cover notification costs if the breach happens on your systems. Your policy may also cover the cost to hire a public relations firm to handle damage control for your IT business.
"They [the insurance company] usually offer crisis and reputation management which is a significant boon to insureds," says De Jong. "So not only will they help pay for the defense of the claim if it's a liability, but they'll also respond with reputation and crisis help."
For more information on Cyber Liability Insurance, read "How Much Cyber Liability Insurance Is Enough?"
About the Contributors
Cynthia Augello is a partner in the commercial litigation department of Cullen and Dykman. She has represented clients of the firm in matters involving breach of contract, breach of fiduciary duty, whistleblowers, covenants not to compete, civil rights issues, sexual harassment, and discrimination based on disability, religion, race, and sex under the New York State Human Rights Law, the New York City Human Rights Law, Title VI, the Rehabilitation Act of 1973, and Title VII.
Jared De Jong is an associate at Payne & Fears LLP working in the insurance coverage group. Jared represents policyholders in insurance-related matters and works with clients in the construction, real estate, manufacturing, and financial services industries. He has experience with a variety of insurance products, including commercial general liability insurance, commercial property insurance, directors and officers liability insurance, employment practices liability insurance, errors and omissions liability insurance, title insurance, and other less-common coverage forms.
Roshan D. Shah, counsel at Scarinci Hollenbeck, is a distinguished litigator and trial attorney. Mr. Shah has successfully tried cases to juries in federal and state courts. He has extensive experience in all facets of litigation and in a variety of forums, including federal and state trial courts, the New Jersey Appellate Division, and the Third Circuit Court of Appeals, and administrative agencies. He has represented multinational corporations, federal defense contractors, health care providers, and public sector clients.