What is data breach insurance?
Data breach insurance can refer to several policies that protect a company from financial losses as a result of a data breach. These policies include cyber liability insurance and technology errors and omissions insurance (tech E&O).
Why is data breach insurance important?
With security breaches all over the news, IT consultants are increasingly interested in how small business insurance can help them manage the financial risk from cyber threats.
This coverage is especially important because of the high cost of data breaches. According to IBM, the total cost of a data breach in 2022 was at an all-time high of $4.35 million.
Unsurprisingly, few small business owners can afford to pay that cost out of pocket, which is why IT professionals need insurance to reduce their financial risk from data breaches. Companies most commonly invest in cyber liability insurance, a data security policy that covers the cost of a data breach at their business.
Is data breach insurance a property or liability coverage?
While data breach insurance provides protection against lawsuits around a breach of PHI and PII, and cyber liability offers coverage against cybercriminals infiltrating your network for malicious reasons, there is an electronic data liability policy that covers you in the event of data loss when there’s physical damage to or loss of tangible property.
Who should consider data breach insurance coverage?
As small businesses often lack the means to fend off cybercriminals or minimize a breach, they are seen as attractive targets for data breaches, ransomware, and other cybercrimes.
There are three categories of small businesses that can benefit from data breach insurance:
1. Businesses that store customer data
Data breaches can affect any business that handles personally identifiable information (PII), such as online retailers and accounting firms. Examples of PII include credit card info, Social Security numbers, bank account information, or any other data that could be used to identify a person.
2. Companies that handle personal health information
This applies to businesses that operate in the healthcare industry, such as medical offices, chiropractors, and physical therapists. Their sensitive data might include birth dates, Social Security numbers, email addresses, and medical record numbers.
3. Any IT or technology business
Which type of data breach insurance do I need?
While data breach insurance can refer to any policy that protects against data breaches, it typically refers to cyber liability insurance. There are two different types of cyber liability insurance that address two different types of data breach risk: data breaches that happen to your tech company (first-party) and those that happen to your clients (third-party).
Data breach insurance usually refers to first-party cyber liability insurance, especially for companies outside of the IT industry. In this context, data breach insurance is typically an endorsement to your general liability insurance or business owner's policy (BOP), and it only protects against data breaches that affect your company directly.
First-party cyber liability insurance does not protect you against data breaches that happen at a client's business, which is why tech professionals should consider tech E&O instead. This tech-specific package includes the protection that all tech professionals need when handling sensitive data and working with clients.
What types of data breaches are covered?
Data breaches come in many shapes and sizes. The average person probably hears “data breach” and thinks of hackers. But there are many kinds of cyber incidents, including:
- Malware attacks
- Insider data breaches
- Data theft by employees
- Ransomware attacks
- Employee mistakes
- Phishing attacks
Cyber liability insurance covers both accidental data breaches and incidents where a hacker targets your business or a client.
Let’s explore the differences between first-party and third-party cyber liability insurance, and how to choose the coverage you need.
What is first-party cyber liability insurance?
First-party cyber liability insurance can cover many of the costs you’d have to pay if a breach occurred on your network. If your own data is compromised, this policy can help pay for:
- Customer notification
- Security experts to investigate the breach
- Call centers to handle customer questions
- Crisis management teams
- Anti-fraud protection for parties whose data has been compromised
Retailers and others with lots of stored or sensitive data are the businesses that benefit most from first-party coverage.
If you store customer data on your network (e.g., if you provide data mining or business intelligence services), you may also benefit from carrying first-party data breach insurance. That's because a breach of your network could result in steep costs associated with notifying clients, paying for credit monitoring services, and even paying state fines. First-party coverage offers funds to do exactly that.
What is third-party cyber liability insurance?
Third-party cyber liability insurance covers the costs of a lawsuit if a client’s data is compromised, and they claim that your professional oversight or error resulted in the breach.
Third-party cyber liability insurance is the popular choice among IT companies, who are usually most concerned with safeguarding their clients’ data, which is stored on their clients’ servers or somewhere in the cloud.
For instance, IT consultants typically don’t have a lot of data on their own network that needs protecting, so third-party cyber liability insurance makes the most sense. For many IT businesses, third-party coverage can be included in an errors and omissions insurance policy (tech E&O). When it's included, a data breach lawsuit can be treated like any other E&O lawsuit.
Let's look at an example of how third-party cyber liability insurance can help IT consultants manage the risk of client lawsuits:
Say you help a client update to a new ERP platform, but the software is hacked. The client sues you, claiming you didn’t configure it properly, and recommended software that wasn’t secure.
We all know that any lawsuit can be expensive, but in a data breach lawsuit, you might have to pay:
- Attorney's fees
- Court costs
- Judgment (if you lose in court)
Third-party cyber liability insurance can help cover these costs, and protect your business from the financial devastation a successful data breach lawsuit can have on your bottom line.
How much does data breach insurance cost?
As with most insurance policies, the cost for data breach insurance varies from business to business. However, it's quite affordable when considering the out-of-pocket cost of a data breach. There are three ways to incorporate data breach insurance into your risk management plan:
- Adding a data breach rider to your general liability policy is the least expensive option. It should only add a small amount to your general liability insurance premium, which costs an average of $42 per month.
- Purchasing a standalone cyber liability insurance policy, which costs TechInsurance customers an average of $145 per month.
- Bundling cyber coverage with E&O insurance, which averages to about $61 per month.
In addition to the type of coverage you buy, there are several factors that also affect your premium, like policy limits, the amount of sensitive data your company handles, business size and revenue, and your claims history.
More common questions about data breach insurance
What's the cost of a data breach should your company experience one?
Without the right insurance and risk measures taken, a data breach could do enormous financial damage to your business, as well as your reputation. In fact, IBM did a study and found that data breaches cost approximately $242 per stolen record. This cost could quickly add up, depending on how much customer information your company stores. A data breach insurance policy can cover all of these costs and get you back to business as usual.
The cost will depend on several factors, including:
- How many people were affected
- The cost of finding and fixing the cause of the breach
- Any cyber extortion demands
- How long your business was interrupted
- Lost business due to reputation damage
- Regulatory fines and penalties
What's not covered by data breach insurance?
In most cases, data breach insurance doesn't cover third-party data theft, which means your business isn't covered if you happen to cause someone else’s data to be breached. It only covers financial losses your business incurs when dealing with a cyberattack.
Additional data breach coverage exclusions are:
- Data loss caused by accidental damage. A data breach policy doesn't insure data lost from physical damage to a network or storage device. An electronic data liability policy expands your property damage coverage to include a loss of data caused by accidental damage.
- Data loss from natural occurrences. If sensitive data is lost because of a natural disaster, you'd need electronic data processing (EDP) insurance. This provides protection for data loss due to your equipment, such as computers and backup systems.
It's best to consult your insurance policy and read the fine print in detail to fully understand what your data breach insurance policy does and doesn't cover.
How much does cyber liability insurance cover if a data breach occurs?
A cyber liability insurance policy helps companies recover from cyberattacks and other data breaches by covering the cost of responding to, investigating, and cleaning up damage caused by an attack or breach.
Most small tech companies purchase a cyber liability insurance policy with a $1 million per occurrence limit, a $1 million aggregate limit, and a $2,500 deductible. If a data breach costs a business about $250 per client or customer record, this coverage limit will be high enough to protect any business that handles a few thousand records.
Cyber liability insurance policies have two limits, which typically range from $1 million to $5 million:
- Per-occurrence limit: While the policy is active, the insurer will pay up to this amount to cover any single claim.
- Aggregate limit: During the lifetime of the policy (usually one year), this is the maximum the insurer will pay to cover claims.