If you’re like many business owners these days, you know that insurance is a key component to surviving the financial and reputational fallout that can accompany a loss. Still, there seems to be some lingering misunderstanding about which insurance policy offers what protection. For example, one business found itself in legal quicksand when it tried to use a general liability policy to cover the legal costs of a data breach. They were unaware that only a cyber liability policy can cover data breach expenses when a virus or hacker causes the breach. To help you clear up the confusion once and for all, let’s explore the difference between general liability and cyber liability policies and go over tips for ensuring your small business has adequate data breach coverage.
General Liability Insurance vs. Cyber Liability Insurance
Almost all companies currently have some form of general liability (GL) coverage, which usually includes the following:
- Bodily injury – If someone slips and falls on your business’s property, you can be sued for damages. Many GL policies can also cover the injured person’s medical expenses before the accident becomes a lawsuit.
- Property damage – If your business damages or loses someone’s property, your policy can help pay for the legal or replacement costs.
- Advertising injury – This is one aspect of the GL coverage form that has adapted with the times. It can be applied to defamation lawsuits that originate on social media. It can also help your business if it’s sued over copyright issues.
These three areas can hypothetically address certain cyber exposures, but the reality is that they do not. For instance, that second bullet point – the coverage for a third party’s damaged property – spurs a lot of confusion, especially when it comes to data breach. It makes sense that one would think of client data as client property. It’s their information, after all. But insurance companies typically exclude data breach coverage from their GL policies due to significant differences in the risk. They therefore specify that they cover damage to a third party’s tangible property only, excluding electronic data (i.e., information, facts, or programs stored, created, used, or transmitted to or from computer software), which is considered intangible property.
The first step in addressing this gap in coverage happened before the widespread use of the internet. At that time, the only types of businesses that had so-called cyber exposures were technology firms: companies that were actually in the business of writing software, managing networks, etc. In order to address this exposure, these companies purchased professional liability insurance, also known as errors & omissions insurance (E&O), which covered such things as bad software bringing down a customer’s network, unauthorized access to a client’s system, destruction of data, and a virus impacting another company’s system. However, with the growth of the internet, most non-tech companies also became exposed to cyber risks, but only in certain areas. These companies didn’t need full-blown E&O, but instead wanted some type of stand-alone protection that would address their particular exposures. Enter cyber liability insurance.
Cyber liability insurance today is typically classified into four components:
- Errors & Omissions – a third-party form, covering negligence or errors in your product or in the performance of your services (including an indirect breach in customer data)
- Network Security – both a first-party and third-party form, covering unauthorized access, transmission of virus or malicious code, theft/destruction of data (GL will sometimes cover physical damage of data), cyber extortion, and business interruption
- Privacy – also both a first-party and third-party form, covering data exposed by a hacker, lost device, rogue employee, and failure to destroy physical records
- Media Liability – a third-party form, covering infringement of intellectual property, and advertising/personal injury (the GL version of advertising injury only covers activities performed by you on your own behalf, not activities on the behalf of others)
Depending on the nature of your business, you have the option of selecting the specific cyber liability components you need as part of your overall insurance program.
There are a few key items that are currently not covered in cyber liability policies. These include reputational harm and loss of future revenue (e.g., sales are down due to customers staying away after a data breach); however, topics such as these are currently being addressed by the insurance industry as policy forms continue to evolve. Just remember that data breaches and security failures happen all the time, but only cyber liability insurance can protect you against cyber attacks.
Nick Chapekis, CIC, CRM