Cyber Liability Insurance is still relatively new, yet data breaches have been happening for a long time: the first breach to get more than 1 million records was in 2005. It’s crazy to think the Sony PlayStation data breach took place 8 years ago, and that’s the first time most people really found out about breaches. Sony was such a huge, headline-making story! Someone broke in and stole 77 million user accounts, including credit card data, from a huge international company. That was almost unthinkable at the time. Who could do such a thing? HOW could they do such a thing? And, for people like me, how does insurance respond??
Here are some basic numbers:
The average cost of a single data breach, globally, is $3.86 million
The average cost of each lost or stolen client record, globally, is $148
Notification costs after a breach for a US organization are $740,000
The cost of lost business for a US organization is $4.2 million
Okay, let’s stop a minute and think about those numbers. If you’re a small business with 1,000 clients and someone hacks into your system, that’s roughly $1,000,000 including notification costs. And small business owners, don’t think this won’t happen to you: 58% of data breach victims are small businesses. So in reality small businesses have more data breaches than large companies. And your 1,000 stolen client files are going to cost you just about $1 million by the time you’re done paying off all the fees and charges. In 36% of the cases, stealing a name and a birthday or a name and a home address is all it took to be considered compromised data. That’s it. That’s enough to be considered a breach, to call the federal and state authorities, notify clients, and start down the fun path that is containment.
Last week one of my employees received an email from Jarrett, one of our owners. “Jarrett” emailed to say he was in a meeting and could the employee please buy some electronic gift cards and email the gift card info to him. Our employee knew something was off and immediately notified me. Sure enough, someone was tracking Jarrett’s emails. The hacker didn’t get into our client files because the client files are too well protected. They did duplicate his email signature, made it look and sound like an email he would send, and hoped that they’d get away with fifty $50 gift cards. That’s small potatoes compared to the company that put a skimmer into our client’s credit card machine and stole every credit card number that ran through their pizzeria for 60 days.
The new trend is for insurance policies to throw in $50,000 of coverage for data liability or cyber liability or data breach. (Those phrases all mean the same thing.) I hope you can now see that $50,000 of insurance is clearly not enough. Cedar Risk Management has a Cyber Liability insurance policy to cover us if anything happens to your information. We’ve been around for 48 years, and we have a lot of individual client accounts and a lot of client data. Our policy is about $1,500 this year and includes so much: notification costs, regulatory costs, forensics, communication, crime, loss of income, hardware replacement.