Many data privacy and security conversations these days inevitably lead to discussions about cyberliability insurance policies. What kind? How much? Is what we have enough? Being relatively new, many cyberliability policies remain highly negotiable, although increased standardization of terms is occurring; however, coverage determinations by Courts are few, leaving clients in a somewhat precarious or uncertain position. Until Courts are presented with opportunities to provide additional coverage guidance, clients are left to their own devices to negotiate the terms and conditions of their cyberliability coverages. The prevalence of security incidents is bound to increase, so insuring against data breach risk will remain an important risk management tool. Here are a few items to watch out for when procuring cyberliability coverage.
- Amount of Coverage
Quite literally, the million-dollar threshold question is: how much coverage do I need? While there are many types of data breaches, breaches of protected health information are the most costly. According to a 2016 IBM-sponsored study conducted by the Ponemon Institute, the average cost of a data breach for health care organizations was $355 per record. This number can be used as a starting point in determining the amounts and types of coverage a company may need to protect itself from a data breach.
- Inception Dates—Retroactivity
For first-time purchasers of cyberliability coverage, retroactive dates are crucial. Oftentimes the retroactive date is set as the date the policy is procured, or the inception date. This could create a problem because any claims arising out of events that occurred prior to the inception date would not be covered under the policy. While this start-date dilemma will “right size” itself as the company continues to renew coverage, it remains a crucial issue when first procuring cyberliability coverage.