We previously discussed the new mandatory reporting requirements for data breach. The commencement of this section of PIPEDA legislature has far reaching and potentially costly repercussions.

Today, let’s discuss how a cyber insurance policy can provide coverage for the cost of notification to those impacted by a data breach.

Before we get into the coverage, let’s take a look at some statistics which will help us throughout this post.

Just like in other aspects of business, there are direct costs and indirect costs associated with a cyber breach.

Direct costs are easily quantifiable or tangible. The invoice is issued by the forensic investigator to determine the severity and the scope of the data breach, it is paid, and everyone moves on.

Indirect costs are much harder to quantify. Indirect costs are notification expenses and loss of goodwill.

The direct costs associated with a cyber breach in Canada average $107/record.

Indirect costs contribute $153/record in expenses.

If your policy which provides cyber breach coverage but excludes notification expense then you are not even covering your business for half of the potential cost of your claim!

How much coverage is provided by a cyber insurance policy?

Each policy can carry a varying limit of insurance. These limits can be provided in a package or can be determined individually.

Your policy coverage limit could be the number of impacted individuals or it could be a dollar amount.

If your policy provides coverage for reimbursement, those costs can quickly add up for your business. Though you are provided the freedom to notify your clients in your own way, reimbursement for expenses must be provided quickly. In this instance is it important to partner with an insurance broker who understands that you must be reimbursed quickly.

What happens if I need to notify more people than my policy provides coverage for?

If your policy provides coverage for 10,000 notified individuals then that should be the absolute maximum number of individuals that could possibly require notification.

Otherwise, your business would need to pay for notification of person number 10,001 and beyond.

It is also important to consider that 6,000 client records could quickly become 12,000 individuals. If your business has the personal information stored for families then each member of that family will need to be notified – individually.

When we are determining the number of notified individuals your business could impact by a data breach, we will need to count spouses and possibly children.

Alternatively, if your policy provides a dollar value for notification expenses then some math allows us to determine that a breach of 6,000 client records can climb to over $900,000.

What is the deductible for notification insurance?

There are two deductible options. Your policy may carry a standard deductible such as $1,000 or $5,000 for any claim. It is therefore reasonable that notification expense follows this deductible.

Rather than a dollar amount, the deductible for notification coverage may be the number of impacted persons. This number might be as low as 5 or as large as 1,000. It all depends on the policy which we set up specifically for your business

What other costs can be covered?

• The cost of notifying impacted individuals is unfortunately needed after the breach has occurred. Coverage can be provided to investigate the source and scope of a suspected data breach as well.

   

  These are costs which are incurred by you which you are not legally obligated to pay but could:

  • Effectively mitigate or avoid a data breach claim
  • Effectively mitigate damage to your brand or reputation

    If it is necessary to conduct an independent security audit of your computer systems.

• Credit monitoring services can also be provided. A negative impact on credit score can have a broad impact on the individual.

   

  With a credit monitoring service, action can be taken immediately to remedy the negative impact caused by a data breach for your clients.

• Regulatory fines are also insurable depending on the policy you carry. These regulatory fines are those as a result of a regulatory investigation initiated against your business.

Thank you for reading our article about cyber breach notification. These are costs and fines which can impact not only your bottom line through increased expenses but also divert human resources away from your business’s primary activities. It is so important for all businesses to carry a robust cyber insurance policy.

Zehr Insurance can provide your business with a standalone cyber policy or provide insurance for your entire operation.

For more information on how a cyber breach policy can provide coverage for your business – or to find out what is not covered – contact the Zehr Insurance office closest to you.