When data breaches make the news, they usually involve major corporations and affect millions of people. In 2021, the <a href=" https:="" target="_blank" />Colonial Pipeline breach led the company to shut the pipeline, resulting in a fuel shortage and lines at gas stations. Equifax was breached in 2017, and the financial and credit information of 147 million people was exposed.
With large targets like that, small-business owners might think they’ll be ignored. What would criminals want from a mom-and-pop shop or even a medium-sized business? Money. According to Verizon’s 2022 Data Breach Investigations Report (DBIR), even very small businesses (those with 10 employees or fewer) can be attractive targets, partially because they often don’t have very good defenses.
The report found that attackers exposed the information of small businesses 130 times from November 1, 2020, through October 31, 2021, and noted that these types of data breaches can kill small companies. Data breach insurance might be a business saver, although it’s important to understand what types of insurance you might need and what different policies cover.
What is a data breach?
The definition of a data breach can vary, and that’s something you’ll want to review before buying an insurance policy. Verizon’s DBIR and many others define a data breach as an incident that allows an unauthorized party to access confidential, personal, sensitive, or protected data.
A data breach can be the result of a cyberattack, such as when hackers or criminals exploit vulnerabilities in a computer system, get you to install malicious software, or use social engineering (i.e., trick or scare you into trusting them) to break into your systems. But they can also happen when an employee or business owner uses their legitimate access to personal and business information for malicious purposes—you might call this an insider attack. They can even happen by accident, such as when an employee loses a company laptop that has unencrypted sensitive information on it.
Although data breaches often involve a business’s electronic systems and files, that’s not always the case. If a thief breaks into your offices or rifles through a dumpster and steals personnel files, that could also count as a data breach.
Data breaches can lead to the exposure of different types of data, including a business’s financial statements, intellectual property, customers’ personal and payment information, and employees’ personal information. It can be disastrous for large and small businesses alike.
Some attackers might install ransomware and lock you out of your system or threaten to expose sensitive information if you don’t pay them a ransom. State and federal laws may require companies to pay fines and disclose data breaches, potentially causing harm to your reputation. There can also be legal and restoration costs.
What is data breach insurance?
Data breach insurance is a type of business insurance policy that helps companies cover the costs associated with a data breach. Companies can buy data breach insurance separately, or they might get data breach coverage as a benefit or rider on a different type of business insurance policy.
How does it work?
The specifics will depend on your policy, but the coverage may help you pay for:
- Notifying regulators and the affected parties, such as your customers or vendors
- Buying credit monitoring services for affected parties
- Figuring out how the data breach happened
- Legal counsel and public relations support
- Paying a ransom to get your system or information unlocked
- Lost revenue if your business closes temporarily
- Restoring your system
Why is it important for businesses?
Any business with sensitive information could be at risk for a costly data breach—including ecommerce companies that maintain customer profiles and store customer payment details. Although some companies are more likely to be targets than others, Hiscox’s Cyber Readiness Report for 2022 says companies with annual revenue of $100,000 to $500,000 are as likely to be victims of a cyberattack as companies with sales of $1 million to $9 million a year.
What is cyber liability insurance?
Cyber liability insurance can include different types of insurance related to cybercrime and data breaches.
- First-party coverage: First-party cyber liability insurance is another name for data breach insurance because it covers the policyholder’s eligible costs after a data breach.
- Third-party coverage: Third-party cyber liability can help you cover legal fees and liability claims that arise from a data breach. It also provides coverage for companies whose clients have a data breach. For example, an IT consulting firm that helps companies configure their websites might be liable if a security hole in a website it worked on is exploited.
Some insurance companies offer general cyber liability policies that include both first- and third-party coverage. However, if you don’t need comprehensive coverage, you might save money by buying a more limited data breach insurance policy.
Data breach insurance vs. cyber liability insurance
There’s often an overlap between data breach insurance and cyber liability insurance, but they’re not necessarily the same.
What are the similarities?
Both types of insurance can help companies cover the costs related to a cyberattack and data breach. But the benefits can vary depending on the insurance company and policy, and it’s important to review the fine print to know what is and isn’t covered.
What are the differences?
In general, cyber liability insurance provides more comprehensive coverage that may include first-party data breach insurance and third-party coverage. Cyber liability coverage may also cover claims related to a cyberattack that doesn’t result in a data breach. For example, if a distributed denial of service (DDoS) attack takes down your website by overloading it with extraneous traffic, you might be able to file a business interruption service claim.
Data breach insurance FAQ
What is an example of a data breach?
Data breaches can happen for various reasons. A criminal could break into your computer system or a filing cabinet at an office. Or, someone who has legitimate access to sensitive information could lose a laptop or use the information in a malicious way. The type of information exposed could include trade secrets, financial documents, and personally identifiable information, such as Social Security and driver’s license numbers.
What is the most common cause of data breaches?
Different types of cyber and physical attacks can lead to data breaches. Some of the most common causes include criminals tricking employees into sharing access or login credentials and employees using their legitimate access for malicious purposes.
What is data breach insurance coverage?
Data breach insurance can help companies cover the costs associated with a data breach. These can include the costs for notifying affected parties, paying required fines, and restoring the system. Policies may include (or offer optional coverage) to pay for ransomware demands and lost business income due to the breach.
Is cyber insurance the same as data breach insurance?
Cyber insurance, also called cyber liability insurance, might be the same as data breach insurance if it only offers first-party coverage for data breaches. However, some cyber insurance policies are more comprehensive and cover various types of cyber-related crimes, attacks, and mistakes.
What is not covered by data breach or cyber insurance?
Cyber insurance policies generally don’t cover non-cyber-related crimes or accidents, such as if a customer is injured at your workplace or while using one of your products. But other types of policies, such as liability insurance, can offer that type of protection.