Cyber-Insurance: Is It Right for Your Business?By Guest Author | Posted 2016-03-16 Email Print
As a result of actual and threatened events, the insurance market has responded with a new product to protect businesses from data breaches: cyber-insurance.
Notification Requirements: What’s Needed?
At the time this article was written, 47 states had adopted data breach notification laws, creating a confusing legal patchwork. This landscape makes it difficult for multistate companies to comply in the wake of a large-scale breach.
While the state laws share some common threads—such as requiring companies to notify all individuals if any personal information is lost, stolen or compromised—many state laws differ on various provisions. These include the following:
· The time limit to notify individuals of a breach (laws range from “most expedient time possible” to “no later than 45 days”);
· When notification is triggered, i.e., whether there is a “risk” or “actual harm”;
· How personal information is defined;
· Whether individuals in various states possess a private right of action, or whether only a state attorney general or other state agency can seek relief on their behalf; and
· The type and manner of notification.
In response, federal lawmakers have attempted, without success, to introduce federal legislation to replace this patchwork of inconsistent state laws.
In early 2015, President Barack Obama announced the “Personal Data Notification and Protection Act of 2014” (S. 1976 113th Cong. 2014). Under the proposed legislation, businesses that store “sensitive personally identifiable information” of more than 10,000 people would be required to provide notification of security breaches without “unreasonable delay,” which is currently defined as less than 30 days.
Additional notice would have to be provided to the Department of Homeland Security for breaches involving 5,000 or more. However, there are exemptions to the notification requirement, as well as options to obtain additional time for notification.
There are two main criticisms of the bill. First, the 30-day notice period, which is shorter than that of most states, would restrict the time businesses would have to investigate a data breach. Second, the law would supersede all existing state data breach laws, which does not sit well with many states. Previous attempts to enact federal legislation to streamline notification procedures have repeatedly failed in Congress.
Due to the extensive costs posed by a data breach, cyber-insurance is a viable alternative. Keep in mind that the policies are expensive, and purchasing such a policy will require an extensive analysis of the size of your business and potential risks when considering coverage limits.
Since ancillary costs can quickly erode aggregate policy limits in the event of a large-scale breach, ensuring adequate coverage in the event of a data breach is vital.
Elizabeth Haecker Ryan is vice chair of the technology committee of the International Association of Defense Counsel and a director at law firm Coats Rose. She practices in the area of general civil litigation, with a concentration in products liability, construction, environmental, insurance defense and coverage, admiralty, and pharmaceutical and medical device law. Amanda Wingfield Goldman is an associate in the labor and employment and litigation sections of Coats Rose. Ryan can be reached at email@example.com, and Goldman can be reached at firstname.lastname@example.org.