Cyber Liability and Data Breaches
Cyber Liability insurance has become more and more of a focal point over the past few years; however, many clients, and even some in the insurance industry, are still not sure what it is. Part of the reason for this, as many commentators have said, is that Cyber Liability is an umbrella term which incorporates many areas of cover that aren’t immediately obvious. We have put together this document to hopefully demystify this cover.
We will focus on discussing the following:
What is Covered;
Summary of Terms Used;
Notifiable Data Breaches Scheme;
Why Should Cyber Liability Insurance be Purchased; and
What is Covered
The covers offered are split into first party costs (costs which you incur dealing with your own losses), third party costs (arising from claims made against you) and business interruption covers.
As we mentioned above, Cyber Liability Insurance is an umbrella policy incorporating a range of covers; generally these include some or all of the following:
Professional Indemnity Insurance (including Multimedia Liability). Claims arising from you being sued for breaching your professional duty of care in providing your technology services. These can range from breaches of contract to defamation, amongst others.
Privacy Liability. Provides cover for claims arising from breaches of privacy. This is important considering the Notifiable Data Breaches Scheme, which is discussed below.
Reputational Expenses. Should you have a claim under any of the above, it can be very damaging, as reputation is key for any business. As such, most policies will include reputational expenses, otherwise known as Public Relations expenses.
Business Interruption. Following a claim, especially a breach, there could be a period during which you are unable to trade and income is impacted; there may also be recovery costs. Those costs would be covered under this section.
Ransom Payment. More and more you read about claims which come from hackers ‘locking’ businesses out of their systems and demanding a ransom payment. This is covered under a cyber extortion/ransom cover.
Regulator Claims. Claims coming from regulatory bodies following a breach.
Summary of Terms Used
Cyber Espionage is offensive activity designed to covertly collect information from a user’s computer network for intelligence purposes.
Cyber Attack is a deliberate act to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information contained within them.
Cyber Crime refers to criminal acts involving the use of computers or other information and communication technology, or targeted against computers or other information and communication technology. This can be either pure cybercrime or technology-enabled crime.
Cyber Intrusion, also referred to as unauthorised access or hacking, occurs when someone gains access to a computer or device without the owner’s permission. This can include social engineering/phishing.
Notifiable Data Breaches Scheme
Breaches of privacy are one of the main reasons that businesses seek out Cyber Liability Insurance in the first instance. I would expect that this would continue with the Notifiable Data Breaches Scheme coming into force in early 2018. With that in mind, the remainder of this document has a heavy focus on data breaches.
What is the Notifiable Data Breaches scheme?
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia.
The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm from a data breach. This notification must be done within 30 days of discovering the breach.
This notice must include recommendations about the steps that individuals should take in response to the data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
What is a Notifiable Data Breach?
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
Examples of a data breach include when:
a device containing customers’ personal information is lost or stolen
a database containing personal information is hacked
personal information is mistakenly provided to the wrong person.
When does it take effect?
The NDB scheme will commence on 22 February 2018.
What are the Penalties?
A failure to notify of a breach could result in fines of $360,000 for individuals and $1.8m for corporations.
Why Should Cyber Liability Insurance be Purchased
There are many reasons as to why Cyber Liability should be purchased, but in our mind the overwhelming reason is due to the age that we live in.
Our businesses are utilising technology more and more. Indeed, many businesses could not function without the use of their systems. Cyber Extortion is a huge area of exposure, and whilst many SME businesses don’t feel that they are targets, the statistics don’t back that up. In 2012 Symantec detailed that more than 20% of Australian businesses had experienced Cyber Crime, with circa 40% directed towards SME businesses. Now we are in 2017 and Cyber Crime has become more prevalent.
With the increased prevalence of Cyber Crime and the continued expansion of privacy legislation, those businesses who hold client files with personal data should be considering Cyber Liability as a matter of course. Even if you have your files stored on data servers, Cyber Intrusion into your systems could still give the intruder access to the files. To highlight how expensive this can be, the Ponemon 2016 Cost of Data Breach Study put the average cost to business over a three-year period at $132 per record. If you have 1,000 clients, then that cost to a business could be $132,000.
Whilst we are obviously an advocate for Cyber Insurance policies, we are not naïve enough to think that businesses should only consider risk transfer to an insurance policy: they may already have in place robust internal risk management policies and procedures, and ultimately there is a cost-benefit analysis to every piece of insurance. This insurance does, though, give peace of mind and, in our opinion, should be placed in conjunction with strong internal risk management and controls to minimise the potential of a cyber-attack.
Data Extortion: A small health clinic discovered that an unauthorised third party had gained remote access to a server that contained electronic medical records. The third party posted a message on the network stating that the information on the server had been encrypted and could only be accessed with a password that would be supplied if the insured made a “ransom” payment. The insured contacted law enforcement and, working with them, determined that the payment ($2,500) should be made. The payment constituted cyber extortion monies under the policy.
Furthermore, loss of business income amounted to $65,000, and IT forensic costs of $5,000 were paid in accordance with the coverage provided by other sections of the policy.
Privacy Regulation: A healthcare provider misplaced multiple storage devices which contained sensitive information for over one million patients. The provider could not determine whether the devices were lost, stolen or destroyed. Lawyers advised the company to notify the affected individuals and assisted the company in addressing a regulatory investigation into the incident, which saw the company fined for failing to adequately protect the information. Cover under this section allowed for the payment of legal fees incurred by the company in connection with responding to the investigation. It also provided coverage for a $75,000 fine. Legal costs were covered and totalled just over $1 million, including costs incurred in defending claims brought by affected individuals, costs associated with regulator enquiries, and miscellaneous notification-related work. This type of breach triggers multiple insuring agreements, and overall costs were $5,000,000.
 Ponemon Institute 2016 Cost of Data Breach Study: Global Analysis