This article also appeared in Advisen (September 22, 2014).
2014 has seen one massive data breach after another, affecting industries and organizations of every type. One recent report indicated an Eastern European cyber-crime gang by itself has hacked 1.2 billion username and password combinations. Another report indicated that there are more than 350 million stolen credit card credentials available for purchase in underworld markets. And tellingly, identity theft continued to be the number one consumer complaint tracked by the Federal Trade Commission.
Understandably, most insurance and risk management effort with regard to cybersecurity has focused on the immediate losses occasioned by data breaches. These include paying for the almost instant costs of state notification law compliance, forensic investigation, call centers, and defense of class action suits predicated on violation of privacy rights. But there are other areas of data breach-related losses that are expensive and should be addressed through insurance coverage where possible. Most policyholders will want insurance coverage to respond to inquiries, suits and formal investigations by regulators and law enforcement following a breach. Many policyholders will also want to have coverage for the reimbursement of fraudulent account charges if credit card, banking or brokerage accounts are pilfered.