There is much conversation about the cost of the security breach that Sony recently experienced. While a breach of this magnitude is thankfully not the norm, it does provide an opportunity to consider the impact of security breaches and what can be done to protect against them. In addition to insuring the professional liability or negligent errors and omissions exposure arising from a company’s failure to prevent the breach, it does appear that several expenses from a breach can readily be insured.
Specifically, the types of costs that may be transferred via a privacy or security insurance coverage include the cost to notify affected customers of the breach; the cost to repair the systems to return them to working order after a business interruption; the cost of public relations efforts to defray any materially negative publicity arising from the breach; the cost to investigate the breach to determine the cause; the cost to re-secure private data of customers; and the cost to restore damaged or destroyed content. Of course all policies will have conditions and terms that limit the amount and types of costs covered.
Some policy exclusions to watch out for include
a. exclusions for the insured’s failure to maintain or meet a specific security level or standard;
b. exclusions for the insured’s programming error;
c. exclusions for private data on a third party’s system or under a third party’s control (e.g. a vendor); and
d. exclusions for employee private data.
In Sony’s case, it appears the extended downtime is due, at least in part, to efforts to improve the security of their systems and bring their security to a higher level than it was prior to the breach. It’s important to note that while there is commonly coverage for business interruption costs to restore systems following a breach, coverage to improve the systems and make them greater than they were prior to the breach is uncommon. For more details about security breach costs and a tool to evaluate a company’s exposure, see our Security Breach Costs Update.