Data has been a necessary risk for collection agencies: keeping it on hand is an absolute must for confirming that you're speaking to the right consumer; however, having it stored, especially electronically, opens you up to the possibility of a data breach.
As Greg Toler of Cornerstone Support writes, "Cyber liability and network security coverage is a constantly evolving, and often confusing, form of insurance, but a necessary part of every collector’s commercial insurance policy line-up."
Recently, during a Compliance Professionals Forum monthly peer call, members discussed how long companies were keeping consumer data on hand. In response to the question, "Why not just hold all data essentially forever?" one caller said, "The reason we want to purge as soon as possible has to do with insurance: the more records you have the more it costs to insure."
Other factors affecting the cost of cyberinsurance include company revenues and loss history. However, things like strong controls around network access and robust security protocols can help reduce some cyberinsurnace costs.
This FAQ recently published by Cornerstone answers the question, What coverages should be on my policy?
Breach notification cost, sometimes referred to as event management, is the limit of insurance designated to consumer notification in the event of a breach. Forty-eight states and some United States territories have enacted legislation requiring private entities to notify consumers of security breaches when their personally identifiable information is at risk. State laws typically define compliance expectations and what is considered a breach. Often, written and mailed notification is required, which can be a large percentage of the costs paid by the carrier. Based on the number of individual’s records stored, notification costs alone can be a major expense.
Cyber extortion is the act of demanding payment by threat of data compromise, system lockdown, or other threats requiring a ransom. Cyber extortion has become more common, and often triggers multiple forms of coverage. Extortion coverage is the specific limit designed to pay demands and ransom.
Business interruption limits cover the loss of income and operations expenses when interrupted or suspended due to a breach of network security. For example, if an extortionist holds your system for ransom and you can’t conduct business or your system is shut down while trying to repair damage from a hack or virus, the business interruption limit would cover the lost income. Business Owners Policies (BOP) do often include a supplemental limit for business interruption costs, but most BOP’s exclude business interruption claims arising from a network security event.
Regulatory/PCI fines coverage
Specific limits can help cover the costs of dealing with state and federal regulatory agencies which oversee data breach laws and regulations. Costs can include defense, penalties, and fines due to regulatory and PCI compliance violations.
Cyber crime coverage includes limits to indemnify funds lost through email phishing, telephone fraud, fraudulent instructions, or anything dealing with the voluntary transfer of funds due to a scam. Some policies will exclude or sublimit cyber crimes which may help with premium costs. Generally, this coverage is not included on a standard crime/theft policy.