The typical business general liability insurance policy provides ZERO insurance coverage. A special policy referred to as Cyber Liability Insurance includes a section called Network Security coverage that protects you for both first-party and third party liabilities arising from a data breach event. In order to get the special insurance, a merchant must be PCI DSS Compliant at the time the policy is written, and attest to compliance on the insurance application.
Cyber Liability is a generic term for an insurance policy and possible coverages include identity theft from computer network data and paper files.
CRITICAL RED FLAGS:
- Merchant doesn’t know what PCI compliance means (Payment Card Industry Data Security Standards)
- Merchant cannot provide a copy of written policy for actively monitoring PCI compliance- and record of doing so.
- Merchant statements contain “non-PCI Compliance validation fee”.
What if the PCI Compliance status changes during the term of the policy? This is a grey area and likely many factors will influence a decision to pay out, including how egregious the issue was that caused the breach as well as the business efforts to maintain compliance.
If a business qualifies for a discount because they have a building alarm, but then post the alarm code next to the door for everyone to see, would the carrier be happy paying a theft claim? If a business was PCI compliant but then started accepting credit card sales via fax and stored all the forms in a file folder on someone’s desk where other employees or cleaning personnel have access to, do you think the insurance carrier might have an issue with this? What if the business made every effort to meet PCI compliance, but a key senior employee goes rogue?
Businesses can mitigate the risk of losses by data breach by outsourcing the responsibility, using third party payment processing technology, and by purchasing Cyber Liability Insurance.
Thanks to Steven Breitbart, of Cypress Insurance Fort Lauderdale, for contributing to this article.