
Privacy and Cyber Insurance: New Protections for New Times

Cyber-related data breach incidents increased in both frequency and severity in 2013. In fact, more than 13 million Americans were victims of identity fraud last year, according to various research reports. Both corporate and personal information stored electronically in a company’s network offer tremendous value but also increase an organization’s risk.

Concerns about cyber threats, attacks on corporate networks, computer fraud and the theft of customer information have become a top consideration in a company’s risk management program.

Before the Internet, identity thieves relied primarily on what we threw away in our trash to steal our identity. Although this tactic is still used, sometimes as the first step in a deeper cyber attack, the advancement of information technology has changed the playing field. Now that most or all of this information is available online, criminals also use the Internet to steal identities, hack into accounts, trick users into revealing personal information, or infect their devices with malware. Additionally, in the past the people who stole the data were the people who used the data. Today there is a significant black market for selling stolen data. Although industry experts believe that, given the large-scale nature of the cybercrime business, individuals or small groups commit most cyber crimes, large organized crime groups are also taking advantage of the Internet.

Law enforcement and government agencies tend to have a difficult time tracking cyber criminals due to the anonymous nature of the Internet, the worldwide user base and the ability for a thief in Russia to make it look like he is sitting in Wisconsin.

While a breach of data or other information technology threat to a private club may not make the news, clubs need to be cognizant of their exposures and how to best protect this information.

Private Club Data

Private clubs more than likely keep the member data they gather during the admissions process, such as name, address, telephone number, date of birth, employer, education and e-mail address. Although this appears to be innocuous information, it is still considered Personally Identifiable Information (PII). PII, as used in U.S. privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person. PII can also be exploited by criminals to stalk a person, steal his or her identity, or aid in the planning of criminal acts.

Clubs may also collect Social Security numbers of members during the admissions process to run credit checks. Obviously, in this instance, the stakes for protecting this data have risen, as a breach of this data could be far more detrimental to the member and ultimately to the club.

Also, as employers, clubs keep employee files including the above information, which they are required to protect under the various data breach laws. Some policies only cover breaches of third-party data, so a club should consider whether additional insurance is needed to protect employee data.

Some clubs are now processing dues payments and other service payments using credit cards, bank ACH or other payment types through the club’s website or another site. These payment services could be managed directly by the club or through a third-party payment processing company. Obviously, if the club is handling this service directly, it needs to understand the Payment Card Industry Data Security Standard (PCI DSS) and have a plan to develop internal procedures and to monitor compliance with those standards.

If a club handles these services through a third party, the payment service provider may dictate language that transfers most of the risk and liability to the club. For example, consider language such as, “Club will defend, indemnify and hold bank and third party service company harmless from and against any and all fines, penalties, claims, damages, expenses, liabilities or fees of any nature whatsoever, including attorneys’ fees and costs (“Damages”), asserted against or incurred by bank and third party arising out of, relating to or resulting from, either directly or indirectly….” There is some wording later in this contract that narrows the club’s exposure, but the above language is too broad to recommend that a client sign it without at least some negotiation or a deeper discussion of effective insurance to protect the club.

When a club makes the decision to get into this area of member services, it opens up a whole new world of exposure and often leads to a more detailed discussion of purchasing cyber and privacy insurance.

As technology becomes increasingly important for successful club operations, the value of a comprehensive insurance program, including Cyber and Privacy insurance protection, will only continue to increase.

The Insurance Product

Unlike traditional insurance policies for commercial liability, property, automobile, workers’ compensation, etc., where various companies typically utilize the same standard policy, each underwriter utilizes its own policy form when developing an insurance policy to meet cyber and privacy exposures. That being said, most policies have two coverage parts: first-party coverage and third-party coverage. Typically the first-party coverage will cover loss of data, corruption of data, credit monitoring, client notification costs, identity theft remediation and more.

Third-party coverage provides defense against customer-based lawsuits for their potential or actual damages; under the third-party portion of the policy, insurance carriers also typically cover the hefty fines levied by regulators. Third-party suits can be devastating to a small to midsize company like a private club. Many of the risks surrounding data breaches are significantly reduced by proper first-party cost and response coverage, but third-party coverage is still recommended for a wide range of businesses.

Cyber and Privacy Risk Policy

Example of Third-Party Insuring Agreement

  • Network and Information Security Liability – Damage and defense costs for covered lawsuits
  • Communication and Media Liability – Lawsuits for web trademark infringement and the like
  • Regulatory Defense Expense – Failure to Protect – Regulatory fines and penalties

Example of First-Party Insuring Agreement

  • Crisis Management Event Expense – Cost to hire a PR firm to mitigate negative publicity
  • Breach Remediation and Notification Expense – Breach response, forensics, notice requirements, credit monitoring, cost to obtain an ID fraud policy for affected victims
  • Programming and Restoration Expenses – Cost to repair and restore an insured’s programs and data
  • Computer Fraud – Loss of insured’s money or other property
  • Funds Transfer Fraud – Money fraudulently transferred from its bank account
  • E-Commerce Extortion – Expenses to manage incident or money paid to extortioner
  • Business Interruption and Additional Expense – Net proceeds/loss resulting from system disruption

Just like all types of insurance, each insurance underwriter will be willing to provide more or less coverage in a given area listed above (and with broader or narrower coverage language), each with its own deductible, limit and premium.

Although cyber policies have been around for 20 years or more, insurance for privacy protection became relevant when privacy breach legislation was passed in 2003. Although 10 years seems like a long time, only in recent years has this coverage been discussed regularly. As such, insurance brokers are still educating themselves, and it is important for buyers to review their exposures with the broker, along with examples of potential claims and how the proposed policies would respond.

Premiums for this policy will typically run between $2,000 and $8,000 for most private clubs purchasing limits of $500,000 to $2 million depending on deductible and how much Computer and Funds Transfer Fraud limit is purchased.


Bill Dalton is president of Bridgepoint Insurance Group, a specialty property & casualty insurance brokerage located in Wayne, Pa., with a focus on the golf and club industry. He can be reached at [email protected] or 888-687-5712 x223.
