Navigating the Data Breach Insurance Landscape, by Andrew J. Kelly, RPLU

There are many policies in the market that cover data breach exposure. Each insurance company offers several levels of coverage, priced across a wide range of premiums. Particular attention should be paid to how the coverage is underwritten, whether sublimits apply to each insuring agreement, which exclusions apply, and how loss prevention and customer service are handled.

There are two ways insurance companies insure data breach exposure. The first method puts a hard cap on the number of records covered. It is critical for an insured with such a policy to keep track of its growth. Any unexpected spike in the volume of personally identifiable information held that puts the insured significantly over the carrier-imposed cap should be reported to the carrier for review to determine whether a higher cap is appropriate.

The second method defines the limit of liability as a dollar amount. If this method is selected, the broker and agent should explain all of the front-end and back-end costs the policy covers. A data breach policy with a one million dollar limit can quickly be exhausted by forensic investigation and the required notification of affected parties if the breach is large enough.

Many underwriters assign sublimits to the insuring agreements in their quotes. The notification sublimit is particularly important. If an insured has a breach, laws in most states require notification of the affected individuals, and some also require credit monitoring or similar services. A sublimit that caps notification costs at 50% of the aggregate limit of liability can easily leave part of a claim uncovered. Many markets quote a lower notification sublimit upfront but will increase it for an additional premium upon request.

Other areas where sublimits can become problematic include the cost of providing identity theft services to consumers when required, regulatory fines and penalties, cyber extortion, business interruption, and media coverage. While some clients may prefer a bare-bones approach for cost reasons, it is important to show them the cost difference of raising the sublimited insuring agreements.

PCI (payment card industry) coverage pays the fines and assessments levied by the card brands and acquiring banks when card data is lost and the insured was not compliant with the accepted card industry standard. Markets may delete the encryption exclusion if an applicant confirms there is no PII on portable devices. The agent and broker should also double-check the wording that addresses intentional acts of rogue employees and hard-copy paper files, since both are common gaps.

Social engineering is an outside attacker's use of non-technical tricks on legitimate users of a computer system with the specific intent of stealing sensitive information. Attackers who use social engineering rely on techniques like faking company badges and uniforms to get on site, taking cell phone pictures of an unsuspecting employee's computer screen (shoulder surfing), dumpster diving, and even outright asking for sensitive data under the guise of a utility, package delivery, or other legitimate vendor. Once the data is in the wrong hands, it is used to gain unauthorized access to the company's network and sensitive data.

Many agents and brokers assume social engineering is covered by data breach insurance. Data breach policies will not cover social engineering claims in which the insured is tricked into forwarding funds. Coverage can be declined in this case because the insured was deceived into sending the funds directly to the attacker rather than suffering a compromise of its systems. For the time being, a crime policy with an applicable social engineering endorsement can be pursued for this exposure.

All aspects of each quote option should be considered when deciding what recommendation to give the applicant at the time of binding. When making a final decision, consideration should be given to the availability of back-end value-added services. Some companies offer loss prevention services through a third-party website. Several insurance companies go a step further and make live assistance available to insureds that have questions about potential claims and how to prevent future incidents.

There are many new and evolving threats that can compromise a company's sensitive data. Selecting the right data breach insurance and implementing procedures to prevent future claims are both necessary so that the exposure does not lead to an untimely uncovered loss.

AJ Wayne

Andrew J. Kelly, RPLU
Vice President
Alexander J. Wayne & Associates, Inc.
Direct Line: 773-559-1883
Fax: (773) 328-0508
Alternate Fax: (773) 328-1259
Email: drewkelly@ajwayne.com
2551 North Clark Street, Suite 601
Chicago, IL 60614