From: USA Today

By Ethan A. Miller

(USA Today Editor's note: When high-profile companies disclose database breaches, what often goes overlooked in news coverage are the damages that can be associated with losing sensitive data. In this guest commentary, Ethan Miller, an insurance attorney at Hogan Lovells, describes new cyber liability policies available to small businesses concerned about data thieves.)

It seems that large data breaches or denial-of-service attacks at large corporations get the most media coverage.

The costs of investigating and responding to these losses, and the resulting lawsuits and regulatory fines, can be staggering. The Ponemon Institute has estimated that response costs can be as high as $200 for each compromised record. It is not difficult to understand how total costs for a wide breach can quickly escalate well into the millions of dollars.

But smaller companies also face such losses. When these losses arise, the best friend a small company can have is a well-crafted cyber liability insurance policy. And cyber liability insurance is often more appropriate for smaller businesses.

Large companies typically have the foresight and ability to manage cyber risk up front and the sophistication to deal with losses. For smaller businesses, this is not always so.

While cyber policies reimburse a business for the damages it must pay its customers, they do much more. A victim of a cyber loss must first investigate the cause, often with the use of IT forensic examiners. The company must then comply with required notices to potentially affected customers.

And of course once word is out about the loss, the victim must manage the negative media attention. Cyber insurance can defray expenses at each of these stages. For instance, cyber insurance may pay the costs of hiring a public relations firm to mitigate negative publicity following a breach.

Such insurance can also pay to retain law firms to determine an insured’s rights to indemnification under independent contractor agreements. Cyber insurance can even pay to monitor affected customers to ensure that they do not become victims of identity theft.

Cyber insurance can cover the costs of paying regulatory fines and penalties. Given that there is no uniform regulation of data privacy protection worldwide, negotiating the fine with the myriad jurisdictions involved in a wide breach can be an enormous undertaking.

Smaller businesses face more difficulties in absorbing these types of expenses than do large companies. Smaller companies do not always use robust social media procedures and policies for their employees.

Yet in the cyber age, businesses of all sizes are more often sued for defamation, unfair competition, breach of privacy and related claims arising from employee postings on social media. Cyber liability policies can be tailored to respond to this type of liability as well.

Similarly, small businesses may be less capable of weathering a shutdown of their business following a denial-of-service attack or even a data breach. A smaller business may be significantly more dependent on any given line of business so that interrupting that line would effectively be a death blow. In addition to covering the response costs, a good cyber policy can cover lost revenue resulting from a business interruption.

Finally, some insurers will go so far as to counsel a company client on avoiding cyber liability in the first instance. This may run the gamut from ensuring adequate firewall protections to recommending appropriate social media protocols conditioning employees against inadvertent disparagement of a competitor’s product or defamation of a fellow employee. The advantages of avoiding a loss before it materializes are clear.

A good cyber liability insurer will partner with a small business in a start-to-finish management of liability — from counseling to claim response, to mitigation of business interruption to monitoring for breaches and payment of ultimate liability. For businesses without a sophisticated risk management department, this can prove to be invaluable.

A good cyber insurance policy may not be cost-prohibitive for small businesses. Depending on factors such as the size of revenues, the company’s international operations and the industry in which the company operates, the cost for such a policy may be as low as $3,000 annually.