Understanding the risk and defending against it.
By Kevin D. Smith, CPCU, ARM, The Graham Company
Among the many risks that property owners must manage is the risk of cyber liability. Years ago, privacy of residents’ personally identifiable data was confined to filing cabinets and office computers, but now this data exists electronically in the cloud, on laptops, smartphones or tablet devices often in addition to the paper files. Access points are everywhere, and the information can be easily transmitted. What’s more concerning is that cyber criminals are on the lookout for this data, and they are becoming more sophisticated every day. If that is not enough to worry about, state and federal regulations are being enacted that require a duty of care for this data, and complying can be difficult.
Cyber liability insurance is relatively new and has become the fastest-growing line of coverage over the last 10 years. Few industries are immune to the risk of data breaches that can include customer, vendor or employee data. As with any risk, it is relative to the type and amount of exposure an individual company faces.
For property owners and managers, the amount of data collected on employees, residents or prospective residents can be immense, and a breach of this data would not only be embarrassing but also costly. Cyber liability insurance can provide a level of protection from this emerging risk and should be evaluated as part of any risk management program.
Cyber liability policies
Cyber liability policies are designed to cover a company for a loss or breach of personally identifiable information. Traditional insurance policies were not designed to cover these types of exposures, so any coverage you might find under your general liability, professional liability, crime or property policies or even a directors’ & officers’ liability policy written for a privately held company will either be very limited or simply accidental. Some carriers might offer you an endorsement to provide coverage for a specific component of your cyber liability exposure, but it is usually not as comprehensive as buying a separate policy.
Here are several reasons why your traditional insurance policies might not respond to a cyber liability claim:
■ General liability policies do not respond to claims for damage to intangible property (there is also typically a specific exclusion for claims arising out of electronic data)
■ General liability policies typically exclude claims arising out of “blogs” you own or host
■ Property policies only provide loss of business income coverage if there was direct physical damage caused to your property (not caused by hackers or rogue employees who shut down your website or computer systems or the systems of a service provider you rely upon to conduct your business)
■ Crime policies do not respond to claims for damage to intangible property (there is also typically a specific exclusion for loss of confidential information)
■ Private company directors’ & officers’ liability policies typically exclude claims arising out of bodily injury (including emotional distress), property damage and specific types of personal injury
■ No traditional insurance policy currently provides coverage for the expenses associated with notifying affected individuals when their personally identifiable financial or medical information was breached while in your care, custody or control
These are just some of the hurdles to overcome in order to find coverage for cyber liability claims under a traditional insurance policy.
Costs resulting from a breach can vary greatly, and when you take into account lost revenue or reputational damage, they can be significant. The costs associated with the breach include defense and judgment costs from lawsuits as well as notification and credit-monitoring expenses. Consider just the costs of notification and credit monitoring for a multifamily property manager with 3,000 residents. The cost of notification and credit monitoring after a breach can range from $30 to $50 per person. If the data lost compromised 3,000 records, these costs alone would be over $100,000.
Policies can be structured to provide limits anywhere from $1,000,000 to $10,000,000 or more, with various deductible and coverage options to tailor the policy to fit the coverage and cost needs of the insured. Premiums will vary and will be dependent upon the amount of coverage, size of your organization, type of data collected and security measures in place. Generally, policies will start around $10,000 for $1,000,000 in limits.
Some of the exposures and costs that can be covered under a well-structured cyber liability policy include:
■ Information security and privacy liability for failure to protect personal or corporate information (like tenant Social Security numbers and credit research) held on computer systems, smartphones, laptops or paper files or entrusted to third-party vendors
■ Costs to notify affected individuals that their personal information has been breached, as required by law
■ Other costs associated with data breaches, such as public relations, investigative costs and defense costs from lawsuits
■ Loss of business income when a “hacker” prevents your customers from accessing your website or disrupts your systems
■ Loss of business income when your service provider’s systems are affected by a “hacker” (such as a cloud service provider or credit card processing company)
■ Personal injury (such as libel) that may result from the use of blogs on your website or other social media
When employees are cyber criminals
Breaches can happen in a variety of ways, and there is no shortage of news examples of significant breaches. The FTC reports that identity theft complaints were up 32 percent in 2012, and over 12 million people have been victims of identity theft.
While cyber criminals account for many of these instances, there is also the threat of employee error that causes data to be lost. Examples include laptops left in cabs, lost smartphones, USB drives left in the open and stolen, or a file with this data simply emailed to the wrong address. While encryption can be a line of defense against the release of this data, many times it is not sophisticated enough, or it simply does not exist on every computer or device. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million settlement for penalties under the HITECH Act for a breach of over 1 million patient records after the theft of computer hard drives (with unencrypted health information).
The use of third parties, such as a rent payment portal, does not eliminate the risk. The company that selected the third party would also be involved in a lawsuit or breach since they selected and promoted the third party for resident rent payments. A lawsuit would examine what level of due diligence was done by the property manager to select the third-party rent payment portal and its security measures.
The need for prevention
Preventing breaches with security protocols is a no-brainer and often a requirement of state or federal government. Good security and prevention measures also make you a more appealing risk for cyber liability underwriters, which helps keep costs down if insurance is purchased.
It begins with identifying the type of information collected and putting policies in place to protect this data. This protection can range from employment policies that control employee behavior, such as policies on downloading unauthorized software and rules related to personal device usage, to technology solutions such as keeping anti-virus software up-to-date and complex password protection measures. Your IT department should regularly monitor security measures and look for signs of attempted breaches. Many companies have used an outside consultant to perform an audit of the cyber security systems in place to determine vulnerable areas.
The threat of lost data, the ensuing costs, and potential liability for property owners and managers is real and growing each year. Companies spend a lot of money and effort on keeping this data safe, but the sheer number of incidents suggests that it is only a matter of time before companies experience some sort of breach.
Kevin D. Smith CPCU, ARM, is vice president, real estate division director at The Graham Company, a property and casualty brokerage specializing in the multi-housing.