When PHLY first introduced its Cyber Security Liability product in 2009, most interested buyers were firms that held or processed large amounts of sensitive customer, patient, or employee data. Retail and hospitality businesses sought coverage in the event of a credit card breach. Healthcare providers were concerned about disclosures of protected health information and their obligations under HIPAA. Accountants, insurance agents, and other financial service providers worried about unauthorized access to clients’ financial and other personally identifiable information. These data breaches could be carried out through physical breaches (physical theft of documents or equipment containing data), electronic breaches (unauthorized access or attack on a system or network where cardholder data is processed, stored, or transmitted), and skimming (the capture and recording of magnetic stripe data on the back of credit cards). Driving much of the concern were the ever-growing number of state breach notification laws. In 2002, California became the first state to pass such legislation, with other states gradually following suit (as of earlier this year, all 50 states, plus the District of Columbia and Puerto Rico, have such laws on the books).
Requiring breached entities to notify regulators and affected customers in a timely manner meant costly first party expenses. Expenses could include everything from attorney fees to help navigate the patchwork of laws from state to state, hiring forensic experts to determine the source and scope of the breach, notification costs, identity theft monitoring, and public relations expenses. The prospect of these security event costs – not to mention the possibility of individual or class action lawsuits from affected customers or other third parties – made cyber coverage a no-brainer for many industries. Numerous high-profile breaches of retailers, healthcare providers, and financial institutions highlighted the fact that no one was invincible and reinforced the need for cyber insurance.