Should you open a formal identity theft insurance policy for your business? The data indicates you’re taking a big risk if you don’t.
An earlier study by Ponemon Institute and Hartford Steam Boiler stated that 55% of U.S. small companies have experienced a data breach.
Conventional wisdom suggests that small companies aren’t an attractive target for identity theft, but that’s a misleading – and dangerous – myth. Ponemon reveals that in one instance, identity thieves lifted 20,000 credit card accounts from an online retail site. In another case, fraudsters made off with the records of 10,000 patients, including their credit scores, from a physician’s practice.
Symantec, which has also sponsored a study on business I.D. theft, says smaller firms are vulnerable to hackers and fraudsters for myriad reasons. “These organizations tend to be operating with the tightest budget for security and staff, they have business connections to larger companies through partnerships and products, and the data they are storing and transmitting is still very useful to nefarious individuals,” the company states.
In response to the growing number of identity theft victims, many insurance companies have begun offering formal policies designed to help victims clean up the mess left by the crime. The fact is, most identity theft policies are a good “risk management” deal for small businesses. That said, some business owners do need I.D. theft insurance more than others.
Case in point: If your company handles sensitive customer financial data, such as Social Security data, bank and credit card accounts, or any health and medical records, you’re already a potential target for I.D. fraudsters.
Coverage Matters: The Difference Between Response Expenses and Third-Party Expenses
Here’s where data breach or business identity theft insurance can make a big difference.
By and large, such insurance kicks in when a data breach happens. Policies vary, but most cover expenses incurred in handling a breach, and can cover identity theft losses for as little as $10,000 or as much as $1 million.
Premiums vary as well. Depending on your company’s state, city or town of residence, annual sales, the type of industry your firm operates in, and the level of data breach protection tools you already have in place, you can pay as little as $10 monthly for minimal coverage.
When you buy data breach insurance, you’re primarily looking at two cost issues — “response expenses” and “third-party expenses,” both of which are covered by business data breach insurance. Here’s how each breaks down:
Response expenses – Data breach insurance covers expenses linked to post-breach costs, like tracking down customers and informing them of a data breach. Hiring a credit tracking firm to monitor customer credit reports to see if their FICO scores decline as a result of a data breach is also covered as a response expense.
Those costs can really add up. NetDiligence, a data breach analytics firm, states that the median cost for “crisis services” (forensics, notification, credit monitoring, and legal guidance) in 2013 was $209,625, while the average cost was considerably higher at $737,473.
Third-party expenses – If your company is sued after a data breach event, third-party expense insurance can help bail you out, primarily by taking care of any legal liability costs, including claims. Those costs can hammer a company’s bottom line. NetDiligence states, “The median cost for legal settlement was $22,500. The average cost for legal settlement was $258,099.”
Ignoring Data Creates a Big Risk
Still, only 3% of small businesses actually carry data breach insurance, according to InsureOn, a business insurance services provider. That’s mostly because cyber liability insurance is relatively new to businesses, and because most small business owners “gravely underestimate their cyber liability risk,” InsureOn states.
That leaves 97% of U.S. small businesses without data breach or cyber liability insurance, and that’s a figure that has to change, especially in an era where cyber crimes are rising to the top of small businesses’ operational risk list – and rising fast.