Data Privacy Liability: Key Considerations

Over the past year, we have seen many cases of the devastating impacts of a data breach. From May’s WannaCry ransomware attack that affected National Health Services hospital operations in England to the Equifax breach that compromised the Social Security numbers, driver’s license numbers, and other personally identifiable information of upwards of 143 million consumers, many individuals have seen their lives negatively impacted by data breaches, and many businesses have found themselves in a position of responsibility for the damages. Further, there are thousands of data breaches and cyber-attacks targeted at small businesses, non-profits and public entities on a local level that never appear in the national news. Having a Data Breach/Data Privacy Liability policy can be a strong defense against many of the liabilities associated with cyber-attacks, but simply having the policy is not enough. As one works to protect one’s business against the liabilities of a data breach, it is important to make sure that the ins and outs of coverage are clearly understood and tailored to one’s business risks.

Common Breach Causes

It is a common misconception that cyber-attacks and data breaches are the work of elite super-hackers with technical skills far beyond those of the average person. Such attacks do occur, but they are less common than “low-tech” breach incidents; in fact, the majority of data breaches result from exploiting an already insecure network, social engineering, or human error. Improperly storing sensitive customer data (such as bank and credit card information), falling for simple phishing emails, downloading suspicious files, and granting access to the wrong people are far more likely to result in a breach than a targeted attack from a faraway assailant.

As technology has evolved and cyber-attacks have become a more pressing issue, new legislation has been drafted to address the ramifications of a breach, specifically addressing who will be liable and what they will be liable for. Many federal and state laws require that entities protect personally identifiable information (also referred to as PII; this typically includes the individual’s full name, Social Security number, driver’s license or other state ID number, and financial account information) regardless of where it is stored.

In addition, 47 states as well as the District of Columbia, Puerto Rico, Guam, and the Virgin Islands have notification laws that mandate that organizations must notify individuals whose personally identifiable information has been breached. These laws typically encompass who must comply, what can be considered personal information, the definition of a breach, requirements for who must be notified as well as when and how, and any exceptions to the above regulations.

What Is and Isn’t Covered

Many cyber liability policies cover both first-party and third-party liabilities: the direct costs of responding to a breach as well as the cost of any third-party claims or lawsuits brought against the business. The following is a non-exhaustive list of some of the areas of coverage that may be addressed on a properly structured Data Privacy (or Cyber Liability) insurance policy.

  • Defense and damages associated with third-party lawsuits
  • Regulatory fines, penalties, compensatory awards and associated defense costs
  • “First Party” costs associated with responding to a breach, such as:
    • Computer forensic and investigative costs
    • Breach notification costs
    • Identity protection services and call center costs
    • Crisis management and public relations costs
  • Cyber extortion response costs
  • Hacker damage/data recovery costs
  • Cyber business interruption

Not all Data Privacy/Cyber Liability policies are created equal, so it is important to work with a knowledgeable broker when structuring coverage.

About NorthStar Insurance Services

NorthStar Insurance Services, Inc. is an independently-owned insurance agency founded in 1995. As one of New England’s largest independent insurance agencies, we take a hands-on, personalized approach to servicing our clients and providing industry expertise and solutions for businesses, individuals, and families. To learn more about how we can help you with your insurance needs, give us a call at (800) 301-1944.