Why business insurance is the key to avoiding an expensive data breach

Tamara E. Holmes

It seems every other day another business is hit with a data breach that exposes the personal information of its customers.

But while large national retailers may be making the headlines, small mom-and-pop businesses may be the most vulnerable.

According to the National Small Business Association, 44 percent of small businesses have been the victim of a cyberattack. Of those small businesses, 8 percent either had sensitive data stolen or business bank accounts accessed.

"Given that large sophisticated multinational corporations like Target and Home Depot can be breached, certainly a small business should be taking a very serious look at their own systems to see how secure they are," says Jason Oxman, chief executive officer of the Electronic Transactions Association, a trade association for the payment processing industry.

Why are small businesses more vulnerable to data breaches?

Small businesses typically don't have the resources large companies have to deal with the fallout from a data breach, says Lynn LaGram, assistant vice president of small commercial underwriting at The Hartford.

The costs of a data breach can be staggering. According to the nonprofit Insurance Information Institute, the average total amount U.S. companies lost in 2014 as a result of a data breach was $5.9 million.

That includes not only the costs associated with the breach itself, but the costs of lost business due to customers losing confidence in the business's ability to protect their information.

While we typically hear about data breaches caused by hackers and cyber criminals, they can also occur accidentally, for example, if a laptop is lost or an email with sensitive information is mistakenly sent to the wrong person, LaGram says.

The fallout can be extremely serious.

Any business that deals with sensitive information such as Social Security numbers, credit card data or medical information can be held liable for fraud resulting from the disclosure of customer information and possibly "subject to civil and criminal penalties if they didn't properly secure information," Oxman says.

How business insurance can guard against data breaches

To meet the needs of vulnerable businesses, insurers have developed policies to protect firms from cyber threats and data breaches. Any company that has access to sensitive information about its customers, such as Social Security numbers, bank and credit card numbers and medical information, should consider such a policy, LaGram says.

Data breach insurance covers two different types of expenses:

1. Response expenses are those directly related to a business's handling of the breach, such as the costs of contacting customers to let them know about it or the costs of providing credit-monitoring services that track affected customers' credit reports for fraudulent charges or identity theft.

2. Third-party expenses are those related to legal liability, LaGram says. So if a customer sues your business because their personal information was stolen, the insurance would cover legal and settlement costs.

For example, at The Hartford, small businesses can buy between $10,000 and $100,000 in response expense coverage and between $50,000 and $500,000 in third-party expense coverage. While that might not be enough insurance for a national retailer, it could be sufficient for small businesses.

According to the National Small Business Association, the average cost for a small business that had experienced a breach resulting from a cyber-attack was $8,699.48.

Other insurers have different limits of coverage. For example, business insurance company Hiscox sells data breach policies that offer up to $10 million in coverage.

The cost of insurance to cover cyber risks and other data breaches varies depending upon the size of the business and the scope of the coverage -- but according to the III, premiums can range from a few thousand dollars to several hundred thousand dollars a year.

Don't have business insurance? How much a data breach could cost you

The premiums and deductibles pale in comparison to what businesses could be responsible for if they don't have insurance.

According to a 2013 study by cyber risk assessment company NetDiligence, the average amount businesses of all sizes spent on services related to a data breach -- such as determining how the breach happened, notifying customers and offering credit-monitoring services -- was $737,473.

The same report found that the average cost for mounting a legal defense in a lawsuit was $574,984. While those numbers might be smaller for a mom-and-pop business, the costs could still prove damaging.

There has been a steady rise in concern about data breaches in the business community. In fact, the percentage of companies purchasing cyber risk insurance policies jumped 21 percent between 2012 and 2013, according to risk-management firm Marsh USA.

Steps you can take to protect against data breaches

Buying insurance isn't the only safeguard. Small businesses can also take steps to lower their risk of experiencing a data breach in the first place.

Any small business that accepts credit or debit cards is expected to comply with the Payment Card Industry Data Security Standard, a set of basic guidelines designed to keep transactions safe.

Things small businesses can do include:

  • Install firewalls to protect data stored on your systems.
  • Store customer data on a different computer than one used to browse the Internet or access outside information.
  • Change computer passwords regularly.
  • Make sure your anti-virus software is up to date.

While it might take some time and effort to secure your systems, it's well worth it, experts say.

"The cost of securing a small business's systems is guaranteed to be lower than the cost of a breach and trying to deal with the consequences," Oxman says.
