Home > Credit Card Processing

Should You Buy Data Breach Insurance For Your Business?

By Phillip Parker

Data Breaches Threaten Every Business

Insurance image
© Depositphotos – Andrea Danti

Cyber crime is a growing problem for large and small businesses alike. Although major corporations like Target and Home Depot have suffered the highest-profile data breaches in the past few years, nearly 20% of confirmed data loss incidents in 2015 occurred at businesses with fewer than 1,000 employees. And while the finance and healthcare industries remain major targets for cyber criminals (constituting 44% of breaches in 2015), the retail and service sectors weren't far behind, combining to account for just over 20% of confirmed breaches in 2015. The average cost of a data breach in 2015 was $217 for each lost or stolen record—far more than most small business owners could ever recover from. In other words, cyber security is an issue that can affect businesses of all sizes and industries.

To protect against devastating security breaches, some business owners might consider purchasing data breach insurance policies. General liability business insurance typically does not cover instances of data theft, so modern cyber insurance policies often consist of a customized set of coverages specifically designed to cover the potential costs of lawsuits, investigations, regulatory penalties, advertising, and customer notification. These policies are relatively new for the insurance industry and are generally tailored to finance and healthcare merchants, but they could potentially have value for other small business owners. If you're a merchant who is planning to shop for data breach insurance, you should ask the following questions.

What does the policy cover?

The costs of a data breach can be wide-ranging, and any data breach insurance policy worth its premiums will offer a range of coverages that address your needs. Possible expenses following a data breach include regulatory fines handed down by Visa, legal fees related to customer- or bank-initiated lawsuits, breach investigation fees, breach management costs (such as notifying customers), advertising expenses to restore consumer confidence, and security costs incurred prior to or after the breach. All of these potential costs (and others, depending on your business type) should be accounted for in your policy.

In general, you should make sure that your policy aligns with your areas of greatest risk. If you are in the healthcare industry, for example, you will want a policy that insures against the costs associated with a HIPAA violation. Similarly, if your business relies on just a handful of regular customers, then the costs of customer notification following a breach will likely not be very high. You may be able to secure better coverage for your business's weak points if you're willing to accept less coverage in your business's low-risk areas.

What doesn't the policy cover?

Be on the lookout for clauses that enable the insurer to get out of paying under certain circumstances. Possible instances that may not be covered under a standard policy include third-party negligence (i.e. if you outsource your payment processing to a third party and they are breached), paper record theft, unencrypted data theft, failure to regularly scan or update your systems, breaches through employee-owned devices, and government-imposed fines. In the event that your third-party vendor is breached, the vendor may have an insurance policy that covers any costs related to a breach. You should ask your vendors whether they carry such a policy and consider getting your own policy (or switching vendors) if they don't.

There may also be sub-limits found in your policy's fine print that dramatically reduce how much of a payout you receive in specific instances. For example, you may have a $1 million general liability policy, but only $50,000 of that policy will be applicable to regulatory fees. It's important to ask whether these sub-limits apply, as insurers may or may not impose them.

Does the policy include preventative security assistance?

A breach is in neither your interests nor your insurer's. For this reason, your policy may offer assistance with maintaining proper on-site data security measures. This assistance could take the form of subsidized security audits, installation of fraud monitoring software, employee training, network security assistance, or response planning. Insurance companies are gradually catching up to technology and payment processing experts in their knowledge of the industry, and they may be able to alert you to an unforeseen vulnerability at your business.

Can you qualify for low premiums?

Certain business environments are inherently riskier than others. If your point-of-sale system encrypts card data at the moment it is swiped and then sends that data off-site, it is much more secure than a system that stores unencrypted data on your own servers. Similarly, if you maintain stringent password protocols and regularly scan your systems for malware, your cyber crime exposure is lower than that of a business that grants its employees unrestricted access to sensitive customer data. These difference matter to insurers, and they could help you secure lower monthly premiums that make data breach insurance affordable for you. If you apply for a policy, be sure to ask questions about the kinds of precautions you can take to qualify for a lower premium.

 

Insurance Is Not A Substitute For Security

By asking the right questions and making a full assessment of your business's vulnerabilities, you can secure an affordable, effective data breach insurance policy. However, just because you're insured doesn't mean that you can ignore data security. Insurance markets are ever-changing, and a single breach incident on your record can confine your business to sky-high premiums for the rest of its lifespan. A good data breach insurance policy is just a safety net to keep you in business when the worst happens. Whether the worst happens is up to you.

For more information about data security, see our list of six ways hackers can steal your data and our guide to finding and fixing your point-of-sale system's security flaws.

About The Author

Phillip Parker

In the late 2000s, as a broke college student struggling to make ends meet, I was contacted by a merchant services company after uploading my resume to a job listings website. This company promised substantial commissions and ongoing residual income for simply persuading businesses to accept credit card payments. It seemed straightforward enough—after all, what business doesn’t need to process credit card payments? Following a phone interview with a persuasive “sales director,” I found myself embarking on what I believed would be an easy job that would significantly boost my bank account with reliable monthly income and large sales commissions. However, the lessons I learned would profoundly change my life in ways I could never have imagined.

After completing my sales training, I hit the ground running, eager to make sales. This broke college student was determined to improve his financial situation! My first attempt at a cold call, with no prior appointment, ended with a burly man in his 50s yelling at me to leave, claiming he had been “totally robbed” by someone like me before. As I hastily exited, puzzled and intimidated by his reaction, I couldn’t help but wonder what he meant. Throughout the day, I encountered similar hostility from other business owners, all expressing disdain for the industry I had been so excited to join that morning. Confused and curious, I decided to shift my approach from selling to listening.

I quickly uncovered that the merchant services sector was riddled with unethical practices, including hidden fees, deceptive marketing, fine-print traps, and much more. It dawned on me that I had nearly been tricked by a dubious company into selling overpriced services under contracts with long-term commitments, all without being fully aware of what I was promoting. Outraged, I resigned from that company but learned that there were indeed ethical credit card processing companies that treated their clients fairly. Over the next four years, I worked for one such company, assisting hundreds of businesses in securing cost-effective processing solutions. Yet, I also met many more who had been misled and trapped in onerous service agreements. Determined to help people steer clear of these unscrupulous providers, I launched this website in my spare time, dedicating myself to researching and sharing my findings on every merchant account provider I could investigate.

Gradually, more and more business owners began to discover my articles. As word spread, search engines started to rank my content highly, amplifying its reach. My efforts were making a difference! Eventually, the website garnered enough traffic to enable me to leave my job and focus on it full-time, a journey that has now spanned over a decade. This path has not been without its challenges; unscrupulous company owners have tried to intimidate and sue me into silence on several occasions. Yet, I have stood firm against each threat. Here I am, continuing to publish reviews and articles, hoping to safeguard others from the pitfalls of the credit card processing industry.

If you believe in my mission and wish to contribute, please share my articles on your websites and social media. Thank you for visiting!

Follow Phillip Parker

Reader Comments

Tell Us What You Think

Tell Us How They Treated You

Sharing your experience influences our rating and helps other business owners make informed decisions. Please take a moment to tell us if they are serving you well. Your email address will never be published, shared or sold. We only use it to authenticate that you are a real person and, if you select the option for it, to let you know if someone replies to your comment. Required fields are marked *

Comments must contain details about your experience. Please do not use ALL CAPS. Self-promotion, marketing content, or contact information of any kind will not be published. By submitting a comment, you are agreeing to our Comment Policy

Copyright

Copyright © 2024 CardPaymentOptions.com, Inc. (Digital Fingerprint: 0d38c6720f0d78a701b74d58653af608). Getting paid to re-write this page? Click here to earn a reward.

Any unauthorized copying and reproduction of the content of this page, including all meta data and computer code, is strictly prohibited. While the information in the above article is believed to be accurate as of its publish date, the author and publisher make no representation or warranties with respect to the accuracy, applicability, fitness, or completeness of the contents. The author and publisher shall in no event be held liable to any party for any direct, indirect, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of this material, which is provided “as is,” and without warranties. Any and all use of trade names and/or marks are for identification purposes only and shall not be construed as a claim of affiliation, or otherwise, with CardPaymentOptions.com, Inc. ("CPO") in any form. The sole purpose of the material presented herein is to alert, educate, and inform readers. It is not intended as legal or financial advice. We may earn revenue if you obtain services from a provider that we recommend. See this page to learn how we support our operations.