Imagine you are the CEO of a software company and you experience a ransomware attack that not only affects you but also hundreds of your clients? This situation occurred during the summer of 2019 when The Digital Dental Record and PerCSoft collaborated on a software solution for dentist offices called DDS Safe.
According to the technology website ZDNet, ransomware called REvil was spread to hundreds of computers in dentist offices around the country through DDS Safe. While the makers of the software paid the ransom so that these offices could gain access to their systems with important medical records, there were reports of some offices never fully recovering all of their data, and the process was slow and tedious for all parties involved.
How can makers of software and technology companies protect themselves and their clients from these cyber attacks which are growing in severity and frequency? Thankfully, there is a solution – Technology Errors & Omissions Insurance.
Technology Errors & Omissions, or Tech E&O, is a type of coverage that protects technology companies against third-party lawsuits by a customer(s) because of an error or omission discovered in their technology that negatively impacts the customer (s). Tech E&O is specifically tailored to address the unique errors & omissions exposures presented by technology companies; medical doctors, for example, have errors & omissions insurance commonly known as “malpractice” insurance.
A robust Tech E&O policy has a component covering first-party liability damages as well, referred to as Cyber Liability Insurance. Cyber insurance covers the cost for a tech firm to recover from a data breach, virus, or other cyberattack.
Tech E&O policies provide coverage in a variety of ways. A tech firm may have a suit arise because the customer is dissatisfied with the performance of their technology or the customer’s expectations were higher than the capabilities of the product. In other instances, a customer may misuse the software or technology and file a claim, and Tech E&O would cover the legal costs associated with such claim. This is an important aspect of the coverage, the software may not be defective, yet the tech firm will have to defend itself to demonstrate the effectiveness of the software. In the case of DDS Safe, some medical records may have been stolen and sold on the dark web. Tech E&O would cover any liability, up to the limits of the coverage, and pay for items such as credit monitoring for those victims affected as well as any regulatory penalties levied by federal, state, and local authorities.
Below are the coverages a comprehensive Tech E&O insurance policy should contain:
Third Party Coverages
Network Security and Privacy Liability | Covers damages and legal costs a firm suffers for the failure to protect a customer’s or employees’ Personal Identifiable Information (PII)/ Personal Health Information (PHI) such as SSN data, credit card numbers, medical information, or passwords via theft, unauthorized access, viruses, or denial of service attack. In many policies, the loss of PII/PHI on paper files can also be covered.
Breach Management Expenses | Covers costs for an external IT security expert to determine the cause, scope, and extent of the Privacy Breach or Security Breach. This also covers the legal costs associated with notifying affected customers (via phone, letter, or email) in compliance with privacy regulations. Costs for credit monitoring services, identity monitoring services, or identity theft insurance for customers affected can also be covered for a certain number of months.
Regulatory Investigations, Fines and Penalties | Covers the costs of dealing with state and federal regulatory agencies who oversee data breach laws and regulations, including (1) the costs of hiring attorneys to consult with regulators during investigations and (2) the payment of regulatory fines and penalties that are levied against the insured (as a result of the breach).
Media Liability | Covers claims involving alleged media and advertising exposures, including allegedly improper website-related conduct, defamation, slander, libel, copyright infringement, and other forms of intellectual property infringement in the course of a tech firm’s communication of media content in electronic or non-electronic form.
PCI DSS Assessment Expenses | Offers coverage for assessments, fines or penalties imposed by banks or credit card companies due to non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) or credit card company rules. Firms that collect and store customer credit card information should have this coverage. However, even if a third-party vendor, such as Stripe, collects and stores customer credit card information, a firm should still have this coverage to protect against vicarious liability.
First Party Coverages
Business Interruption | Coverage for a tech firm’s earnings lost during a period of restoration resulting directly from a cyber breach. Business interruption sometimes includes coverage for an unintentional or unplanned network outage, due to either human or system error.
Contingent Business Interruption | Coverage for a tech firm’s earnings lost during a period of restoration resulting from a third-party supplier or distributor shutdown whose interruption directly impacts a tech firm’s ability to provide a product or service to customers.
Digital Asset Restoration | Coverage to restore or recreate any software assets to their pre-loss state. Hardware assets are not covered.
Social Engineering & Cyber Crime Coverage | Covers financial fraud loss, telecommunications fraud loss, phishing attack loss, theft of funds held in escrow, or theft of personal fund.
Reputational Loss Coverage | Coverage for reputational harm or earnings loss sustained during a period of restoration resulting directly from a cyber breach. Includes loss of contracts as a result of a breach.
Cyber Extortion and Ransomware Coverage | Reimbursement for cyber extortion expenses and payments directly resulting from a cyber extortion threat.
Breach Response and Remediation Expenses | Provides coverage for a breach response panel of specialists (IT forensics experts, crises communications specialists, legal team, etc.) to respond to a cyber breach.
You may ask, how do the insurance markets price Tech E&O? The coverage is rated on the following four factors:
-
- Revenue of the tech firm. The higher the revenue, the greater the exposure and “funds at risk” so the premium would be higher.
- The industry of the tech firm. The healthcare industry, for example, has more expensive insurance premiums given the nature of liability involved with health data at stake.
- History of ANY past claims related to data breaches.
- The limits of coverage desired, as well as the retention (deductible.) Limits can range from $1 Million, $3 Million, $5 Million, $10, Million, etc. Retentions can range from $2,500, $5,000, $10,000, etc.
According to IBM, the average cost of a data breach for a U.S. company was $3.9 Million in 2019. These data breaches have long tails; on average 67% of the costs were incurred in the first year, 22% in the second year, and the remaining 11% during the third year. If a technology company is hesitant about procuring a robust Tech E&O policy due to cost, the bigger question to consider is if they can afford NOT to have Tech E&O.