information security and privacy liability coverage

Information security and privacy liability coverage is an insuring agreement contained within policies written to cover claims caused by data breaches.

Additional Information

Such policies are most often termed "cyber and privacy insurance," "information security and privacy insurance," or "cyber-security insurance." This insuring agreement covers the insured's liability for damages resulting from a data breach. Such liability most often results from (1) loss, theft, or unauthorized disclosure of personally identifiable information (PII) in the insured's care, custody, and control, (2) damage to data belonging to a third party that is stored in the insured's computer systems, (3) transmission of malicious code or denial of service to a third party's computer system, (4) failure to timely disclose a data breach, (5) failure of the insured to comply with its own privacy policy prohibiting disclosure or sharing of PII, and (6) failure to administer an identity theft program required by governmental regulation or to take necessary actions to prevent identity theft. In addition, this insuring agreement covers the cost of defending claims associated with each of these circumstances.

The information security and privacy liability insuring agreement is the true liability coverage component of a cyber and privacy insurance policy because it pays actual liability losses sustained from claims made against the insured by various parties. In contrast, privacy notification and crisis management expense coverage addresses the so-called immediate response costs associated with a data breach, making payments on a "no fault" basis and without admission of liability.

Similar to other cyber and privacy insurance policies, information security and privacy liability coverage is subject to an annual aggregate limit and an annual aggregate deductible.