Privacy Notification and Crisis Management Expense Coverage
Definition
Privacy Notification and Crisis Management Expense Coverage — an insuring agreement contained within policies written to cover claims caused
by data breaches. Such policies are most often termed "cyber and privacy
insurance," "information security and privacy insurance," or
"cybersecurity insurance."
Privacy notification and crisis management expense coverage includes the cost
of (1) hiring a forensics expert to determine the cause of the breach and
suggest measures to secure the site and prevent future breaches, (2) hiring
a public relations agency to assist the insured in dealing with the crisis, (3)
setting up a post-breach call center, (4) notifying affected individuals whose
personally identifiable information (PII) has been compromised, (5) monitoring
these individuals' credit (usually for 1 year), and (6) paying the costs to
"restore" stolen identities as a result of a data breach (e.g.,
expenses of notifying banks and credit card companies).
Privacy notification and crisis management expense coverage addresses the
so-called immediate response costs associated with a data breach. This insuring
agreement makes payments on a "no fault" basis and without admission
of liability (as is the case under "medical payments" coverage,
included in a homeowners or personal auto policy (PAP)). The intent of such
payments is to discourage affected customers from making claims associated with
a data breach. In contrast, the information security and privacy liability
insuring agreement is the true "liability" coverage element of a
cyber and privacy policy since it responds to lawsuits and pays liability
losses from claims made against the insured by various parties.
Similar to other cyber and privacy insurance policies, privacy notification and
crisis management expense coverage is subject to an annual aggregate limit and
an annual aggregate deductible.