What does this mean from an insurance standpoint? Cyber insurance policies typically provide "first-party" coverage for the costs of data breach notification, but often contain very low sub-limits on that coverage. In a state like Washington, with a weak data breach notification law, a business could in theory get away with a low sub-limit because only in a rare set of circumstances would broad-based notification be required. That will no longer be the case, so those sub-limits, and any other restrictions placed on notification coverage, need to be re-examined. And of course, if your business lacks cyber coverage entirely, it is time to explore your options. The most recent data on the cost of data breaches indicates that the cost of notification is the fourth-biggest category of impact from a data breach (after lost reputation, lost time/productivity, and the cost of new technology). By comparison, the cost of regulatory fines and lawsuits was tenth in the ranking of impacts on businesses experiencing a breach. The conventional wisdom is that a business should expect to spend at least $188 per record on notification and similar first-party response-related costs. Given the number of records routinely stored by businesses, particularly those in the online retail or cloud computing sector, it is easy to see why low sub-limits could be a huge problem if a breach occurs. So check your policies, and call your insurance advisers, to get ahead of these changes in the law in Washington.
P.S. Speaking of Washington, not 48 hours after news broke this week of a major data breach at Premera in Washington, a class action was filed. But the cause of action -- breach of contract -- may cause coverage problems. The liability portions of cyber policies often exclude breach of contract actions. One more reason to check those policies.
Update April 22: The bill has passed and is now awaiting signature by the Governor.