About the author
Bob Johnson is the founder and CEO of NAID. He can be reached
Breach Notification Coverage
It is common for data protection liability policies to provide specific coverage for the breach notification response required after a security breach. In fact, the cost of meeting breach notification requirements provided the original motivation for the wave of data protection coverages that flooded
looked for the same coverage from their
states that “the
due to a breach notification event are covered up to a specific amount. That amount may be the full limit of the policy or a percentage thereof, known as a sublimit.
This language is appropriate for a data controller that will bear the costs of a data breach notification event; the service provider, however, will have no such expense. Although the service provider is “the insured,” its regulatory obligation is to notify the data controller. It may be possible for the data controller to later sue the service provider under the provider’s acceptance of liability, but the breach notification coverage that the customer was so careful to make sure the service provider had in place is of no benefit, since the breach does not belong to the insured.
Only now are professional liability products emerging that are specifically aimed at the unique exposures of data-related service providers. Data controllers are advised to verify that their service provider has this coverage because, ultimately, the quality of the service provider’s coverage protects the data
This concludes Part 1 of a series on Risk Management. Read the entire piece, which also covers the role of Service Contracts and Vendor Selection in mitigating data disposition risks, in chapter one of the Information Disposition textbook.