Consider the following points if you decide to shop for cyber insurance.
KNOW THE DIFFERENCE BETWEEN FIRST-PARTY AND THIRD-PARTY COVERAGE
Data breach policies generally provide two broad categories of coverage: first-party coverage and third-party coverage.
First-party coverage is for losses the policyholder incurs directly, such as the costs of investigating the cause of a breach, restoring the company’s reputation and notifying affected customers, as well as follow-up costs such as credit monitoring services.
Third-party coverage kicks in when a policyholder (the company) is sued by someone (a customer) claiming to have suffered a loss resulting from the data breach and alleging the policyholder was at fault for allowing the breach to occur. This coverage encompasses the costs of defending against litigation and of any judgments or settlements up to policy limits.
Startups can buy data breach insurance policies that offer both types of coverage or policies that cover only one or the other. Omitting third-party coverage can be risky. In Innovak Int’l Inc. v. Hanover Ins. Co., a software developer had purchased a data breach policy as a supplement to its commercial general liability insurance policy.
The supplemental policy stated that the insurance company would provide certain coverage for losses related to data breaches but that it would not cover expenses arising from lawsuits against the developer. In other words, the policy provided first-party, but not third-party, coverage. While the policy was in effect, hackers accessed the developer’s database and stole users’ personal information, including Social Security numbers, addresses and employment information.