Early cyber policies were intended to cover organizations who accidentally transferred a virus to a third party and were then sued as a result. It turned out that these incidents were rare. This idea that cyber risk would typically take the form of a transferred virus or a criminal hacking into an online network turned out to be incorrect. Instead, the larger risk came from inside an organization – typically in the form of a malicious employee. It turned out that private information was often stolen in paper form. The culprits were not always sophisticated hackers, but regular employees who stole financial information and personally identifiable information (PII) for their own profit. In response, the insurance industry adjusted policies to protect private information in electronic and physical forms. This is a key change that is reflected in cyber policies today. As a board member or property manager, you may maintain the private information of your residents in a variety of forms. It could vary from an excel document listing unit owners, their addresses, and phone number to paper forms that hold unit owners’ bank account or social security numbers. Regardless of how the information is stored, a breach can be quite costly.
Cyber insurance got its start in the late 1990s. According to Insurance created by AIG in 1997. At that had access to the internet and, as
As cybercrime continued to grow, state governments began to pass legislation intended to protect individuals from information leaks. In 2002, California passed the California data security breach notification law. This law required organizations to notify any resident of California whose personal information was obtained by an unauthorized person. Today, all 50 states, DC, Guam, Puerto Rico, and the Virgin Islands have enacted laws that require organizations to notify individuals of security breaches that result in lost private information. The Illinois Personal Information Protection Act (PIPA) requires any data collector (this includes community associations) to notify a resident at no charge and as expediently as possible. Providing these mandatory notifications is costly. In 2017, the average global cost of a data breach was calculated to be $141 per stolen record. So, depending on the size of your association, a data breach could cost your association thousands of dollars in notification costs alone. Luckily these notification costs are insurable. After the regulations were passed, insurance carriers began covering notification costs in their cyber policies. This coverage led to a significant increase in the purchase of cyber policies as organizations began to realize the high costs associated with a breach and the value of insuring it. It has proven to be a vital coverage item – to this day, most of the money paid out under cyber policies has been to cover notification costs.
In addition to notification costs associated with a data breach, an association may also face a lawsuit from one or more unit owners whose information was lost. A unit owner whose personal information was stolen from a community association and/or property manager may take both entities to court to recover damages that occurred because of their mishandling of private information. Because this is typically not covered in a standard General Liability or D&O policy, today’s cyber liability policies may specifically include
www.cai-illinois.org • 847.301.7505 | 43
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60
