An employee cost his company $1 million in compliance fees when he decided to veer off his normal route and dump bags of confidential bank and hospital documents in an open field as opposed to taking them to the shredding facility. Fortunately the bags were found before anyone could get to the sensitive information. Even so, the company was required* to provide notification and credit monitoring to potentially affected individuals because the data could have been breached. The paper shredding company began the arduous task of notifying each individual about their exposed information and offering credit monitoring services to banking customers and hospital patients.
While this case didn’t result in a formal lawsuit, it carried a high price tag since the company was required to comply with government regulations. Thanks to the cyber insurance policy that the company previously retained through HUB, they paid their deductible and the policy took care of the difference, a cyber claim of over $1 million for customer notification and credit monitoring costs.
As with any breach event, there's no one-size-fits-all approach to cyber coverage. In this case, the shredding company emerged relatively unscathed because their cyber claim was covered by appropriate coverage limits and pre-negotiated exclusions. Without such comprehensive coverage, a cyber event, especially one worth over $1 million as in this case, could be crippling.
* Under the federal HITECH Act of 2009 and Texas state law