Data Breach
Unauthorized access to or disclosure of personally identifiable information or protected data held by an organization.
What It Is
A data breach occurs when personally identifiable information (PII), protected health information (PHI), or other confidential data is accessed, acquired, or disclosed without authorization. In the insurance context, the definition of a breach is critical because it triggers the insured's notification obligations under state and federal laws and activates first-party and third-party coverages under a cyber policy.
Breach definitions vary by policy form. Some define a breach narrowly as unauthorized access to electronic data, while others include paper records, oral disclosures, and even employee snooping. The trigger may be actual unauthorized access or a reasonable belief that access occurred. Brokers must compare policy language carefully because the breadth of the breach definition directly controls whether a given incident is covered.
All 50 US states plus DC now have breach notification laws, each with different thresholds for what constitutes notifiable PII, timeframes for notification (ranging from 30 to 90 days), and penalties for non-compliance. Federal regulations like HIPAA and GLBA impose additional requirements for healthcare and financial services clients.
Why It Matters for Brokers
Brokers advising commercial clients must understand how each carrier defines a data breach because that definition determines the scope of coverage. A policy that covers only electronic data breaches will not respond when an employee loses a box of paper records containing Social Security numbers. Additionally, brokers need to match the policy's notification cost coverage to the applicable state laws where the client's customers reside, not just where the client is headquartered.
Real-World Example
A mid-market e-commerce retailer with customers in 38 states discovers that a vulnerability in its checkout page exposed 82,000 credit card numbers over a four-month period. State notification laws require individualized letters within 30-60 days depending on the state. The cyber policy's breach response coverage pays $4.50 per record for notification and credit monitoring, totaling $369,000, plus $85,000 for a breach coach attorney to coordinate multi-state compliance.
Common Mistakes
1. Placing coverage based solely on the client's home state notification law while ignoring the states where affected individuals actually reside.
2. Overlooking the policy's requirement for a specific breach determination process before first-party coverages are triggered.
How brokerageaudit.com Handles This
brokerageaudit.com's Policy Checker cross-references the insured's customer footprint against breach notification requirements and validates that the cyber policy's per-record sublimits and aggregate limits are sufficient for the estimated exposure. The COI Manager tracks cyber coverage status across all accounts so brokers can quickly identify clients lacking breach response coverage during renewal season.