
Notification Costs

First-party cyber coverage for expenses to notify affected individuals, regulators, and credit agencies after a data breach.

What It Is

Notification costs coverage is a first-party insuring agreement that pays expenses associated with notifying individuals, regulators, and other parties after a qualifying data breach. Covered expenses typically include printing and mailing notification letters, setting up call centers to handle inquiries from affected individuals, providing credit monitoring or identity theft protection services (usually 12-24 months), and filing notifications with state attorneys general and other regulators.

The cost per affected individual varies by state requirements and the sensitivity of the data involved. Industry benchmarks range from $3 to $8 per record for basic notification and credit monitoring, with healthcare breaches at the higher end due to HIPAA requirements and the sensitivity of PHI. For large breaches, notification costs can be the single largest expense category.

Notification coverage may be subject to a separate sublimit or included within the overall first-party coverage limit. Some policies cap the duration of credit monitoring at 12 months, which may be insufficient in states like California that require 24 months for certain breach types. Policies also typically require that the insured use the carrier's approved vendors for notification services, which can provide cost efficiencies through pre-negotiated rates.

Why It Matters for Brokers

Notification costs are often the first and most predictable expense after a breach, and they can quickly consume policy limits on small to mid-market accounts. Brokers must estimate potential notification costs based on the client's data volume and match coverage limits accordingly. Underestimating the number of records at risk is a common planning failure that leaves clients underinsured for this basic breach expense.

Real-World Example

An accounting firm with 15,000 individual tax clients suffers a breach exposing Social Security numbers and financial data. Notification costs include $67,500 for printed letters and postage at $4.50 per record, $45,000 for a 90-day call center, $337,500 for 24-month identity theft protection at $22.50 per person, and $12,000 for regulatory filings in 8 states. Total notification costs: $462,000. The cyber policy's notification sublimit of $500,000 adequately covers the expense.

Common Mistakes

  1. Sizing notification coverage based on active customers only, without accounting for former customers, employees, and other individuals whose data is retained.
  2. Overlooking the policy's approved vendor requirement, which can result in the carrier refusing to reimburse costs if the insured engages its own notification vendor without prior approval.

How brokerageaudit.com Handles This

brokerageaudit.com's Policy Checker calculates estimated notification costs based on the insured's reported record count and applicable state requirements, then compares that estimate against the policy's notification sublimit. The system flags when the sublimit appears insufficient and recommends limit increases during the renewal process.
