The Internet has dramatically changed the way most companies operate. For many businesses, their insurance may not have kept pace with their exposure when it comes to the rapidly evolving and emerging world of cyber liability. Restaurants are no exception.
In the last few years, it has become commonplace for restaurants to use the Internet in many different ways to promote and to operate their businesses. Any given restaurant will likely have its own website, a Facebook and/or Twitter account, an Internet-connected computer network at one or more office or restaurant locations, and an electronic payment processing system (credit card or e-check). The owner, manager or other employees may own laptops that contain customer information. Some restaurants have a frequent diners club that may require customers to enter credit card information on a website. In addition, restaurants may sell food products or other merchandise online.
These are all useful business tools but they also may leave a restaurant exposed to risk that is not covered under a standard commercial insurance policy. Typical general liability policies often do not cover activities associated with website publishing or network security, for example. Common cyber risk exposures include, but are not limited to:
- Data/security breach
- Copyright or trademark infringement
- Data destruction and/or corruption as a result of a virus
- Cyber extortion
- Hackers, worms, and other cyber meddlers
- Firewall and network security attacks
Restaurants that regard cyber risk coverage as optional may not be accurately assessing their potential uninsured exposure. The cost of cyber liability losses can add up quickly. For example, according to a widely-cited 2009 Ponemon Institute Study, the average business loss from a lost laptop is $49,276 and most of that expense is associated with the cost of a data breach.
It behooves any insurance agent to review with his or her restaurant clients the current coverage in relation to potential cyber liability exposures based on the nature and size of the operation. There are a number of key areas to include in this assessment. (Note – this list is not all-inclusive.)
A restaurant that maintains a website may be held liable for wrongful acts associated with the content posted on that web site. A wrongful act may include (but be limited to) actual or alleged errors, misstatements or misleading statements that result in an infringement of another’s copyright, trademark, service mark or right to privacy.
Restaurants that maintain a computer system that is connected to the Internet have a potential liability due to a breach of that system. Unauthorized access may result in the dissemination of personal information held on the computer system and/or the transmission of a virus to a third party. Additionally, the restaurant may incur costs to replace or restore electronic data or computer programs that are damaged or destroyed as a result of a security breach.
Cyber extortion is a crime involving an attack or threat of attack against an enterprise, in combination with a demand for money to avert or stop the attack. Cyber extortion may take different forms including the use of software that encrypts a victim’s data and then the cyber criminal demands money for the decryption key. Cyber extortion may also include threats to publish a client’s personal information or destroy or corrupt records. In recent years, incidents of cyber extortion have grown significantly and the criminals often operate from countries other than those where their victims are located thus making it difficult to prosecute.
Loss of Income
A restaurant may experience a loss of business income and/or extra expense as a direct result of an e-commerce incident. For example, if a virus or other malicious attack damages or destroys a computer system vital to the restaurant operation, it may result in a shut down of operations for a period of time and a corresponding loss of income.
Security Breach Expenses
Insurance agents should be familiar with Data Breach Notification Laws in the state (or states) where they operate. The cost of compliance with notification laws can be a major expense for a business to absorb. When evaluating possible insurance products to address cyber risk, it is important to consider what services the product includes for dealing with the potentially devastating consequences of a data breach. Most businesses will need outside expertise to manage the crisis and to ensure they are meeting regulatory requirements. The leading insurance products today include assistance with tasks like developing an incident response plan and sending notifications to affected people, credit bureaus and government offices. Some insurance carriers provide data breach services via a third party firm that specializes in assessing, mitigating and managing a breach crisis.
Public relations expense is another area that it would be wise to consider. A restaurant may suffer damage to its reputation in the event negative publicity results from an e-commerce incident. The most comprehensive insurance policies will provide coverage for public relations expenses related to protecting or restoring the reputation of the business.
Cyber Risk: E&O Threat or Opportunity Knocking?
The emerging area of cyber risk presents an opportunity for an insurance agent to differentiate him or herself from the competition. The agent who understands the exposures and the available insurance products can provide a valuable service to his or her clients and prospects. On the flip side, the uneducated agent may experience a potential errors and omissions risk if existing clients do not understand the cyber risk exposures that are not covered by their current insurance program. Further, that same agent is missing the potential marketing opportunity that cyber risk represents.
Every restaurant that keeps electronic data and also uses the Internet to conduct e-commerce or general business operations has an exposure. Are you ready to educate your clients?
Heidi A. Strommen is president of ProHost USA, Inc., a specialty insurance program administrator in Minneapolis, Minn. She can be reached at 952-924-6973 or by e-mail at HStrommen@ProHostUSA.com.