The last time I had a separate insurance policy, it covered hardware and software, but not data. It had certainly never occurred to me that someone might need liability insurance against the possibility of erasing someone else’s data when it was stored on your computer. What really blew me away was the idea that an insurance company could require a business or individual to meet particular standards when it came to backup hardware, software, and schedules.
So I asked Charles Wilson of RiskSmart Solutions what he knew about it. Charles is a risk management consultant, which means he advises businesses about likely threats to their assets and how to protect against them.
Charles explained that data is a very tricky thing to insure, because it’s intangible property and can’t normally be assigned a dollar value. (I suppose if one had paid for a particular mailing list or database, it might be possible to insure it for that amount, as if it were software, but I’m only theorizing.) One might, on the other hand, be able to get coverage for the costs of recovering data or lost business time. That would most likely fall into the category of Errors and Omissions insurance, and wouldn’t be covered in an ordinary liability policy, which deals with tangible property and personal injury.
As for insurance companies requiring the insured party to make backups, he’d never heard of such a thing being done, but considered it parallel to the requirement to have working smoke alarms. The insurance agent comes out to make sure that the alarm is in working order before signing the policy, but once the inspection is over, you can take the batteries out of the smoke alarm if you really want to.
Any company which deals primarily with data (such as an internet service provider) would need a special media insurance policy. I went looking for these and found a few. AIG’s netAdvantage Complete, for instance, covers both “information assets” (that’s your data) and “physical theft of data on hardware,” along with web content liability, cyber extortion, and a number of other things. Insuretrust covers both loss of data and loss of income, as well as HIPAA compliance.
I was still curious, though, so I wrote to the editor of Kickstartnews.com, Howard Carson. It turns out that Howard isn’t just an expert on SOHO technology, but a researcher who has done a few insurance investigations. He started by saying that in California (where both Charles Wilson and I work) and in New York, underwriters simply won’t cover data loss, because they’ve had to pay out (or at least process) too many claims. In the rest of the US, in Canada (where Kickstartnews.com is based) and in Europe, however, “most underwriters are prepared to sit down and negotiate data loss insurance.”
Howard went on to provide a very detailed response. I’ll quote the most immediately relevant parts here; you can read the rest on the Kickstartnews.com blog, where he published it on September 3rd.
“Coverages break down into several components, some pre-existing, others representing additions to existing policies. For example, data loss coverage is sometimes negotiated for U.S. and Canadian businesses to cover the cost of data recovery from backups. Data recovery from DLT tape backup systems is often an arduous process which spans many days. A small extra premium paid to increase coverage for general business losses, specifically negotiated to compensate for the 48-72 hours it takes to resurrect a soaked, burned or stolen file server, will benefit a business in many important ways. Note that a business without an effective backup and security system will never be able to negotiate such a premium with its insurer.
“Values of data (and hence the cost of that portion of the insurance premium) are determined in negotiations based on an estimate of the business losses which take place over a predetermined data restoration period. Also considered is the cost of replacement equipment needed to restore data. In many cases, replacement equipment costs have already been folded into general coverage for losses and theft. For small businesses with limited resources, making use of web backup systems (which essentially store data in typically hardened data centers) will be attractive to underwriters.
“Insurers know that the best defense they have against payouts for business interruption is to negotiate business loss coverage which fully integrates the requirement for exacting and consistently reliable data backup and recovery systems. In many cases, loss claims against such policies are settled at amounts much lower than businesses expect. On the other hand, because the original coverage involved assiduously monitored and managed backup systems, actual loss recovery and restart by the business is much faster than anticipated. Some businesses will be able to get what amounts to data loss coverage, others will not. But as you’ve said or implied repeatedly in your blog, real insurance has to take several forms, the most important of which includes rational and unerring daily and weekly data backups.”
What that means in a nutshell is that it’s possible to get insured against the cost of losing your data, but you’re only going to be insured in the amount it would cost you to restore your data if you had up-to-date backups. If your business is out of operation for weeks or your client data is permanently lost because you have no backups, you’re out of luck.
Many thanks to both Charles Wilson and Howard Carson for their input on this subject.