Cyber Liability Risk

Cyber Liability Risk and Defending Against It!

www.multi-housingnews.com August 2013

Multi-Housing News | August 2013

Cyber Liability

Understanding the risk and defending against it

By Kevin D. Smith, CPCU, ARM, The Graham Company

Image by Vertigo3d/iStockphoto.com

Among the many risks that property owners must manage is the risk of cyber liability. Years ago, privacy of residents’ personally identifiable data was confined to filing cabinets and office computers, but now this data exists electronically in the cloud, on laptops, smartphones or tablet devices often in addition to the paper files. Access points are everywhere, and the information can be easily transmitted. What’s more concerning is that cyber criminals are on the lookout for this data, and they are becoming more sophisticated every day. If that is not enough to worry about, state and federal regulations are being enacted that require a duty of care for this data, and complying can be difficult.

Cyber liability insurance is relatively new and has become the fastest growing line of coverage over the last 10 years. Few industries are immune to the risk of data breaches that can include customer, vendor or employee data. As with any risk, it is relative to the type and amount of exposure an individual company faces.

For property owners and managers, the amount of data collected on employees, residents or prospective residents can be immense, and a breach of this data would not only be embarrassing but also costly. Cyber liability insurance can provide a level of protection from this emerging risk and should be evaluated as part of any risk management program.

Cyber liability policies

Cyber liability policies are designed to cover a company for a loss or breach of personally identifiable information. Traditional insurance policies were not designed to cover these types of exposures, so any coverage you might find under your general liability, professional liability, crime or property policies or even a directors’ & officers’ liability policy written for a privately held company will either be very limited or simply accidental. Some carriers might offer you an endorsement to provide coverage for a specific component of your cyber liability exposure, but it is usually not as comprehensive as buying a separate policy.

Here are several reasons why your traditional insurance policies might not respond to a cyber liability claim:

■ General liability policies do not respond to claims for damage to intangible property (there is also typically a specific exclusion for claims arising out of electronic data)

■ General liability policies typically exclude claims arising out of “blogs” you own or host

■ Property policies only provide loss of business income coverage if there was direct physical damage caused to your property (not caused by hackers or rogue employees who shut down your website or computer systems or the systems of a service provider you rely upon to conduct your business)

■ Crime policies do not respond to claims for damage to intangible property (there is also typically a specific exclusion for loss of confidential information)

■ Private company directors’ & officers’ liability policies typically exclude claims arising out of bodily injury (including emotional distress), property damage and specific types of personal injury

■ No traditional insurance policy currently provides coverage for the expenses associated with notifying affected individuals when their personally identifiable financial or medical information was breached while in your care, custody or control

These are just some of the hurdles to overcome in order to find coverage for cyber liability claims under a traditional insurance policy.

Evaluating costs

Costs resulting from a breach can vary greatly, and when you take into account lost revenue or reputational damage, they can be significant. The costs associated with the breach include defense and judgment costs from lawsuits as well as notification and credit-monitoring expenses. Consider just the costs of notification and credit monitoring for a multifamily property manager with 3,000 residents. The cost of notification and credit monitoring after a breach can range from $30 to $50 per person. If the data lost compromised 3,000 records, these costs alone would be over $100,000.

Policies can be structured to provide limits anywhere from $1,000,000 to $10,000,000 or more, with various deductible and coverage options to tailor the policy to fit the coverage and cost needs of the insured. Premiums will vary and will be dependent upon the amount of coverage, size of your organization, type of data collected and security measures in place. Generally, policies will start around $10,000 for $1,000,000 in limits.

Some of the exposures and costs that can be covered under a well-structured cyber liability policy include:

■ Information security and privacy liability for failure to protect personal or corporate information (like tenant Social Security numbers and credit research) held on computer systems, smartphones, laptops or paper files or entrusted to third-party vendors

■ Costs to notify affected individuals that their personal information has been breached, as required by law

■ Other costs associated with data breaches, such as public relations, investigative costs and defense costs from lawsuits

■ Loss of business income when a “hacker” prevents your customers from accessing your website or disrupts your systems

■ Loss of business income when your service provider’s systems are affected by a “hacker” (such as a cloud service provider or credit card processing company)

■ Personal injury (such as libel) that may result from the use of blogs on your website or other social media

When employees are cyber criminals

Breaches can happen in a variety of ways, and there is no shortage of news of examples of significant breaches. The FTC reports that identity theft complaints were up 32 percent in 2012, and over 12 million people have been a victim of identity theft.

While cyber criminals account for much of these instances, there is also the threat of human error of employees that causes data to be lost. For example, laptops left in cabs, smartphones lost, USB drives left in the open and stolen, or simply emailing a file with this data to the wrong address. While encryption can be a line of defense against the release of this data, many times it is not sophisticated enough, or it simply does not exist on every computer or device. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million settlement for penalties under the HITECH Act for a breach of over 1 million patient records after the theft of computer hard drives (with unencrypted health information).

The use of third parties, such as a rent payment portal, does not eliminate the risk. The company that selected the third party would also be involved in a lawsuit or breach since they selected and promoted the third party for resident rent payments. A lawsuit would examine what level of due diligence was done by the property manager to select the third-party rent payment portal and its security measures.

The need for prevention

Preventing breaches with security protocols is a no-brainer and often a requirement of state or federal government. Good security and prevention measures also make you a more appealing risk for cyber liability underwriters, which help keep costs down if insurance is purchased.

It begins with identifying the type of information collected and putting policies in place to protect this data. This protection can range from employment policies to control employee behavior, such as policies on downloading unauthorized software and rules related to personal device usage, to technology solutions such as keeping anti-virus software up-to-date and complex password protection measures. Your IT department should regularly monitor security measures and look for signs of attempted breaches. Many companies have used an outside consultant to perform an audit of the cyber security systems in place to determine vulnerable areas.

The threat of lost data, the ensuing costs, and potential liability for property owners and managers is real and growing each year. Companies spend a lot of money and effort on keeping this data safe, but the sheer number of incidents suggests that it is only a matter of time before companies experience some sort of breach.

Kevin D. Smith CPCU, ARM, is vice president, real estate division director at The Graham Company, a property and casualty brokerage specializing in the multi-housing.

To comment on this story, e-mail Diana Mosher at [email protected]