Businesses that have personally-identifiable information in their possession now have the legal duty to disclose any suspected breach, and there are now fines and penalties for not reporting a breach. The business must notify any person who may have been affected and the Attorney General. In addition, the business faces potential lawsuits from those affected.
Under most State statutes, personally-identifiable information can include:
Most General Liability policies specifically exclude the consequences of data loss. It does not matter whether the business loses a flash drive, a laptop, or even paper; the personal information is considered breached, and the loss is not covered by most liability policies unless a specific “Cyber Breach” endorsement is added. Such endorsements often carry limited protection. Only network security and privacy liability policies are designed to cover the risk of lost or stolen information.
The large number of successful attacks against even the best-run organizations has demonstrated the vulnerabilities every business faces.