Form BP 04 96: Data Compromise And Identity Restoration

1. What the form is

The BP 04 96 "Data Compromise And Identity Restoration" endorsement is designed to be added to a Businessowners Policy (like the BP 00 03). Its primary purpose is to provide coverage for certain expenses and services arising from a data breach, where sensitive personal information of customers or employees is compromised. It also typically offers services to help affected individuals restore their identities.

This endorsement helps businesses manage the significant financial and reputational consequences of a data breach. Key functions include:

  • Data Compromise Response Expenses: Covering costs for things like forensic IT reviews to determine the cause and scope of a breach, notification expenses to inform affected individuals as required by law, legal counsel, and public relations services to manage reputational damage.
  • Identity Restoration Services: Providing services for affected individuals, which may include credit monitoring, fraud alerts, and case management assistance to help victims of identity theft restore their credit and identity records.
  • Third-Party Liability (may vary): Some forms may also offer coverage for defense and liability costs if the business is sued by individuals affected by the data breach, or faces regulatory actions.

Coverage is typically triggered by the discovery of a data breach during the policy period, provided the breach occurred after the policy's first inception date or a specified retroactive date.

2. Classes of business it applies to

This endorsement is generally targeted towards small to medium-sized businesses that collect, process, or store personally identifiable information (PII) or protected health information (PHI) of customers, clients, or employees. Given that a high percentage of data breaches occur in smaller businesses, this coverage is broadly applicable. Examples of businesses that would benefit include:

  • Retail stores: Handling customer payment information and loyalty program data.
  • Restaurants: Processing credit card payments and potentially storing customer reservation details.
  • Professional services: Such as accounting firms, law offices (though professional liability for the service itself is different), or consultants who maintain client records. Example: An accounting office has a server hacked, exposing clients' tax records and social security numbers.
  • Healthcare providers (smaller practices): Such as doctors' or dentists' offices managing patient records (though larger healthcare institutions often have specialized cyber policies). Example: A small clinic's employee loses an unencrypted laptop containing patient PII.
  • Service businesses: Like salons, repair shops, or contractors who keep customer databases.

However, certain classes of business are often considered ineligible or require more specialized coverage due to the high sensitivity or volume of data they handle, or specific regulatory frameworks. These commonly include:

  • Financial institutions (banks, credit unions)
  • Hospitals and large healthcare organizations
  • Educational institutions
  • Credit reporting agencies
  • Businesses primarily involved in credit card or financial transaction processing
  • Municipalities or government entities

3. Special considerations

  • Scope of Data Covered: Coverage typically applies to personal data in the insured business's care, custody, or control. This can include data held on their systems or physical files, and potentially data entrusted to a third-party vendor directly related to the insured's services.
  • Notification Laws: All states have data breach notification laws with specific requirements for informing affected individuals and sometimes regulatory bodies. This endorsement helps cover the costs associated with complying with these varying and often complex laws.
  • Retroactive Date: Policies often include a retroactive date, meaning breaches that occurred before this date may not be covered, even if discovered during the policy period.
  • Definition of a "Data Breach" or "Compromise": It's important to understand how the policy defines a covered event. This can include theft of electronic or physical files, accidental loss or release, or voluntary release due to fraud or manipulation.
  • Sublimits: Coverages for different components (e.g., notification costs, legal defense, identity restoration services) may have individual sublimits, which are lower than the overall aggregate limit of the endorsement.
  • Exclusions: Common exclusions might include breaches resulting from dishonest acts by partners or executives, failure to maintain adequate security standards (though this varies), or acts of war/terrorism.
  • Real-world example: A small retail business experiences a point-of-sale system malware attack. The BP 04 96 could help cover the costs of a forensic investigation to understand which customer card data was stolen, the expense of notifying affected customers, and providing them with credit monitoring services. Without this, the retailer would bear these potentially crippling costs out-of-pocket.

4. Key information for agents and underwriters

  • Risk Assessment: Underwriters will assess the type and volume of sensitive data the applicant handles (e.g., payment card information, social security numbers, health records). They will also evaluate the business's existing data security measures, including network security, employee training, data encryption practices, and incident response plans.
  • Pricing Considerations: Premiums are influenced by the limits of liability selected, the industry class of the business, the number of PII/PHI records handled, past breach history, and the strength of its data security controls. Businesses in higher-risk industries or those with weaker controls can expect higher premiums.
  • Coverage Gaps to Address:
    • This endorsement may not cover all cyber-related risks. For instance, losses due to social engineering that don't directly involve a data breach of PII might not be covered, or coverage for business interruption due to a cyber-attack might be limited or require a separate cyber policy.
    • Fines and penalties from regulatory bodies (e.g., HIPAA, PCI-DSS) may have specific limits or may not be covered under all versions of this endorsement.
    • Loss of the insured's own funds due to cybercrime (e.g., fraudulent wire transfers) is typically addressed by crime insurance or specific cybercrime policies, not primarily by data compromise endorsements focused on third-party data.
  • Underwriting Guidelines:
    • Insurers will often have specific underwriting guides detailing eligible and prohibited classes.
    • A thorough application detailing data handling practices and security protocols is usually required.
    • Underwriters may look for evidence of basic security hygiene, such as firewalls, anti-virus software, regular data backups, and employee awareness training regarding phishing and data security.
  • Relationship to BP 00 03: As an endorsement, BP 04 96 modifies the base Businessowners Coverage Form (BP 00 03). It does not stand alone and its terms must be read in conjunction with the main BOP. The BP 00 03 typically provides property and general liability coverage, and this endorsement adds specific data breach and identity theft related coverages that are often excluded or very limited in the base BOP.
  • Agent's Role: Agents should discuss the specific data breach exposures their clients face, explain the coverages and limitations of this endorsement, and help determine appropriate limits. They should also advise on risk management practices to prevent breaches.

Form Information

Summary:
Provides coverage for expenses related to a data breach (data compromise) and services to help restore the identities of affected individuals (identity restoration).

Line of Business:
Businessowners Policy

Type:
Endorsement

Form Code:
BP 04 96

Full Form Number:
BP 04 96 07 13

Edition Dates:
07 13
