Data Breach Insurance: What It Is, Which Businesses Need It

Any business with an internet connection is at risk of a data breach. The good news is there's a policy for that.
By Whitney Vandiver 
Edited by Rick VanderKnyff


Data breach insurance protects a business financially if someone accesses or steals confidential information. And being a small business doesn’t mean you are immune to the vulnerabilities of storing customer data. If anything, it might put you more at risk.

According to The Manifest 2020 Small Business Survey, 15% of small businesses surveyed in 2019 had experienced a virus, system hacking or data leak in the previous year. What’s more, nearly 50% of small businesses that experienced a breach took weeks or longer to discover it, according to Verizon’s 2021 Data Breach Investigations Report. And breaches at small businesses don’t always come with cheap price tags — it’s not uncommon for them to pay tens of thousands of dollars in recovery costs.

With small businesses becoming visible targets for data breaches, owners must plan ahead for how they will recover from such an incident. And data breach insurance is one of the best options to consider.

What is a data breach?

A data breach occurs when information is accessed without permission. The breach can be intentional, such as an outside attacker targeting business data, or accidental, such as an employee exposing confidential information by mistake. Breaches happen in many ways, but these are a few of the most common attack methods that lead to them:

Ransomware: A malicious party encrypts data so that it is inaccessible until the business pays a ransom. Many ransomware groups also copy the data before encrypting it and threaten to publish it, which is what turns an outage into a data breach.

Phishing: An employee hands over credentials or access to confidential data because they believe the impostor to be a trusted party, such as a bank, a vendor or a coworker.

Malware: Hackers gain access to a business’s systems and data through malicious software, typically introduced by downloading infected files or opening infected email attachments.

Who needs data breach insurance?

Most businesses collect and store at least some customer data, which puts them at risk of a data breach, and businesses that have access to sensitive and personal information are especially vulnerable. Any business that retains customer data is a good candidate for data breach insurance. This includes businesses that store customers’ payment methods, email addresses and physical addresses — and even more so if they store information that would make it easy for someone to steal a customer’s identity, such as Social Security numbers or banking information.

You’ll also want to consider coverage if your business is in an industry, such as accounting, that commonly stores other businesses’ data, which means you are more likely to be a target.

What is data breach insurance?

While falling under the cybersecurity insurance umbrella, data breach insurance — sometimes referred to as data compromise insurance — specifically focuses on the unauthorized access or exposure of private data directly from your company.

This policy applies to most situations where confidential information is accessed without permission. This can include your business’s financial data as well as customers’ personal information, such as credit card numbers or health information. Employee and contractor data, including Social Security numbers and tax forms such as W-2s and contractors’ W-9s, also qualifies as protected personal information.

While you might think your business is too small to worry about data breaches, there are many ways outsiders can find their way to your data. Weak or reused passwords, credentials left where others can see them and downloaded infected files can all lead to compromised data. Data breach insurance is specifically designed to protect a company in the aftermath of such an event. Not only does it help absorb the cost of an immediate response, it also pays for the forensic work that identifies how the breach occurred and what data was compromised, and for helping affected customers.

What does it pay for?

Data breach insurance provides first-party coverage. This means it covers the expenses your own business incurs when addressing a breach of data on your business’s systems or network, as opposed to claims that other people make against you. Here are a few examples of coverage:

Notification: Every U.S. state has a breach notification law setting out who must be told, what the notice must say and how quickly it must go out after the breach is discovered. Data breach insurance can help pay for some or all of the cost of properly notifying customers of the breach and explaining what information was stolen. Many policies also cover the costs of providing affected customers with anti-fraud services, such as credit and identity theft monitoring.

Investigation: A policy can also pay a digital forensics and incident response firm to investigate the breach, determine how it happened and advise on how to prevent it from reoccurring. This might require a business to hire a consultant and in some cases involve law enforcement. Many policies require you to notify the insurer before hiring anyone and to use forensics firms and breach counsel from the insurer’s approved list, so check the claims procedure before an incident, not during one.

Income loss: Some insurers offer additional coverage to replace lost income if you have to temporarily close your business after a data breach, as well as to pay the costs of recovering your business’s data if someone holds it for ransom. Ransom payments, if covered at all, are typically a separate cyber-extortion coverage with its own limit. What is covered depends on the specific policy.

What constitutes a data breach for compliance purposes, however, is largely a matter of state law. There is no single federal breach notification law; federal requirements apply only to particular sectors, such as HIPAA for health information and the Gramm-Leach-Bliley Act for financial institutions. The states in which you do business, and the states where your customers live, might therefore affect your notification obligations and your policy’s coverage.

What does it not pay for?

Most insurers do not provide an all-inclusive policy that will cover all of the expenses associated with a data breach, and there are a few common exclusions to data breach policies.

Data breach insurance does not provide third-party coverage, meaning claims that others bring against you. Your policy will not kick in if a customer sues you over a breach, if a regulator fines you, or if your business makes a mistake that causes a customer’s server or network to be compromised. In other words, you’re not covered if you cause someone else’s data to be breached. That last risk is most common for companies that provide technology services and support to other companies. Third-party coverage usually requires an additional cyber liability policy.

Generally, data breach insurance does not cover indirect losses that result from a data breach, such as the financial costs associated with stolen intellectual property. And it usually doesn’t cover the cost of upgrading your technology to protect against future incidents.

There might be other circumstances where a data breach policy doesn’t apply, so always ask about exclusions to make sure you understand what is not covered and what will require an additional policy to protect your business.

How much does data breach insurance cost?

Data breach insurance can fall under a larger cybersecurity policy but is often considered a separate policy. Like most business insurance products, the cost of data breach insurance depends on several factors, including the type of data that can be compromised, how many customers you serve and your annual revenue.

Premiums can be as little as a few hundred dollars a year for businesses that store minimal data and only want basic coverage. However, businesses that handle a lot of personal data, are at a higher risk of a data breach and want a policy that can cover the majority of costs for recovering from an incident will have a much higher annual premium.

Professions that commonly collect and store personal data are likely to pay higher premiums because they pose a greater risk and tend to have larger expenses for data recovery following a data breach. As with most insurance, if you’ve had claims in the past, you are likely to pay more than businesses with no history of data breach claims.

A cost factor that a business can control is a policy’s coverage limits. Like with other types of insurance, the more monetary coverage you elect for a policy, the higher the premium will be. But evaluate how much your business will need to sufficiently recover before lowering your policy limits just to save a few bucks each month. The insurance won’t serve its purpose if your coverage isn’t enough to keep your business from folding because of the financial weight of recovering from a data breach.

Some insurers also consider a business’s level of security when it comes to technology. Insurers commonly ask about specific controls, such as multifactor authentication on email and remote access, endpoint protection or antivirus software, and backups that are kept offline and tested. Having these in place might show that your data is more secure and lower your premium, and some insurers will not write a policy without them. Small businesses should also consider how they limit access to their data, for example by giving employees access only to the systems their jobs require, to show they are taking cybersecurity seriously.

Frequently asked questions

Is data breach insurance the same as cybersecurity insurance?

No, data breach insurance is a specific type of cybersecurity insurance that only covers expenses related to data breaches. General cybersecurity insurance often covers additional situations.

Are small businesses at risk of data breaches?

Regardless of size, any business that stores customer or employee data digitally is at risk of having its data compromised. How vulnerable a company might be depends on the type of data it stores and what cybersecurity measures it has in place.

What type of cybersecurity insurance does a small business need?

What type of insurance coverage is best for a small business is unique to the business in question. Every small business should evaluate its vulnerabilities and risk when deciding what coverage will work best. If you aren't sure what your business needs, consider talking to a small-business insurance agent.

What does data breach insurance not cover?

Generally, data breach insurance does not cover indirect losses, such as lost income due to compromised intellectual property, or expenses for upgrading hardware or software to prevent another data breach. It often does not cover any liability a business has for causing another company's data to be breached, which is usually covered by a separate cybersecurity policy.