A must have for corporate travel agents – cyber liability insurance

A report last year by data protection organization Ponemon Institute estimated that almost half (47%) of US adults had some form of ,ersonal information compromised in 2013, and breaches at US companies made up more than $100 billion of the $575 billion global market in cyber theft in 2014.

Many companies – including those in travel e-commerce  – believe they will be covered by their standard commercial general liability (CGL) insurance in the event of a data breach where customers’ personal information is compromised. Most, if not all, of these policies have ‘personal injury’ coverage which includes an ‘invasion-of-privacy’ clause. 

However experts believe the wording in some of these policies is ambiguous, leaving travel companies open to litigation from affected clients. Take the Sony hacking scandal as an example. Sony claimed indemnity under its CGL policy but its insurers failed to pay out on the claim, citing small print which did not cover damages relating to the breach. A subsequent lawsuit filed by the company was thrown out but Sony appealed. Sony eventually settled out of court with the insurers, denying the insurance industry and businesses an important precedent.

Even before the Sony case, insurers had begun excluding liability from cyber crime from their policies, and at the same time offering stand-alone insurance for cyber liability.

This is a relatively new strand of insurance that varies widely between insurers making it difficult to compare, and many firms are still unaware that a specialist policy like this even exists.

However one corporate travel agent says cover is an absolute must.

"Corporate travel agencies are one of the few businesses that absolutely must keep active credit card numbers in their client profiles. Maintaining those active profiles opens you up to tremendous liability that is not covered by your standard business liability insurance,"   says Michael Reich, owner of Florida agency Master Travel and Cruises.

"Corporate agencies have no choice about keeping client card numbers," Reich added.

"It is encrypted, as required by card issuers, but the card number can be stolen from any number of sources. And no one can guarantee that encryption can’t be broken."

Dedicated cyber liability insurance is still something of an unknown quantity in the travel business and it will be some time yet before there is enough traction to see whether the current crop of policies meets the needs of companies in an ever evolving landscape of cyber crime.

In the meantime companies can take measures to ensure they are fully covered:  

•    Companies should check their current CGL policy for any exclusions relating to cyber liability.

•    If a policy does not currently have a cyber liability exclusion, it doesn’t mean that will be the case in the future. A business should specifically check to see if an insurer is planning to exclude cyber liability cover.

•    Travel businesses should purchase a stand-alone cyber liability policy if not covered under the main CGL insurance.   Any business, like corporate travel agencies that holds card users’ data on file – even encrypted data – should not go without.