This component offers coverage for regulatory fines and penalties and/or regulatory compensatory awards incurred in privacy regulatory proceedings/investigations brought by federal, state, or local governmental agencies, such as proceedings/investigations alleging HIPAA violations.
In 2015, a large hotel chain suffered a data breach due to a form of social engineering called “pretexting”, in which an individual tricks another party into divulging confidential information. In this case, the hacker posed as an employee in the hotel chain’s corporate IT department and convinced two other employees to enter their employee IDs and passwords into a fake, or “phishing”, website.
The hacker used the employees’ security credentials to access the personally identifiable information (“PII”) of hotel guests. The breach exposed the names, home addresses, email addresses, phone numbers, driver’s license numbers, license plate numbers and credit card numbers of thousands of customers.
The Federal Trade Commission (FTC) investigated and found that a lack of technical safeguards, such as multi-factor authentication, contributed to the theft of customer information. The FTC also found that the hotel chain failed to report the data breach to federal authorities, as required by law. At the conclusion of its investigation, the FTC ordered the company to pay $595,000 in civil penalties.
Cyber liability insurance would cover the civil penalties, as well as any costs associated with defending the hotel chain in the investigation.