Cyber liability underwriters often want to confirm that your clients are encrypting information stored on portable devices such as laptop computers, USB drives and backup tapes.
This underwriting requirement is a result of both the frequency of loss events and some significant large loss events involving data stored on portable media. When information stored on portable media is lost or stolen, it will generally result in an obligation to notify consumers of the data breach, and may also result in consumer class action claims against the entity or fines and penalties from government regulators.
This is particularly true for entities in the healthcare industry that are subject to regulations under HIPAA and HITECH.
Here are some examples of significant events involving lost or stolen portable devices:
The good news is that when the data on portable devices is encrypted, in most cases there is no obligation for the entity to notify consumers of a data breach event, and class action or regulatory claims can generally be avoided. As a result, encryption of data stored on portable devices is a low-cost and effective risk control tool against data breach loss, and a loss control technique that cyber liability underwriters look for.
Beazley Breach Trends June 2016 - Portable Devices, Portal Data