Privacy notification and crisis management expense coverage refers to an insuring agreement contained within policies written to cover claims caused by data breaches.
Such policies are most often termed "cyber and privacy insurance," "information security and privacy insurance," or "cybersecurity insurance." Privacy notification and crisis management expense coverage includes the cost of (1) hiring a forensics expert to determine the cause of the breach and suggest measures to secure the site and prevent future breaches, (2) hiring a public relations agency to assist the insured in dealing with the crisis, (3) setting up a post-breach call center, (4) notifying affected individuals whose personally identifiable information (PII) has been compromised, (5) monitoring these individuals' credit (usually for 1 year), and (6) paying the costs to "restore" stolen identities as a result of a data breach (e.g., expenses of notifying banks and credit card companies).
Privacy notification and crisis management expense coverage addresses the so-called immediate response costs associated with a data breach. This insuring agreement makes payments on a "no fault" basis and without admission of liability, as is the case under "medical payments" coverage included in a homeowners or personal auto policy (PAP). The intent of such payments is to discourage affected customers from making claims associated with a data breach.
In contrast, the information security and privacy liability insuring agreement is the true "liability" coverage element of a cyber and privacy policy, since it responds to lawsuits and pays liability losses from claims made against the insured by various parties. Similar to other cyber and privacy insurance policies, privacy notification and crisis management expense coverage is subject to an annual aggregate limit and an annual aggregate deductible.