There are a lot of risks to doing business these days, and cyber attacks have become a dangerous and costly threat to every organization that uses computers and the Web to operate. Fact of the matter: Many small businesses never recover from attacks on their data and infrastructure. The security pros at Symantec found that a whopping 71% of small businesses that suffer from a cyber attack never recover.
Can your business afford that kind of hit? Do you have insurance that will protect you from the costs of both damage to your data and the costs associated with the cleanup?
A recent lawsuit highlights the importance of a data breach insurance policy that specifically covers the losses suffered during an IT security incident.
In 2005, DSW Shoe Warehouse was the victim of a data breach in which hackers stole financial information of more than 1.4 million customers, causing an estimated $5 million of damage to DSW.
The company tried to get compensation for those costs from its insurance policy — however, the insurance company refused to pay.
Though DSW lacked data breach insurance, its general crime policy contained a clause providing coverage for losses “resulting directly” from a data breach incident. According to the insurance company, the $5 million included money for customer communications, public relations campaigns, funding for investigations, legal fees, etc., which did not directly result from the data breach.
In other words, since the hackers didn’t directly steal money from DSW during the breach, the company wasn’t owed any reimbursement under the policy. DSW disagreed and took the insurance company to court.
A panel of judges agreed with DSW and ordered the insurance company to pay (Cite: Retail Ventures, et al. v. National Union Fire Insurance). According to the court, the wording of the policy was ambiguous and should therefore be interpreted in the insured party’s favor.
Although DSW won in the end, many observers warn that the case could have gone either way and that the long legal battle shows why companies should have data breach insurance policies that specifically provide coverage for losses due to IT security incidents.
Since DSW’s breach, insurance companies have changed the way policies are worded, and experts say it could be even tougher now to get reimbursement for data breach losses under a general policy.
Does that mean all companies need data breach insurance? A survey from earlier this year showed businesses are mostly split, with just under half (46%) purchasing cyber insurance policies. Experts recommend that companies assess their own cybersecurity risk, look into the cost of those insurance premiums, and compare that to the potential costs of a data breach at their organization.