Real 1st Party Claims that were defended and paid under The Hartford’s Tech E&O Policies
- Type of Claim First Party Data Privacy Loss – Notification, Data Privacy Regulatory, Credit Monitoring, and Crisis Management Expenses
- Policy Type FailSafe GIGA with First Party Data Privacy Endorsement or FailSafe TERA with First Party Data Privacy Endorsement
- Type of Insured Computer Hardware Manufacturer
- Facts A computer hardware firm manufactures network connectivity products and sells them online to customers. As part of the online transaction, non-public personal information is collected from customers and stored on the hardware firm’s servers, which contain over 20,000 individual records. While conducting maintenance on the company’s network, the security elements are disabled to allow applicable changes required for the network. When the network is brought back online, the security elements are inadvertently left in the disabled mode. The network is left unprotected for a period of 30 days. Although there is no evidence of a breach to the network or a compromise of the 20,000 individual records, the company has violated data privacy laws in several states and is required to notify all affected individuals of the possibility that their personal information has been exposed. Even though the hardware firm does not receive any allegations from third parties for damages, the data privacy wrongful act results in the following expenses for the hardware firm: • $300,000 in notification expenses required to comply with applicable notification laws as a result of the data privacy law violation • $700,000 in credit monitoring expenses for individuals impacted by the breach in their non-public personal information • $300,000 in legal expenses in the defense of a data privacy regulatory proceeding that occurs as a result of the incident • $75,000 in crisis management expenses associated with the use of a crisis management firm to minimize the potential harm to the hardware company from the data privacy wrongful act.
- Resolution The total first party expenses incurred by the hardware manufacturer were in excess of $1.3 million
- Type of Claim First Party Data Privacy Loss – Cyber Extortion Expenses
- Policy Type FailSafe GIGA with First Party Data Privacy Endorsement or FailSafe TERA with First Party Data Privacy Endorsement
- Type of Insured Hosting/Connectivity Service Provider
- Facts A company provides customers with hosting and connectivity solutions, including Internet access, hosted environments for internal and external facing Web sites, hosted application services, etc. Access is restricted to authorized users through assigned user identification with user-controlled passwords. The company receives a threat from an unknown third party that will cause an interruption of the company’s network and unauthorized access to the data stored on the company’s servers. After investigating the threat, it is determined that the threat is credible and the company makes an extortion payment to the person or group making the threat. The cyber extortion threat results in the following expenses for the company: • $25,000 cyber extortion expenses
- Resolution The total first party expenses incurred by the service provider were $25,000.
- Type of Claim First Party Data Privacy Loss – Notification, Credit Monitoring, and Cyber Investigation Expenses Policy Type: FailSafe GIGA with First Party Data Privacy Endorsement or FailSafe TERA with First Party Data Privacy Endorsement
- Type of Insured Software Developer
- Facts A software developer manufactures and distributes workforce management software that allows third parties to track employee hours, overtime, vacation time and compiles information for payroll processing. The software is offered on a “Software as a Services” (SaaS) model that allows the developer to provide customers with access and use of the applications through a hosted environment, including storage of customer data on a server controlled by the developer. An unauthorized access to this data results in the improper dissemination of non-public personal information for 1,000 individuals and violates data privacy laws in several states. Although the software developer does not receive any allegations from third parties for damages, the data privacy wrongful act results in the following first party expenses for the developer: • $15,000 in notification expenses required to comply with applicable notification laws as a result of the data privacy law violation • $35,000 in credit monitoring expenses for individuals impacted by the breach in their nonpublic personal information • $7,500 in cyber investigation expenses to hire a company to investigate the cause of the security breach
- Resolution The total first party expenses incurred by the software developer were in excess of $50,000.
