Data Breaches: How Staffing Firms Can Prepare for Unexpected Lawsuits
March 25, 2023
In today’s digital world, Cyber Insurance is critical to keep your business, your clients, and their private data safe. As a Staffing & Recruitment agency, you might even be contractually obligated to hold it by a number of key partners, like investors, vendors, and clients. Depending on the services you provide and the industries you serve, your clients may even insist on higher limits due to increased risks.
But while Cyber Insurance can help you recover from a breach, your clients might overestimate the amount of protection it provides them. Plus, in certain situations, like when a data breach is linked to someone you placed, your Cyber Insurance might not respond to cover the damages at all. This, in turn, could expose your firm to increased professional liability risks.
So how does Cyber Insurance work for Staffing & Recruitment firms? What’s covered? What’s not? And more importantly, how can you protect yourself? Keep reading to learn more.
Cyber Insurance: What’s Covered?
Cyber Insurance, also known as Data Security & Privacy Breach Insurance, covers a variety of expenses following a privacy breach, cyberattack, or network security issue, like if your company’s information is stolen by a hacker or accidentally released by an employee. Most policies contain two types of coverage to help you manage breach fallout:
First-Party Liability Insurance
First-Party Expenses Coverage pays for any costs incurred by your organization to restore your own systems and data. That can include:
- Client notification and credit monitoring for affected parties;
- A specialized data forensics team to investigate the cause of the breach;
- A legal breach coach to advise you on response and regulatory compliance;
- PR consulting services to manage reputational harm;
- Additional remediation services: Depending on your policy, you might even have funds for network business interruption coverage during incident-related downtime, digital asset restoration, computer replacement, and more.
Third-Party Liability Insurance
Third-Party Liability Coverage pays damages and defence costs if you’re sued by a third party, like a candidate or a client, who was affected by a breach on your network. For example, if your systems were hacked and any sensitive data belonging to your client was compromised, they could hold you liable for failing to properly protect their data. This coverage includes costs associated with privacy regulation penalties, multimedia liability, payment card industry fines, legal fees, and court-awarded settlements.
Simply put, First-Party Liability Insurance pays for your direct breach costs, whereas Third-Party Liability Insurance covers the cost of dealing with a breach-related lawsuit.
Cyber Insurance: What’s Not Covered?
1. Client’s Own First-Party Expenses
As the digital world grows, more clients, particularly those in the IT space, are requiring Staffing & Recruitment firms to carry high amounts of Cyber Insurance, with limits of up to $5 million or more, as part of their contract. Why? They believe your policy will reimburse their remediation costs if a security issue is traced back to your organization.
Unfortunately, the higher your limits, the more expensive your policy, especially in today’s market, where increased cybercrime and mounting claims payouts have driven up insurance rates. Even if your individual risk of a breach is low, clients’ coverage demands can cause your premium to soar.
However, while the Third-Party Liability Coverage does go toward clients’ losses, your policy is in place to benefit you, not your clients. The funds are intended to protect your assets against potential damages, rather than to cover a client’s expenses directly. Additionally, the amount paid is determined by the court, so your client won’t automatically have access to your insurance policy; they’ll have to take legal action first. Finally, while these funds can be used by the clients to repair their systems, what’s paid might not be enough to make them completely whole again.
To be clear, this exclusion isn’t limited to Staffing & Recruitment Firms. Regardless of your industry, Cyber Insurance is designed to protect whoever purchases the policy, not the affected third party; clients should have their own Cyber Insurance policy to cover their first-party expenses.
You enter into a contract with a consulting firm, who requests that you have a Cyber Insurance limit of $1 million for breach expenses. Sometime later, your organization suffers a cyberattack, compromising hundreds of sensitive files. You report the incident to your insurance company, who helps you respond and notify the Privacy Commissioner and all affected parties. A few weeks later, the consulting firm sends you an invoice for the $120,000 they spent recovering their own assets. However, your Cyber Insurance doesn’t extend to clients’ first-party expenses. When you explain this to your client, they become upset and file a lawsuit against you.
2. A Breach Caused by a Candidate on Assignment
When it comes to privacy breaches, most organizations only have to worry about their own staff. If your own employee makes an error that causes a breach on your systems, Cyber Insurance will cover your first-party and third-party expenses. But as a Staffing & Recruitment firm that hires and places candidates, cyber-related mistakes that are made by someone on assignment, like a temporary worker or independent contractor, can fall into a grey area.
If a candidate’s error results in a breach and your client sues you for damages, your Cyber Insurance policy won’t respond. Why? Cyber Insurance excludes claims related to professional services. Since the error occurred while the candidate was providing their professional services, your insurance company would consider it negligence or a failure to render services, which is typically covered by your firm’s Professional Liability Insurance policy.
Your firm places an administrative assistant at an accounting firm for a three-month contract. While responding to some emails, the assistant accidentally clicks on a phishing link that unleashes malware into your client’s system. Your client incurs $200,000 to remove all traces of the malware from their system and sues you for negligence because you provided the assistant. However, the breach didn’t occur at your company and the mistake was made while the assistant was on the job, so your Cyber Insurance won’t apply.
3. A Breach Caused by an IT Consultant
Your agency is particularly at risk if you work with consultants in highly specialized fields, like IT, tech, or engineering. Although you aren’t directly providing software, technical, or design services, you could be liable if a consultant’s mistake made your client vulnerable to attack or compromised data.
Here are two examples to illustrate:
CASE STUDY A:
Your firm provides an IT consultant to create some software coding for a large client. A few weeks into the contract, the consultant makes a coding error that releases the client’s private data. Your client hires a breach coach and a data forensics team to mitigate the breach internally and restore their systems, costing $150,000 in total. They file a suit against you and the consultant, alleging that the consultant’s negligence led to the loss. The consultant’s actions stem from their professional services as an IT consultant; this triggers your Professional Liability Insurance policy to cover the lawsuit, rather than your Cyber Insurance policy.
CASE STUDY B:
Your company is tasked with developing some software for a client to manage their contractor database. You source the IT consultants yourself to create, test, and finalize the program, before providing it to the client. After some time, your client discovers a bug in the software, which accidentally exposes contractors’ personal information. The client sues you for providing a faulty product and to cover the $200,000 they spent to send out notification letters and arrange identity theft coverage for affected individuals. Because your company created the program, your Professional Liability Insurance policy responds to the lawsuit instead of your Cyber Insurance.
What’s the impact?
So why does it matter which policy pays as long as the damages are covered? Two reasons:
What if your Professional Liability Insurance limits aren’t high enough? Or what if you’ve already had a few professional liability claims that year and your policy limits are exhausted? If you don’t have enough coverage, you could be liable for up to hundreds of thousands in damages, settlements, and judgements out-of-pocket. And if you can’t pay up at all, it could cost you your clients, your reputation, and maybe even your business.
Keep in mind: insurance companies base premiums on your risk profile, in addition to a variety of other factors. Multiple lawsuits could indicate a higher likelihood of future claims and put you in a high-risk category. Plus, the higher the losses, the more your policy will have to pay out. That means a long, drawn-out litigation process or a few major claims could cause your premium and deductible to spike at renewal time. Frequent claims might even lead to your coverage getting denied altogether.
Taking the time to understand your coverage and what it can do for you might make all the difference when it matters most. Here are some tips to keep in mind to help you avoid any grey areas and coverage gaps:
1. Be transparent.
When negotiating with clients or their legal counsel, thoroughly review your contract to get a sense of your Cyber Insurance requirements and why they want you to carry a certain limit. Be clear about where your Cyber coverage ends and exactly how much coverage third parties are afforded in the event of a breach. Make sure clients know your policy isn’t a catch-all for all breaches and encourage them to invest in their own coverage.
Additionally, unless you act as a Managed Service Provider or direct IT Consultant, it’s worth noting that most Staffing & Recruitment firms don’t typically store vast amounts of client-owned data beyond basic contact or payroll information, so you might not even need an excessive amount of coverage. Be sure to clarify how much of your clients’ data resides on your network to determine the level of coverage needed and temper their expectations; they may consider reducing their requirements.
2. Review your Cyber Insurance.
In general, most Staffing & Recruitment firms don’t see themselves as at risk of a breach and often only purchase Cyber Insurance to meet client demands. And if you don’t need as much coverage as your clients assume, you may be tempted to lower your limits or remove specific services to save on costs.
But don’t cut too much. After all, any business that collects, stores, and transmits confidential data is at risk of a breach. Even if you don’t have a lot of client information on file, you still have important employee and candidate data, intellectual property, and valuable connections of your own that need protecting. And in the event of a breach, you’ll need enough Cyber Insurance to offset your losses, get your business back online, and address any other third-party lawsuits.
3. Review your Professional Liability Insurance.
You may already have a Professional Liability Insurance policy in place to defend your business against allegations of errors, omissions, and negligence. However, with the unique exposure of Staffing & Recruitment firms, it’s a good idea to review your policy and ensure you have enough coverage for your day-to-day operations, as well as the added liability you face from candidates on assignment. Increase your limits as needed and consult with an expert for any risk management tips or coverages you can implement to protect yourself and your clients.
4. Ensure your candidates have enough insurance.
If a client suffers a breach, they won’t just sue you; they’re also likely to sue the candidate directly. To mitigate this risk, ensure all temporary workers and independent contractors maintain adequate Professional Liability Insurance in case of a lawsuit.
For maximum protection, candidates can obtain insurance through PROLINK’s comprehensive Independent Contractors Insurance Program. Our tailored offer includes Professional Liability Insurance and Commercial General Liability Insurance to defend against claims of professional negligence and errors made within the scope of practice, as well as third-party injuries, property damage, and more. Highlights include:
- Extends to Independent Contractors in the Accounting/Finance, Administration/Clerical, IT, Management Consultants, or Technical/Engineering fields;
- Customizable coverage periods ranging from one week to 18 months to suit different contracts;
- Limits of $1M, $2M, or $5M;
- And more!
Learn more about the Independent Contractors Insurance Program here.
5. Work with a risk advisor.
Keep in mind: every agency is different and the right policies and limits for your needs will depend on a variety of factors, including your size, location, operations, the industries you serve, and more. And you might have trouble finding an insurance company who understands the unique needs of your firm, your independent contractors, or the continuously evolving requirements of your industry.
That’s why it’s key to work with a licensed broker—like PROLINK—that specializes in the Staffing & Recruitment sector. With over 40 years of experience and over a decade of serving some of the largest staffing firms nationwide, we’ve seen it all. We can demystify coverages, share what steps others in your industry are taking, and help you chart the road to organizational resilience.
Our dedicated team of advisors will help you:
- Identify exposures based on your business operations and unique needs;
- Conduct a full analysis of your existing insurance policies to detect any coverage gaps;
- Adopt a proactive approach to risk management to control your costs long-term;
- Stay on top of emerging threats, legislation, and innovations that could affect you;
- Secure comprehensive Professional Liability, Cyber, Directors & Officers Insurance solutions and more, tailor-made for your strategic objectives and budget.
To learn more about your risks—and how you can protect yourself—connect with PROLINK today!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.