Clark County government computer servers don’t store sensitive plans about upcoming feature films, like Sony Pictures Entertainment servers did when hackers breached the company and revealed emails with embarrassing comments about celebrities.
The county isn’t a big retailer like Target, which also suffered a big data breach that compromised customers’ credit card information.
Even so, the county and other government agencies are increasingly turning toward liability insurance to safeguard against the financial fallout from data breaches.
Unlike Sony’s hacked emails about film stars, Clark County’s secure data isn’t very tantalizing, although it is important: sensitive personal information about employees, such as Social Security numbers and medical insurance information.
The county purchased its first cyber liability policy in July, getting insurance that protects it financially from the damage caused by hackers and other types of security breaches on its computer systems.
The county’s policy is part of a growing trend to insure computer systems and data from breaches. Cyber liability coverage is a relatively new form of insurance for government agencies, according to insurance industry and county officials.
The $25 million policy from New York-based Beazley Group cost the county $10,138 for a year of coverage. The county is part of a shared risk pool, which keeps the rates down.
The county added the coverage by working with its broker, who suggested it, said Les Lee Shell, director of Clark County’s Office of Risk Management.
The county hasn’t had any breaches in recent years that would have required an insurance claim, Shell said, noting that the policy was an easy choice to add to the county’s existing property liability coverage at a reasonable cost.
The county’s system is vast: it has about 7,000 computers and about 2,000 cellphones. Those figures don’t include District Court, University Medical Center, the Department of Aviation or the district attorney’s office.
Nicholas Economidis, an underwriter for Beazley, said cyber liability insurance represents a shift from the industrial era, when insurance policies covered physical assets such as equipment and buildings.
Now, networked computer systems holding vast troves of information pose a risk to privacy and the potential for damage from identity theft. That damage is less tangible than what traditional insurance coverage pays for, such as damaged property and bodily harm from accidents.
“The average Americans have realized that their information is out there,” he said, noting there are privacy concerns.
For example, cyber liability insurance policies, including the county’s, pay for the costs of notifying people that their personal information was compromised and additional services such as credit report monitoring.
The policy also covers losses from cyber extortion, defined as extortion payments made under duress to prevent or end an extortion threat, and any damage inflicted on county equipment and data. The policy also provides legal advice and forensics expenses for investigating the source of a security breach.
It also offers protection against libel if confidential information were to appear on the county website because of a breach.
Beazley’s response to a breach also would include public relations and crisis management costs.
The pool group that the county belongs to for the insurance has a wide spectrum of government agency members across the United States and in Southern Nevada. Members include the city of North Las Vegas and cities in California, Alaska and Oregon, to name a few.
In the 1990s, cyber liability insurance was more of a niche form of coverage that only interested large banks and retailers, Economidis said.
In the past several years, that’s changed, he said. While there hasn’t been one major breach to bring attention to the issue, there has been a steady drumbeat of incidents that show businesses and government agencies that protection is needed, he said.
Hacking and hackers get the most attention, he said. But there are other risks for any company — rogue employees stealing information and malware that damages computer systems, for example.
A variety of local and state government agencies have seen breaches that compromised personal information in recent years, including Miami-Dade County, Fla., Detroit and state agencies in California and Colorado, according to the Privacy Rights Clearinghouse, a nonprofit advocacy group that compiles accounts.
The county hasn’t yet had to file any claims on the new policy.
Contact Ben Botkin at email@example.com or 702-405-9781. Find him on Twitter: @BenBotkin1