The growing need for cyberliability insurance: How increased online and electronic activity exposes congregations to new risks.
In recent years, major data breaches involving millions of stolen credit card numbers have targeted national retailers such as Target and Home Depot. Experts warn, though, that smaller organizations — including churches — increasingly fall victim to cybercrimes and other online mishaps.
As congregations wade further into the world of technology usage, they handle rising volumes of sensitive personal data about staff, volunteers, and members — from payment information tied to “e-tithing” to Social Security numbers obtained to run background checks.
Churches also stream intellectual property on their websites, use email and social media to interact with both members and nonmembers, and publish or distribute prayer requests electronically that sometimes reveal private, confidential details of people’s lives.
All of this electronic activity potentially exposes congregations to greater liabilities, be it a copyright claim for a song distributed through online streaming or a libel claim after a disgruntled staff member uses a church-owned social media platform to reveal damaging information about someone.
Given these heightened liabilities, insurance carriers have responded by developing special “cyberliability” coverages — beyond prototypical general liability policies — to cover technology-related claims and damages.
This article appears online at ChurchLawandTax.com, a website of Christianity Today.
• • •
Bobby Ross Jr.
“This area of cyberlaw has continued to expand astronomically,” says Lisa Runquist, a California-based attorney and editorial advisor to ChurchLawAndTax.com. “Just because you feel like you’re okay today, that doesn’t mean that next year you’re not going to have a problem.”
Asked if she would urge churches to consider cyberliability policies, Runquist says: “It depends on how active they are in that area. But it is certainly moving in that direction, and it certainly wouldn’t hurt anyone when they’re reviewing their insurance policies to talk to the insurance company and see what’s available and what it would cost to have that type of insurance rider.”
Susan Fontaine Godwin, founder of Christian Copyright Solutions, says, “there are so many things going on (at a church website) that could leave you open or vulnerable” and that the emergence of cyberliability insurance makes sense because of that. Godwin says it’s easy to overlook some of these risks. “You’ve thought you’ve gotten everything taken care of, and then somebody posts something that leaves you at risk.”
Most churches have not taken adequate steps to protect themselves, says Peter Persuitti, managing director for religious practice at Arthur J. Gallagher & Co., a global insurance broker. “Even among the very largest of churches of America, this is an area where they have truly not kept up,” Persuitti says.
Eric Spacek serves as director of risk management and loss control for GuideOne Insurance. He notes that while cyberliability policies emerged a decade ago, only in the last few years have they gained traction among churches. “Certainly, the interest is growing, and the amount purchased is growing because there’s more information about this now than there was some time ago,” Spacek says. “We do see a growing number of people or churches asking for the coverage compared to what we would see three, four, or five years ago.”
Steve Robinson, Area President at Risk Placement Services (a division of Arthur J. Gallagher & Co.), also says he sees increased interest among churches for cyberliability coverage. However, he notes, “I would still put the number of churches who have purchased it at probably less than 20 percent.”
General versus Cyberliability Coverage
Cyber policies range from an endorsement on a general liability policy to a comprehensive plan that includes coverage for paper documents and risk management programs, says Rosetta Ford, a specialty services manager for Church Mutual Insurance Company. “Cyber policies not only offer broader liability coverage, but they spring into action before those breached are even aware of it, providing coverage and services regardless of liability,” she says.
“Many of the expenses related to a breach are not liability based,” Ford adds. “An example would be a forensic investigation to determine which information was accessed and how, locating all the affected individuals to provide proper legal notification that their information has been accessed, the legal notifications themselves, credit monitoring, legal consultation, public relations, regulatory fines and penalties, and reconstruction of data.”
Traditional insurance coverage “didn’t contemplate today’s modern risks involved with data and privacy breaches, intellectual property, [or] infringement, media,” Robinson notes. That means churches may have to adapt to these new technology uses and risks.
“Churches are utilizing websites and various forms of communication to reach their constituencies in creative new ways, to help grow their churches, and to spread the mission of what they’re doing in great ways,” Robinson says. “So, as a result, you have new risks that aren’t being addressed through the traditional insurance channels, and that’s created this void in the marketplace that’s opened the door for what we referred to as cyber-risk.”
Types of Cyberliability Coverages
To help noninsurance professionals understand the types of cyberliability coverage available, Robinson said he speaks in terms of a “left side of the policy” and a “right side of the policy.”
Left side: This deals with the basic question of “What if we get sued and have to defend ourselves?”
This would include the liability a church incurs because of its negligence in the release of personally identifiable information. “It provides a level of coverage for that privacy and data breach security liability,” Robinson says. “This would be for intellectual property infringement or personal injury in the electronic environment, social media, or website environment, where that would typically be excluded in regular policies also.”
Right side: This includes what is known as the “first party costs.”
As Robinson explains, “These are the out-of-pocket expenses the church would have to incur to make a problem go away. Examples of that would be a lawyer who specializes in privacy law and breach response. … They’re the ones that align all the resources on behalf of the church, if they need to hire an IT forensics firm to determine where the breach occurred and how.”
Other possible first party costs include notifying victims of the breach, providing credit monitoring, hiring a public relations firm, and navigating the crisis management.
“And there’s various other coverage also, like business interruption,” adds Robinson. “A good example of that would be a church is relying on their website to collect online donations, and if that website is hacked, and as a result of that, they’re out revenue—it could replace that revenue.”
Costs and Coverage Levels
Services offered by Church Mutual Insurance Company include data risk liability insurance, data breach response remedies, incident response on-demand, identity protection for all full-time employees, and risk management services and education, Ford says. Premiums vary per customer as the pricing is based not only on the coverage and limits requested, but also on revenue size, Ford says.
GuideOne’s Spacek says his company offers data breach liability coverage ranging from $100,000 to $1 million. The premiums that churches pay for this range of coverage will vary based on a church’s total annual revenue and the number of records kept on church members. “In other words, if (a church) were doing tithing through online means, they might have bank account information in their system versus if they just have a website that says, ‘Here’s what we do, and here’s what our ministry is all about,’ without keeping the personally identifiable information in their system,” Spacek says. “Then, the prices would be less.”
“The smallest limits out there and the smallest churches out there might be looking at less than $200 (a year) potentially for the coverage,” adds Spacek. “But the largest churches, or the ones that select the higher limits, could be looking at several hundred to several thousand dollars for coverage.”
Robinson agrees that costs for cyberliability coverage vary widely: “The coverage can be as inexpensive as $750 for a church whose annual revenue is $500,000, and they want a $1 million limit. That’s basically your ‘bare bones,’ about as inexpensive as you’re going to get. It could climb up for a church whose revenue is maybe more like $25 million, and they want a $1 million dollar limit. … It’s over $5,000 a year for a policy like that.”
What to Ask of an Insurer
When looking for an insurance carrier, it’s important to ask what services are provided in the event of a breach or even a suspected breach.
Church Mutual’s Ford says that other important questions to ask include:
- Does the company have any tools to help make the church’s system more secure?
- Is employee training available to avoid typical traps?
- Are sample incident response plans provided by the insurer?
- Are employees and volunteers covered as insureds? (Ford says that employees and volunteers should not be excluded from a policy for services and identity protection if their own information is included in a breach.)
- Are both electronic and paper data covered?
- What limitations does the policy have?
“The average church needs a partner with the expertise and services to get them through the process,” Ford warns. “It is a technical and specialized experience.”
Bobby Ross Jr. is an Oklahoma City-based journalist with 25 years of professional experience with media ranging from The Associated Press to The Christian Chronicle.
SIDEBAR
Best Practices for Avoiding Cyberliability Problems
No amount of cyberliability insurance coverage can protect a church against a hurt reputation. That’s why it’s important to take steps to keep data breaches and other technological mishaps from happening in the first place, experts say. “Prevention is extremely important, and it’s not that expensive,” says Nick Nicholaou, president of Ministry Business Services, Inc., a team of IT strategists.
Something as innocent as offering free public wireless networking can get a church in trouble, according to Nicholaou.
One example Nicholaou gives is that of a Missouri church that neither password-protected nor adequately managed its open Wi-Fi. “Managing it could mean turning it off when it’s not needed for big group meetings and that kind of thing,” says Nicholaou. “There was a guy that was pulling into their parking lot in the evenings, and he was distributing child porn through their public Wi-Fi connections.
“When the FBI determined what the IP address was that this was coming from, they knew it was such-and-such church, so they swooped in and confiscated all the computers, including the servers, that the church had.”
Even though no one with the church was involved in the crime, the church ended up on the news and staff members lost access to their computers for months, he says. “That was a very heavy cost on that church, and it could have been prevented very easily and for almost no cost.”
Along with addressing potential hacking and cybercrimes, churches also must work hard to maintain their integrity in copying and sharing information online, says Frank Sommerville, an attorney, CPA, and Editorial Advisor for ChurchLawAndTax.com. “No church would knowingly steal someone else’s property and use it in their newsletter,” Sommerville says. “But [they think], ‘Oh, it’s on the Internet, so it must be free.’”
In reality, most copyright laws do apply to churches, says Susan Fontaine Godwin, president and founder of Christian Copyright Solutions. “Many churches and church leaders have a lack of knowledge,” says Godwin, who writes about such issues at TheCopyrightCoach.com, “and they sometimes just don’t even think about the way they might be using copyrighted material, and that they could be at risk of infringement.”
“There are some exemptions which cover churches and religious organizations,” she adds. “But for the most part, a church would be viewed under the copyright law pretty much in the way that any business or organization would.”
Another crucial issue for churches to take into consideration is member privacy, according to Sommerville. He cites the case of a church that posted Vacation Bible School pictures and then discovered that some of the children were part of a family in a witness protection program.
“What we recommend is, if you’re going to take pictures, whether it’s broadcasting your Sunday services or Sunday school activity, you post signs in your parking lots and at your entrances,” advises Sommerville, “noting that the signs give people an opportunity to turn around and go home if they don’t want to be photographed or recorded.”
Jeremy Thompson, an information security and IT manager for Church Mutual Insurance Company, offers these tips:
- Engage third parties to host payment information and Social Security numbers so that this sensitive information does not reside with the church. “Utilize established firms who have an established presence. Do not look to be anyone’s biggest customer. Find someone for whom these transactions are a core competency. It may be your local financial institution, it may be a niche specific provider, or it may be a nationwide presence, like a PayPal.”
- Use firewall and network defenses to fend off hacking attempts and encryption tactics if sensitive information must be held by a church staff member (for example, a youth pastor who needs to bring medical information about youths on his laptop for a missions trip overseas). “Antivirus, anti-malware, and having a personal firewall enabled are the bare minimum tactics you need. Ensure all software has current security patches or fixes applied. Make sure the user accounts on the laptop do not have blank passwords. Utilize multifactor authentication, such as a fingerprint swipe, and use file or whole disk encryption for additional protection.”
- Educate staff to exercise caution when opening and clicking through email: “Be suspicious of email you aren’t expecting, either based on the sender or content. Do not click on unfamiliar links. If you have doubts, follow up with the sender via a separate, ‘new’ email (not a reply) or via phone, to see if it is a legitimate request. Follow the safety practices outlined by the National Cyber Security Alliance.”
- Know prayer request distribution best practices: “Keep any personal or sensitive details out of the [distributed] prayer request. Do not pass along anything other than publicly available information without written consent.” (Learn more about privacy rights at org.)
- Establish or enforce a social media use policy: “A social media policy should include a list of dos and don’ts to guide acceptable behavior. It should specify who can publish content on the church’s behalf. It should give guidelines as to the use of parishioners’ names or sensitive information. Social media are more akin to a ‘press release’ rather than a ‘church newsletter,’ so keep in mind that your messages and posts may be read by the general public, as well as your members.”