The idea that a dealer may be held liable for personal identity theft began to come up about 10 years ago. At that time most policies were silent on the matter, which meant that there may or may not be coverage depending on how the claims adjuster interpreted the policy as it related to the specific claim.
Over the past few years a number of dealer specialty companies have been adding some personal identity theft coverage to their forms and a few stand-alone polices are now offered. The coverage varies dramatically both in form, limits and deductibles.
This article will attempt to break out the various coverages offered. It is fair to say that few of the policies offer all the coverages available. It is worth your time to ask your agent specifically what is covered. As I’ve stated any number of times, “The devil is in the details” and that is certainly the case with personal identity theft coverage.
Personal identity theft coverage is also called vicarious liability coverage as it relates to liability vicariously assumed by the dealership by the act of employees or other third parties. The most basic of coverage offered is crime coverage. It only covers the actual loss of money or other property as the result of the actions of an employee. A claim example would be an employee taking the credit card information of a customer and going on a spending spree. The policy would pay for any money taken by the employee and provide defense expenses in the event of a lawsuit related to the identity theft.
Other insurers offer the coverage as part of the garage liability portion of the policy. However, claims resulting from ID theft are often limited to $40,0000 to $50,000 per occurrence and $100,000 aggregate. In some cases the coverage may be given a broader interpretation because the coverage is for “damages” instead of being limited to money only. However, once again, the coverage is limited to theft or misuse of the credit information by employees.
So, what happens if an outsider hacks into your computer system and steals your computer files and thus many customers’ identities? This opens a whole new can of worms both from the standpoint of coverage and potentially your response to the hacking. In the coverage formats mentioned already, there would be no coverage unless your employee was involved with the hackers. For the purposes of this article we’ll assume they are not.
In addition to the coverages mentioned before, some carriers and stand-alone policies offer broader coverage that does address the issues related to having your computers hacked by an outside party. Should an outside party steal your clients’ private information you may have governmental bodies involved, the press and a host of angry past customers and possibly their attorneys. All this potentially damages the good reputation you’ve worked long and hard to build. None of these policies address the financial loss of reputational damage. Be certain class action suits are not excluded. Some polices do provide some level of expense coverage to help you mitigate any damage.
Should you be hacked you would need to make everyone whose data was stolen aware of the potential identity theft as soon as possible so they can take the proper steps to mitigate any damage they may suffer. This process could be time consuming and expensive.
Your problems may also make the news. In that case you may want to make a specific public relations effort to address the situation and explain the new steps you are taking to improve the safety of your customers’ information. Some policies will even pay for credit monitoring services for your customers who have their data stolen.
There is also the possibility that such a situation would draw the attention of regulatory authorities. These authorities may require you to take specific steps to assist and notify any potential victims. Your policy should pay for expenses for steps you take voluntarily, such as after the event, public relations and those required by a governmental agency.
Polices that offer coverage for data breach expenses usually have a higher deductible than those that do not or the expense coverage may be limited to some amount lower than that of the overall coverage.
One situation that does occasionally occur is when your employee steals an identity to get a deal done. The customer may or may not be aware of the situation. A few months go by and the customer defaults or the lender during an audit finds the discrepancy. The lender then comes to you under the recourse clause in your lending agreement and demands payment. This creates quite a coverage problem. Some policies specifically exclude any claim related to a recourse clause. Some policies are limited to suits brought by customers and the bank would not be deemed a customer, thus it would be excluded. Some polices are silent and do not address the subject. In that case the claims adjuster would interpret the policy as it related to your specific set of circumstances. No policies we have seen specifically offer coverage for recourse situations.
In summary, these policies, their coverages and premium charges vary a great deal. Some cover the acts of your employees only while others offer coverage for outside hackers. Some cover the expenses associated with an identity theft while others only cover real financial loss by your customer.