What data breach insurance covers
Data breach insurance is designed to cover the full cost cascade that follows a breach — from the moment you discover it to defending yourself in court and paying regulatory fines.
- Breach notification costs — Legally required in many jurisdictions. GDPR requires notification within 72 hours. US state laws vary but all 50 states have notification requirements. These costs include postal mailings, email notifications, and call centre support.
- Credit monitoring and identity protection — For affected individuals. Can cost $100-$200 per person for 2-3 years of coverage.
- Forensic investigation — Determining what was accessed, how it was accessed, and whether data was actually stolen or just exposed. This can cost $50K-$200K depending on the scale.
- Legal counsel — Breach coach, regulatory specialists, and employment lawyers (in case of lawsuits from affected individuals).
- Regulatory defence costs and fines — Where insurable by law. Not all jurisdictions allow fines to be insured, but defence costs usually are.
- Class action defence and settlements — If affected individuals sue. Settlement costs can exceed the insurer's policy limit.
- PR and crisis communications — Managing your brand reputation during and after a breach.
- Call centre costs — For handling inquiries from affected individuals, employees, and media.
Data breach costs by the numbers
- Average cost per breached record: $165 (IBM 2024 analysis)
- Average total breach cost: $4.88M
- Healthcare breach: $10.93M average (sensitive patient data, HIPAA fines)
- Financial services: $6.08M average (regulatory exposure, customer trust)
- Time to identify a breach: 194 days average
- Time to contain after discovery: 64 days average
- Cost multiplier: Breaches identified by third parties cost 30% more than those identified internally
Regulatory landscape
Regulations vary dramatically by location. Your data breach insurance needs to account for where your data lives and where your customers live.
| Region | Regulation | Notification Requirement | Max Fine |
|---|---|---|---|
| EU/UK | GDPR | 72 hours to authorities; without undue delay to individuals | Up to 4% of global turnover or €20M |
| United States | State-by-state (all 50 have laws) | Varies; typically 30-60 days | Varies; some states have private right of action |
| Australia | Notifiable Data Breaches scheme; Privacy Act | Reasonable steps, without undue delay | Up to A$50M |
| Canada | PIPEDA; provincial privacy laws | Mandatory breach reporting | Up to C$100K per violation |
| Payment Cards | PCI DSS | Varies by acquiring bank | $5K–$100K per month non-compliance |
Who needs data breach insurance?
If you store any personally identifiable information (PII), you need data breach insurance. This includes:
- Any online business — Customer names, email addresses, and postal addresses are PII.
- Healthcare organisations — Patient records are the most valuable data on the black market (worth 10-50x credit card numbers).
- Financial services — Account numbers, transaction history, and payment data.
- E-commerce — Payment card data (even if processed through a third party, you may be liable for breach notification).
- SaaS companies — Customer data stored in cloud infrastructure.
- Professional services — Client confidential information (contracts, tax returns, legal documents).
- Educational institutions — Student records.
- Government contractors — Personal data on citizens, employees, or beneficiaries.
If you're unsure whether you hold PII, the answer is almost certainly yes. Email addresses alone are sufficient for most regulatory definitions.
Key policy terms to understand
Data breach policies have some unique terminology. Make sure you understand these before you buy:
- Retroactive date. This is the earliest incident date your coverage reaches back to. A policy with a retroactive date of January 1, 2025 will cover breaches that occurred on or after that date but before your policy start date, provided they are discovered after the policy begins. This matters for legacy breaches discovered later.
- Defence costs: inside vs outside the limit. "Inside the limit" means defence costs reduce your available claim payout. "Outside the limit" means your full policy limit is available even after paying legal fees. Always prefer "outside the limit."
- Regulatory coverage: defence only or defence + fines. Some policies only cover defence costs, not the fines themselves. This is a major gap if you're in a high-fine jurisdiction like the EU.
- PCI DSS coverage. If you accept payment cards, PCI DSS fines are separate from data breach fines. Make sure your policy covers PCI assessments and fines specifically.
- Duty to defend. Does your insurer control the legal defence, or can you choose your own counsel? "Duty to defend" means your insurer picks the lawyer. You generally want more control, not less.
Real-world scenario: Medium-sized e-commerce breach
A mid-market e-commerce company with 500K customer records discovers a data breach. Here's the real cost breakdown:
- Forensic investigation: $120,000
- Breach notification (email + letter): $85,000
- Credit monitoring (3 years): $180,000
- Legal counsel and regulatory response: $150,000
- PR and communications: $75,000
- Lost revenue during incident response: $300,000+
- Potential settlement (class action): $500,000+
Total potential exposure: $1.4M+. A $1M data breach insurance policy would cover most of this. Without it, this company faces bankruptcy.
Don't let a data breach cost you millions
Get matched with a specialist cyber insurance broker who'll ensure your data breach coverage is comprehensive and appropriate for your business.