Another company processes all our credit card transactions. If customer data is lost or stolen, can we make a claim against their, or our, insurance policy?

Yes, you can claim, says Ben Beeson, partner in the global technology and privacy risks practice Lockton Companies LLP. Your customers’ personal data, despite being processed by a supplier, remains your responsibility.

A problem of online trading is that personal data can often be held in several places, making tracing and stopping a breach difficult and costly – an IT forensic investigation will be needed to identify where and how the breach occurred. Beeson says you can transfer the costs of this via an indemnity or “hold harmless” agreement in the terms of your contract with your supplier. “You could structure this agreement so that you hold your supplier responsible for any remediation costs,” he explains.

You can also use your insurance policy to claim for any costs associated with defending any legal action that a customer might bring against your company as a result of the data breach. Your insurance policy will cover the costs of notifying your customers, which, depending on the size of your customer base, can be significant, says Beeson. “Such cover would help against the costs of customer credit monitoring as a result of the data loss,” he explains. It would assist with the costs of specialist crisis PR, which would help limit any potential reputational damage through negative publicity.”

Adding yourself onto your supplier’s insurance policy is always advisable. But, says Beeson: “This should never negate the need to buy your own insurance as your supplier’s policy is only as good as their assets.”