Can "ethical hacking" be covered by errors and omissions insurance?
The market for hackers has been alive and well for years, but recently, it's started following the footsteps of the "sharing economy." On the website HackersList.com, people can post jobs for freelance hackers, and such a site could make hacking services more accessible to the general public. For IT professionals, it may seem like a golden opportunity to make a little extra money.
Of course, hacking-for-hire comes with its own set of issues. First, the legality of it all. Advisen reports that some of the jobs on Hacker's List are anything but legal, such as breaking into another person's email or social media account. Though the site's terms of use forbids using the service for any illegal purposes, there are plenty of postings requesting hackers to steal client lists from competitors or change a school grade.
There are also legitimate (read: legal) freelance jobs for ethical hackers – i.e., penetration testers who have a company's consent to find security weaknesses in its system. But the question remains: can hacker-for-hire jobs jeopardize your IT errors and omissions coverage? Let's take a look.
At the crossroads of more money and more problems
First, let's set the record straight: ethical hacking means something very different from hacktivism.
Ethical hackers – also called pen testers, white hat hackers, and legal hackers – have consent to break into computer systems that the individual or entity owns and controls. The goal is to find security weaknesses to help reduce the chance of insider threats (e.g., employee data theft) and external cyber attacks that lead to costly data breaches.
Hacktivism, on the other hand, involves breaking into a computer system for a politically or socially motivated reason. Though the motivation may be altruistic in nature, hacktivists often don't have permission to break into these systems, which makes the activity illegal.
Here's the thing: companies and government bodies often hire white hat hackers to help them shore up their cyber defenses. It can be a lucrative way to earn extra money if you have a background in IT security.
But if you're accepting freelance pen testing jobs off a site like Hacker's List, it may be hard to determine whether you're actually being hired by someone who has the authority to give you the consent you need to make your activities legal. And if you provide illegal services (including hacktivism), your E&O Insurance policy won't cover you if you end up being sued over that work.
What E&O insurance can cover
Your errors and omissions insurance may be able to protect your white hat hacking company under the following circumstances.
You don't conduct illegal activities
If you don't know who's hiring you to do the pen test, don't take the job. A court may decide that given your background, you should know how to conduct white hat testing and the fact that you ignored your better judgment could be construed as intentional wrongdoing. Your E&O policy can't cover you if you're charged with criminal activity or intentional wrongdoing.
You get sued over mistakes while providing legal services
Say a company hires you to find vulnerabilities in its IT security system. If you fail to find an obvious vulnerability and the company suffers a data breach because of it, you may be sued over the oversight. (For more on that, read, "How you can get sued after a data breach.") When that happens, your E&O coverage can help pay for legal expenses.
Lastly, it's worth noting that the word "hacking" is still a scare word for plenty of folks. So if you list "ethical hacking" on your description of services in an E&O insurance application, it may be a red flag for providers. Some may hike up your rates; others may outright deny coverage. You may want to opt for the more benign "penetration testing" in your services description.
Compare quotes from trusted carriers with Insureon
Complete Insureon’s easy online application today to compare insurance quotes from top-rated U.S. carriers. Once you find the right policy for your small tech business, you can begin coverage in less than 24 hours.
