Data Privacy Liability for Spokane Small Businesses Without a Tech Team

by Tom Moore | Mar 27, 2026

Reviewed by Tom Moore, Agency Partner, CA Agency Insurance License 6003355
Last reviewed: 3/27/2026


Key takeaway: Data privacy liability is the legal and financial exposure a business faces when customer or employee data gets compromised. For small businesses in Spokane, that exposure exists whether you have five employees or fifty — and whether you have an IT department or not. If your business collects names, email addresses, payment information, or health data in any form, you have data privacy liability. The question is whether you have anything protecting you when something goes wrong.

Most Spokane small businesses don't think of themselves as data companies. You're a salon, a contractor, a boutique, a dental office. You're not running servers. You're not storing social security numbers in some database. You're just doing business.

But you're also emailing customers. Running a booking system. Saving credit card numbers through your POS. Keeping employee records somewhere. That's data. And in Washington State, the moment that data gets into the wrong hands, the clock starts on your legal obligations — and your exposure.

The businesses that get hurt the worst aren't the ones who knew they had a problem and ignored it. They're the ones who had no idea they were sitting on liability at all.

What Data Privacy Liability Actually Means for a Small Business

Data privacy liability is what you're on the hook for when personally identifiable information (PII) your business holds gets breached, stolen, leaked, or misused. It covers the cost of notifying affected people, any regulatory fines, legal defense if someone sues you, and the work required to respond to the incident.

The Washington State My Health My Data Act — which took effect in 2024 — significantly expanded privacy obligations for businesses that collect consumer health data, including fitness apps, wellness programs, and some medical service providers. But Washington also has a long-standing data breach notification law that applies to almost any business storing personal data. If you experience a breach and fail to notify affected Washington residents within 30 days, you face civil liability on top of whatever damage the breach already caused.

None of that requires you to be a tech company. It requires you to hold data. Which you do.

You're Collecting More Data Than You Think

Ask most small business owners what personal data they hold and they'll say, "Not much." Then walk through it with them and the list gets long fast.

Customer names and contact info. Credit card data or bank account numbers from payments. Email lists from marketing. Employee social security numbers for payroll. Driver's license copies from job applications. IP addresses logged by your website. Health history if you're in any kind of wellness or medical-adjacent business.

That's not a hypothetical inventory. That's what a typical Spokane retail or service business is holding right now.

The Types of Data That Trigger Liability

Under Washington law, a breach notification is required when the following categories of data are compromised: Social Security numbers, driver's license numbers, financial account numbers, health insurance or medical information, login credentials, and biometric data. If your business holds any of these — even in a spreadsheet someone emailed you three years ago — you have notification obligations the moment that data is accessed without authorization.

Why "We Don't Have a Tech Team" Doesn't Lower Your Risk

Here's where the liability actually gets worse, not better.

A business with a dedicated IT team has someone monitoring for threats, maintaining patches, and catching anomalies before they turn into incidents. A 10-person shop using a shared Google account and a POS terminal from 2019 doesn't have any of that. The exposure doesn't disappear because the infrastructure is simpler. In some ways it's higher, because the defenses are lower.

The NAIC has published guidance repeatedly warning that small businesses are disproportionately targeted in cyberattacks precisely because attackers know the defenses are thin. A phishing email that hits a 200-person company might get caught by a spam filter or flagged by a security-trained employee. The same email hitting a 6-person business where the owner handles her own email? Different outcome.

The liability exposure is the same size. The likelihood of a breach is higher. The ability to absorb the aftermath without insurance is basically zero.

What Happens After a Breach: The Costs Most Owners Don't See Coming

Most people assume a data breach means someone hacks your system and steals credit card numbers. That happens. But the majority of incidents small businesses face are smaller and messier: a laptop left in a car, a phishing email that got clicked, a vendor who had access to your system and didn't secure it, an employee who emailed a client list to the wrong address.

Any of those can trigger your notification obligations under Washington law. And the costs pile up in ways most owners haven't budgeted for.

Notification Costs Alone Can Be Brutal

Washington requires timely notification to affected individuals and, in some cases, to the state attorney general when a breach affects more than 500 Washington residents. That means identifying everyone affected, drafting compliant notification language, mailing or emailing notices, and in some cases offering credit monitoring services to people whose financial data was exposed.

The IBM Cost of a Data Breach Report consistently places the average cost of a breach for small and mid-size businesses in the hundreds of thousands of dollars. The notification process alone — before any legal fees, before any fines — can run $50,000 or more when you factor in outside counsel to ensure compliance.

Most small businesses don't have that sitting in reserves.

Does Your Current Business Insurance Cover a Data Breach?

Probably not. And this is the part that catches people off guard.

A standard Business Owner's Policy (BOP) — the bundled general liability and property coverage most small businesses carry — was designed for physical risks. Slip-and-fall claims. Fire damage. Equipment theft. It was not designed for digital incidents, and most standard policies either exclude data breach losses entirely or provide very limited sublimits that don't come close to covering the actual cost of an incident.

The Insurance Information Institute is explicit on this point: standard commercial liability policies typically do not cover cyber events, and businesses that assume otherwise often find out the hard way after a claim is denied.

If you haven't read your policy recently — or ever — that's not unusual. But it's worth knowing what you have before you need it.

What Cyber Liability Coverage Actually Does

Cyber liability insurance is the coverage built specifically for data-related incidents. It's divided into two parts that work together.

First-party coverage pays for your own costs after a breach: forensic investigation to determine what happened, notification to affected people, public relations support, credit monitoring services if required, and business interruption losses if the incident takes your systems down.

Third-party coverage pays for legal defense and settlements if someone sues you because of the breach — a client whose financial data was exposed, an employee whose personnel records were accessed, a vendor claiming damages from a system compromise that started with your network.

Some policies also include regulatory defense coverage, which matters because Washington's privacy statutes create civil liability and the state AG's office has shown it will pursue enforcement actions. The Washington State OIC has published resources on cyber liability coverage that are worth reviewing before you buy — or before you decide you don't need it.

How Much Coverage Does a Spokane Small Business Actually Need?

There's no universal answer, but there's a useful starting framework.

Think about how many customer records you hold, what categories of data they include, and what your annual revenue is. A Spokane service business with 500 clients and basic contact and payment info has a meaningfully different profile than a medical-adjacent wellness business holding health history on 2,000 patients.

Most small businesses with under $2 million in revenue and a modest customer database look at policies in the $1 million to $2 million range with deductibles they can actually absorb. Premiums for that level of coverage are often more reasonable than people expect — frequently in the range of a few hundred to low thousands annually, depending on the industry and data profile.

The right number depends on your specific operation. Which is exactly why it's worth talking through rather than picking a number off a quote form.

Steps to Take Before You Buy Anything

Before you spend money on coverage, take 30 minutes to understand what you actually hold.

Make a list of every place customer or employee data lives: your email system, your POS, your booking software, your payroll provider, your website's contact form, your CRM if you have one. That list tells you your exposure. It also gives a broker something real to work with when they're quoting coverage.

Then read your current BOP. Look for any mention of data breach, cyber, or electronic data. Note any sublimits. This takes less time than you think and tells you immediately whether you have a gap.

From there, a conversation with an independent broker who knows small business coverage in Washington — not a national call center — gets you to the right answer faster than any amount of online research.

If you want to run through your current coverage and see where the gaps are, we're happy to do that with you. No pitch. Just a look at what you have.


Frequently Asked Questions

Does Washington State require small businesses to carry cyber liability insurance?

No. Washington does not mandate cyber liability coverage. But Washington does impose legal obligations on businesses that experience a data breach — including notification requirements and potential civil liability. Having coverage doesn't change the law. It changes whether you can afford to comply with it.

What counts as a data breach under Washington law?

Under RCW 19.255.010, a breach is defined as unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information. That includes electronic records and, in some cases, paper records. It does not require a sophisticated attack — an email sent to the wrong recipient containing personal data can qualify.

Can a small business be sued over a data breach?

Yes. Affected individuals can bring civil claims under Washington's privacy statutes. The state attorney general can also pursue enforcement actions. Legal defense costs alone — before any settlement — can be significant for a small business without coverage.

What's the difference between cyber liability and general liability for a small business?

General liability covers bodily injury and property damage claims arising from your business operations. It was not designed for digital incidents. Cyber liability is a separate coverage type built specifically for data breaches, system failures, and the regulatory and legal consequences that follow. Many standard policies exclude cyber events entirely.

My business uses a third-party payment processor. Doesn't that mean they're responsible for the data?

Partially. A reputable payment processor carries its own security and compliance obligations. But if the breach originates from your side — your system, your network, your employee — you're still exposed. Shared infrastructure doesn't eliminate your liability; it just adds another party to a complicated conversation.

How does the Washington My Health My Data Act affect small businesses?

The My Health My Data Act applies to businesses that collect consumer health data, which includes fitness tracking, wellness programs, and some telehealth or medical-adjacent services. It gives Washington residents expanded rights over their health data and imposes specific consent and deletion obligations. Businesses in those categories should verify their obligations with legal counsel — this is a relatively new statute and enforcement posture is still developing.

Is cyber liability expensive for a small business?

Less than most people expect. For a small Spokane business with a modest data footprint — a few hundred customers, standard contact and payment info, no health data — coverage in the $1M range can often be secured for a few hundred dollars annually. The variables are your industry, the type of data you hold, your revenue, and your existing security practices. A conversation with a broker takes 20 minutes and gives you a real number.

What if I already had a breach and didn't know it?

This happens more often than you'd think — many breaches go undetected for months. If you suspect a past incident, the first call is to an attorney familiar with Washington's breach notification law, not an insurance broker. Coverage typically applies going forward, not retroactively. But knowing your current posture — what you hold, what your obligations are, and what coverage you have now — is the right starting point.

Tom Moore

Tom Moore is an Agency Partner with All Lines Insurance and has worked in the insurance industry since 1999. He is known for giving clients clear, practical guidance and helping them find coverage that fits their needs and budget. Tom’s work has also earned broader recognition, including being featured in Safeco’s “Agent for the Future” segment, and his agency has received the "Make More Happen Award" multiple times for community involvement. He is committed to building long-term client relationships through trust, service, and dependable support.