Reviewed by Tom Moore, Agency Partner, CA Agency Insurance License 6003355
Last reviewed: 3/25/2026
Key takeaway: When employees use personal phones, tablets, or laptops for work — a practice known as BYOD (Bring Your Own Device) — your business takes on liability exposure that most standard commercial policies don't cover. For Spokane small businesses, the gaps most likely to hurt are in cyber liability and data breach response costs. If your business handles any customer data, employee records, or financial information, BYOD exposure is worth a direct conversation with your broker — not something to assume is covered.
You didn't hand your employee a company phone. They pulled out their own. They answered a client email, logged into your scheduling software, and texted a coworker a photo of a job estimate. Perfectly normal. And in the process, your business data just passed through a device you have zero control over, running apps you've never seen, on a home Wi-Fi network anyone in the neighborhood might be able to access.
That's BYOD. And most small business insurance policies aren't built for it.
What BYOD Actually Means for Your Business Insurance
BYOD stands for Bring Your Own Device. It describes any situation where an employee uses a personal phone, laptop, or tablet for work purposes. No formal policy required. It happens constantly in small businesses — often without the owner thinking of it as a policy at all.
From an insurance standpoint, BYOD creates a specific problem: your business data lives on hardware you don't own, in an environment you can't control or audit. When something goes wrong — a device gets lost, a phishing email opens the wrong door, an app leaks stored credentials — the liability question isn't just "whose device was it?" It's "whose data was compromised, and who's responsible for the fallout?"
The answer to that second question is almost always: your business. Your customers don't care whose phone it was. Your state regulator doesn't either. The Washington State Office of the Insurance Commissioner doesn't specifically address BYOD in its insurance regulations, but the underlying data breach liability laws apply regardless of what hardware the breach originated from.
That's the exposure. And it doesn't disappear just because you never issued a company device.
Where Standard Business Policies Come Up Short
General Liability Doesn't Follow the Device
General liability insurance covers bodily injury and property damage to third parties. It's the foundation of almost every small business policy, and it's genuinely useful for a lot of things. Data exposure from a personal device is not one of them.
If your employee's phone is stolen and a client's address list or payment information is in their email, that's not a general liability event. There's no physical injury. There's no property damage in the traditional sense. The claim that follows — notification costs, credit monitoring, regulatory fines, potential lawsuits — falls into a category most standard GL policies simply don't respond to. The Insurance Information Institute notes that cyber-related losses require specific coverage, not just a general commercial policy.
Cyber Liability Is the Bigger Problem
Cyber liability coverage is the layer designed to respond to data breach events — and it's the coverage most Spokane small businesses either don't have or underestimate. A standalone cyber policy or a cyber endorsement on a Business Owner's Policy (BOP) can cover notification costs, data recovery, legal fees, regulatory defense, and sometimes even business interruption if systems go down.
The catch: many cyber liability policies are starting to ask about BYOD practices during underwriting. If your employees regularly use personal devices for work and you have no written BYOD policy, some carriers may limit coverage or apply exclusions for losses that originate from unmanaged devices. That's not theoretical. It's showing up in policy language.
What a Data Breach Looks Like When It Starts on a Personal Phone
Here's a scenario that plays out in small businesses more often than the news cycle reflects. An employee uses their personal phone to log into your business's project management software. The phone has an older app that hasn't been updated in eight months. The developer patched a known vulnerability in it, but the employee never installed the update. Someone exploits that vulnerability and pulls login credentials.
Now the attacker has access to your project management system. Your client list. Your billing history. Maybe your employees' personal information stored in HR files. Washington's data breach notification law requires businesses to notify affected individuals — and in some cases the state attorney general — when personal information is compromised. That notification alone costs money. Legal review, letter preparation, mailing, sometimes credit monitoring for every affected person.
And the device it started on? Your employee bought it themselves. It was never on your network. You never touched it. Doesn't matter.
Does Your Business Owner's Policy Cover BYOD Exposure?
Maybe. The honest answer is: it depends on what endorsements are attached to it and how your carrier interprets the policy language.
A standard BOP — the packaged policy most small businesses carry — includes general liability and commercial property. Some include a basic cyber endorsement. Most don't include robust standalone cyber coverage, and very few address BYOD specifically. If you're not sure what yours includes, the fastest way to find out is to look for the words "cyber," "data breach," or "electronic data" in your declarations page or policy endorsements.
The NAIC tracks cyber insurance as one of the fastest-growing coverage lines in the country — in part because so many businesses are discovering after a loss that their standard policy didn't respond the way they expected.
What Spokane Business Owners Are Usually Missing
The businesses I see most exposed to BYOD risk aren't reckless. They're just small. A landscaping company with five employees who all text job photos from personal phones. A physical therapy clinic where staff check the scheduling app on their own iPads. A boutique retailer whose manager handles vendor invoices from a home laptop.
None of these operations have a written device policy. Most of them assume their BOP covers "computer stuff." And most of them haven't had a broker sit down and specifically ask: what devices touch your business data, and are any of them personal?
That question gets skipped a lot. It shouldn't. Washington doesn't have a size exemption in its breach notification law — a five-person shop has the same notification obligations as a 500-person company if customer data is compromised.
How to Close the Gap Without Replacing Your Whole Policy
You don't necessarily need to overhaul your entire insurance program. Start here:
Step 1: Find out what cyber coverage you already have. Pull your BOP or commercial package and look for cyber endorsements. If it's not there, it's not covered.
Step 2: Write a basic BYOD policy. Even a one-page document that outlines expectations — approved apps, required password protection, what to do if a device is lost — signals to carriers that you're managing the risk. It can affect underwriting.
Step 3: Talk to your broker about standalone cyber coverage. Limits on endorsements are often too low for even a modest breach. A standalone policy gives you dedicated limits and broader coverage triggers.
Step 4: Ask specifically about BYOD exclusions. If you're shopping cyber coverage, ask whether unmanaged personal devices affect your coverage. Some carriers are more restrictive than others.
The Small Business Administration offers baseline guidance on small business cybersecurity practices — a useful starting point for building internal policy before you talk to your broker.
If you want an honest look at where your current policy stands and where it doesn't, we're happy to do that review. No pressure, no pitch — just a clear answer to the question your current broker may not have asked you.
Get a quote or coverage review for your Spokane business with All Lines Insurance
Frequently Asked Questions
Does general liability insurance cover data breaches from employee devices?
No. General liability covers bodily injury and property damage to third parties. A data breach — even one that originates from an employee's personal phone — is a cyber event, not a GL claim. You need specific cyber liability coverage for that exposure.
What is BYOD and why does it matter for small business insurance?
BYOD stands for Bring Your Own Device. It refers to employees using personal phones, laptops, or tablets for work. It matters for insurance because your business can be liable for data breaches that originate from those devices — even though you don't own them or control them.
Does my Business Owner's Policy cover cyber losses?
Some BOPs include a basic cyber endorsement. Most don't include robust standalone cyber coverage. Check your declarations page for the words "cyber," "data breach," or "electronic data." If it's not there, it's not covered.
Is my small business required to notify customers if their data is breached?
Yes, in Washington State. Under RCW 19.255.010, businesses are required to notify affected individuals — and in some cases the state attorney general — when personal information is compromised. There is no size exemption for small businesses.
Can I be denied cyber coverage because my employees use personal devices?
Not denied outright in most cases, but carriers are increasingly asking about BYOD practices during underwriting. No written BYOD policy and no device management controls can result in higher premiums, lower limits, or exclusions for losses from unmanaged devices.
What's the cheapest way to reduce BYOD insurance risk?
Write a basic internal BYOD policy — even one page — that sets expectations around approved apps, password protection, and lost-device reporting. It costs nothing and can affect how carriers view your risk. Pair it with a cyber endorsement or standalone policy.
How much does cyber liability insurance cost for a small business in Spokane?
It varies significantly based on revenue, industry, data volume, and existing security practices. A small service business with limited data exposure might pay a few hundred dollars annually for a basic endorsement. A business handling significant customer financial or health data will pay more. The only way to know is to get a quote for your specific operation.
What should I ask my broker about BYOD coverage?
Ask three things: (1) Does my current policy respond to a data breach that originates from an employee's personal device? (2) Are there any exclusions for unmanaged or personal devices? (3) What would it cost to add standalone cyber coverage with limits appropriate for my operation?