Data Breaches Are Serious Exposures for Fitness Businesses

CONTENT BROUGHT TO YOU BY: Sports & Fitness Insurance Corp.

Technology is a huge advantage for the fitness industry today, but it also has brought with it serious exposures as well. A data breach can destroy a fitness business by damaging its reputation and relationship with its members, clients and employees. Small and mid-sized business owners need to be aware that they are just as vulnerable to data breaches and hacking as large businesses. The personal information of members, clients and employees can be lost, stolen or destroyed by computer hackers, thieves and even dishonest employees. Sensitive data can be improperly exposed through accidental or inadvertent release.

With recent publicity about large data breaches of prominent organizations, concerns about cyber liability have grown to a point in which most state legislatures have passed laws requiring business owners to notify affected persons. In most states, a business must be able to notify all parties whose personal information may have been released or exposed, communicate the scope of the potential data breach to them, and provide access to credit monitoring assistance and identity restoration to them. In addition, the business owners may face legal defense and settlement costs if claims are brought against them because of the breach.

The first step to addressing the exposure is to understand what a data breach is. To do so, it is necessary to define the "personal information" that would compose a data breach. Personal information that can uniquely identify an individual is called Personal Identifying Information (PII) and includes an individual's first name or first initial and last name, in combination with any one of the following data:

  • Social Security number;
  • driver's license number;
  • bank account number;
  • credit or debit card number with personal identification number such as an access code, security codes or password that would permit access to an individual's account;
  • home address or email address; and
  • medical or health information.

A data breach makes PII available to unauthorized individuals inside or outside of the organization.

All fitness businesses collect PII on members and employees, as well as many prospects and guests. Please note that Health Insurance Portability and Accountability Act (HIPAA) compliance relates to an organization's need to comply with the privacy rules set out by the Health Insurance Portability and Accountability Act. This is not usually triggered unless a business receives direct insurance reimbursement for services. All fitness facilities have liability for data breach, but only those receiving insurance reimbursement will have the requirement to meet HIPPA guidelines for privacy as well.

The data breaches making media headlines right now are systems-related and have to do with computer hackers gaining unauthorized access to PII data electronically. It is important to remember that physical data breaches still occur as well and include misplaced backup files, paper files being lost or misplaced or a stolen laptop. Both types of data breach can result in an expensive variety of damages for a fitness business including:

  • interruption of ongoing operations;
  • destruction of hardware and software;
  • release of sensitive business information; or 
  • the exposure of the PII of members, clients, employees, vendors or partners.

Beyond the legal requirements imposed by state laws and the costs associated with meeting them, how a business owner responds to a data breach can mean the difference between preserving members verses losing them. When confronted with a data breach, many business owners make short-sighted or panicked mistakes that can significantly increase their cost of responding and put their reputation at risk as well. It is imperative to develop a data breach action plan before an incident occurs that will assist the business to address the situation one step at a time if it does occur. Unfortunately, in our present technology-driven environment, it is not a matter of "if" a data breach will occur but "when" for many fitness businesses.

A thorough data breach action plan should start with preventive measures including training staff to properly handle PII data and maintaining appropriate protection software on all systems that store the data. Methods of containment to limit the scope of the data breach should be outlined in the data breach action plan. It will then address effective means of response, including immediate communication to those individuals affected and provide appropriate solutions for them, as well as restoring the safety of the systems going forward. The goal of the plan is to not only restore the systems so that data is once again safe, but to restore the reputation of the business by effectively addressing the well-being of the individuals affected. A well-communicated, timely and compassionate response will go a long way toward retaining the membership's confidence.

Available Resources

Most fitness business operators, however, lack the resources to address each aspect of the data breach action plan and respond effectively if they have to face a data breach incident. This is why insurance companies have worked to offer both protection and education to provide assistance before and after a data or cyber loss.

Data Compromise coverage is available via different forms from most insurance carriers to help business owners pay for the expenses involved in properly responding to a data breach and the recovery or restoration of computer systems and data. This coverage is usually listed under Electronic Data Processing (EDP) in the Commercial Property Insurance policy coverage forms and frequently called Cyber Liability in the Commercial General Liability Insurance policy coverage forms, or it can be added by extension or endorsement to either policy.

It is important to review the Electronic Data Processing (EDP) and Cyber Liability coverage provided by all business insurance policies in effect for a fitness business:

  1. Review the existing limits to make sure they are sufficient to cover the exposure of the specific fitness business.
  2. Review the number of members or clients and employees that could be affected by a data breach.
  3. Review the potential cost to restore systems and data when calculating how much coverage the business needs. The insurance carrier may have additional coverages available that would provide better protection and/or higher limits at an additional premium if it is determined that more coverage is needed.

Ultimately, Data Compromise and Cyber Liability protection are insurance coverages that protect the reputation of the business. The incremental cost of additional coverage is small compared to re-establishing a business’s brand.

Esteemed insurance carriers already offer outstanding resources that can help fitness business owners understand and prepare for data breach and cyber liability exposures. Their resources can include:

  • sample data breach incident response plans;
  • training for business owners and employees on best practices for handling PII data,
  • risk assessment of current operations; and
  • risk management tools to improve safety, as well as up-to-date articles, webinars and legal advice.

Most carriers provide these resources to their policy holders at no additional charge. Utilizing these tools can save operators of a fitness club a great deal of time and money in their evaluation, preventive and response stages.

Data breach is a serious threat to all fitness businesses. Addressing the exposure prior to a breach can save the reputation and future of the fitness facility. Find out what insurance coverage you have and what resources are available to prepare and protect your business now. 


Jennifer Urmston Lowe has been with Sports & Fitness Insurance (SFIC) as a licensed insurance agent insuring health clubs and fitness centers since 1998. She helped her father, John Urmston, found the IHRSA Insurance Program for Property and Casualty Insurance in 1999 and has functioned as SFIC’s national account manager since then. She is a founding member of the advisory board of the Association of Fitness Studios. She can be reached at [email protected] or at (800) 844-0536 ext. 2333.

Sports & Fitness Insurance Corp. (SFIC) was founded in 1985, and has been dedicated to the fitness industry, exclusively insuring health clubs for 30 years. SFIC offers general liability insurance, including professional liability, property insurance, umbrellas, workers compensation and surety bonds for large and small fitness centers, as well as group exercise, yoga, Pilates, dance and martial arts studios and fitness professionals. SFIC is the managing general agent for Liberty Mutual Insurance for the fitness industry. Liberty Mutual offers resources for preventing and addressing data breach threats and provides these resources at no additional cost to their insureds.