Cyber-liability insurance: Understanding what you have and what you may need by Andrew Lustigman & Jeremy M. King
Cyber-liability coverage cannot be addressed in a one-size-fits-all fashion
In the growing technologically interdependent marketplace, any company that stores either its own data or data from customers and business partners in an electronic format is at risk of data breach liability arising from unauthorized access to and use of that data. New federal legislation is being proposed to standardize the reporting and notification framework.
The increase in data breach incidents in recent years may only be matched by the increase in media coverage and articles inundating companies with one message: Network and computer security needs to be a priority for any business. While a company’s own cybersecurity regime needs to be the first point of defense against such losses, significant attention should be given to what insurance protections the company has in place.
Recent large-scale data breach incidents demonstrate the scope of the exposure a company faces. In 2011, Sony Corporation suffered a hacking attack that resulted in its facing more than 60 class action lawsuits related to unauthorized access to 200 million customers’ data and 12 million credit card numbers. In 2013, Target suffered a data breach that exposed the information of over 110 million customers and included information regarding over 40 million credit and debit card accounts. In 2015, Anthem Inc., the nation’s second-largest health insurer, revealed that personal information of about 80 million customers was compromised as the result of a hacking attack. As a result of these and other data breaches, Congress is poised to act.
Any corporate officer confronting the question of how to best protect his or her company from the increasing threat of such losses should ask more than just whether existing security protocol provides appropriate protection. Once a plan for network security and data protection is in place, the next step should be to determine whether the company has insurance in place appropriate for its exposure.
Companies typically have two types of exposure: liability to third parties (including the government) resulting from data breaches, and the companies’ own losses resulting from a loss of data and the associated interruption to the business. Addressing this exposure requires an understanding of the scope of the insurance your company currently purchases and an understanding of what additional protections may be available in the marketplace based upon the type of business the company does.
Your current insurance
It is quite likely that your company purchases commercial general liability (CGL) insurance, directors’ and officers’ liability (D&O) insurance and commercial property insurance. Depending upon policy terms, these coverages may offer some protection against data breach-related liability and losses. But, the landscape of the insurance market is changing, and the insurance industry is taking steps to exclude data breach incidents from coverage under these standard policies. Insurers now offer a number of specialized insurance products to fill in the gaps. It is more important now than ever before to have a good understanding of exactly how your insurance program responds to data breach situations and whether a special cyber-liability policy is right for your company.
Your company’s current CGL policy may provide some protection against allegations of liability resulting from a data breach, and the fact that the costs of defending claims will not erode the limits of the policy often makes this possibility very attractive to policyholders. CGL policies cover a company’s liability because of “property damage” and often also because of injury caused by violation of a “person’s right of privacy.” Insurers have challenged the applicability of these coverages to data breach situations, arguing that damaged or lost data is not the type of “tangible property” to which CGL coverage applies. Insurers have also successfully argued that a data breach does not result in a necessary “publication” of information resulting in a violation of privacy rights.
While the legal wrangling over these issues remains to be resolved, last year the insurance industry took affirmative steps to carve “data-related liability” out of CGL insurance policies via a new exclusion. It remains to be seen how uniformly this exclusion will be adopted across the industry, but it behooves any insurance-purchasing company to be aware of the exclusion and the manner in which it reduces the scope of the company’s CGL protection.
Your company’s D&O insurance may also provide some protection against liabilities resulting from a data breach or network security failures. Typical D&O insurance protects individuals from claims of wrongful acts, and to the extent that liability is predicated upon an individual’s alleged failure to take appropriate steps to safeguard electronic data, D&O insurance should respond to the claim. For example, in a putative class action pending against Target arising out of the 2013 data breach, the claimants allege, among other things, liability arising out of “failure to maintain adequate computer systems and data security practices,” and “failure to disclose the material fact that Target’s computer systems and data security practices were inadequate.”
But typical D&O insurance only insures the company against its own liability for securities claims, which generally include only claims arising from solicitation of transactions for securities of the company or claims arising from a security holder’s interest in the company. As such, while the D&O policy may give individual directors and officers comfort, the company itself may need to obtain additional protection elsewhere.
Commercial property insurance covers loss to the company’s own assets, as opposed to CGL and D&O policies that protect against allegations of liability to a third party. A property program should cover the value of what has been lost, plus the losses resulting from the interruption of business and expenses incurred in getting the business back to normal operations. While property insurance policy language can vary significantly, many insurers exclude coverage for loss of electronic data or underwrite such insurance with sublimits that are much lower than the overall limit on the policy.