BreachExchange mailing list archives
Preparing for the Inevitable: Insurance for Data Breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 18 May 2015 18:16:40 -0600
http://www.newyorklawjournal.com/id=1202726774292/Preparing-for-the-Inevitable-Insurance-for-Data-Breaches?slreturn=20150418190205

In the past few years Michaels Stores, Jimmy Johns, Adobe, Google, Yahoo, LinkedIn, LivingSocial, Wyndham Hotels and even the U.S. government have all faced data security breaches. More recently, Blue Cross Blue Shield, Anthem, Target and Home Depot were the subjects of similar attacks. In the face of these ever-increasing high-profile data breaches, companies are realizing that they must take proactive positions against the risk of such loss and ensure that they are doing everything possible to protect themselves and their customers from increasingly sophisticated attacks. It is now more important than ever for companies to purchase cyber liability insurance coverage or to review their existing insurance portfolio to determine whether they have adequate coverage.

While many people associate cyber coverage with insurance to protect a company's website, cyber risks are far more pervasive. Nearly every company has digitized certain types of information, such as accounting data, customer records and employee information, which are available over a computer network through email or other electronic access. All of this digitized data is subject to corruption, loss or theft. A company's operations may come to a halt at the hands of a computer virus, hacking, or disruption of its computer network caused by, for example, the negligence of an IT contractor or malfunctioning software. Disgruntled employees may sabotage electronic data and cripple a company's ability to conduct business operations; even more likely, an employee may misplace or lose a company laptop or BlackBerry containing sensitive information. Every business can suffer this type of catastrophic loss, and few businesses have adequate insurance coverage for it.
A 2014 Cost of Data Breach Study performed by Ponemon Institute Research found that the average cost of a corporate data breach in the United States increased 15 percent in the last year to $5.9 million; that the average cost for each lost or stolen record containing sensitive and confidential information (for breaches ranging from 5,000 to 100,000 records) was $201; and that the cost per record for a data breach due to malicious or criminal attacks was $246. The study found that the probability of a company experiencing a material data breach over the next two years, involving a minimum of 10,000 records, was nearly 19 percent, with a higher probability of occurrence estimated for public sector organizations. The study also found that the cost of a larger breach is much higher.

For example, the most recent high-profile data breaches involving Target and Home Depot cost each company millions of dollars in financial damages. Target disclosed that its data breach cost it $148 million, with $38 million covered by insurance. Home Depot expects to pay $62 million to recover from its data breach, with $27 million of that covered by insurance. All told, insurance will cover a combined $65 million for Target and Home Depot. With numbers like these, insurance coverage for data breaches must be a part of any company's insurance portfolio. Despite these known risks, it is estimated that only one in three companies now has insurance specifically to protect against such losses. As the Boston Globe reported, a spokesman for a Boston area hospital, which purchased its first cyber insurance policy shortly after a 2010 data breach put patients' personal information at risk, stated: "[w]ho would have thought about cyber insurance? It's such a new coverage to have to have."

For cyber insurance coverage, companies should look toward their existing commercial general liability coverage, crime and fidelity policies, and specialty cyber liability policies.
Traditional CGL Coverage

Commercial general liability (CGL) insurance is the most common type of coverage found in most insurance programs. Many insurers contend that CGL coverage was never intended to cover cyber risk and data breaches, and they often deny claims brought under CGL policies. Case law on coverage under CGL policies has focused on whether there is "property damage" under coverage part A of the CGL policy or whether there is "personal injury" under coverage part B of the CGL policy.

For coverage under part A of a CGL policy, the main issue is whether the data breach or loss constitutes damage to, or loss of, property. Courts have taken varying approaches to coverage under this part. For example, in Liberty Corporate Capital v. Sec. Safe Outlet, 937 F.Supp.2d 891 (E.D. Ky. 2013), the court declined to find coverage for losses resulting from improper access to a customer database under a CGL policy, because the policy excluded "electronic data" from the definition of property and because customer information in an electronic database was not "tangible." However, in Retail Systems v. CNA Insurance, 469 N.W.2d 735, 737 (Minn. Ct. App. 1991), the court found coverage where the insured had lost its client's computer tape and data. The court held that the data was tangible property and compared the data storage tape to a motion picture, where "the information and the celluloid medium are integrated," holding that "[t]he data on [a missing computer tape] was of permanent value and was integrated completely with the physical property of the tape."

Whether data breaches are covered under coverage part B usually depends on the policy's definition of "personal and advertising injury."
While "personal and advertising injury" can constitute several different types of "injury," data breach claims will typically trigger the form of personal and advertising injury defined as "oral or written publication, in any manner, of material that violates a person's right of privacy." The two main issues arising out of this injury for data breach claims are whether the breach constitutes a "publication" of that data, and whether it violates a "right of privacy." In a situation where personally identifiable information is stolen or downloaded from a retailer's network, insurers will argue that this does not qualify as "publication" of that information, since it is not disclosed to other third parties. Insurers have also argued that the "right of privacy" simply means the right to be left alone rather than the right to keep private information protected.

At least one recent decision has considered the key term "publication." In Travelers Indemnity v. Portal Healthcare Solutions, 35 F.Supp.3d 765 (E.D. Va. 2014), the U.S. District Court for the Eastern District of Virginia held that making medical records accessible triggered the policy coverage, even though no third party was alleged to have viewed the information, because, according to the court, "[p]ublication occurs when information is 'placed before the public' not when a member of the public reads the information placed before it." By contrast, in Zurich Am. Ins. v. Sony, 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. Feb. 21, 2014), a New York state court ruled in favor of several insurers, finding that the insurers had no duty to defend Sony in connection with numerous underlying putative class action lawsuits relating to the company's 2011 PlayStation data breach. The policies at issue were general liability policies, and the coverage dispute surrounded the meaning of personal and advertising injury.
The court found that there was a publication when the "safe box" where all the information was kept was opened, but that coverage was afforded only to the extent Sony itself was responsible for the publishing, not for the actions of the third-party hackers. The case was on appeal and was only recently settled.

While it may not affect current CGL policies, insurers are beginning to add specialized exclusions to CGL policies to preclude coverage for data breaches. ISO has already filed several data breach exclusionary endorsements for use with standard-form policies, effective May 1, 2014, in most jurisdictions.

Crime and Fidelity Policies

Coverage for a data breach may also be available under other policies, such as crime and fidelity policies. In Retail Ventures v. Nat'l Union Fire Ins., 691 F.3d 821 (6th Cir. 2012), the U.S. Court of Appeals for the Sixth Circuit rejected AIG's denial of insurance coverage under a crime and fidelity policy for the losses that resulted when a policy holder suffered a data breach at the hands of a computer hacker in 2005. The policy holder, a nationwide retailer, was the victim of a data breach after hackers stole credit card and checking account information for over one million customer account transactions. This breach resulted in fraudulent credit card charges, credit monitoring costs, re-establishment of accounts, call center costs, legal expenses, and class action suits. The court found that coverage existed under the retailer's crime policy for the losses suffered in, among other things, reimbursing others for fraudulent credit card charges and the expenses of addressing an FTC inquiry.

Cyber Liability Policies

Policy holders who do not want to risk a dispute over whether a data breach claim falls within a CGL, property, or other form of insurance coverage can purchase specialty policies designed specifically to protect against data breaches.
Specialty cyber liability policies will cover reimbursement of the expenses and costs of investigating the cause of a data breach, the cost of engaging a public relations firm, the recovery and/or re-creation of the electronic data, losses resulting from business interruption as a result of the breach, and the costs of defending, and the loss, damages and expenses of, third-party claims arising out of invasion of privacy or any theft of personal and confidential data. Companies should be aware that the cyber-insurance market is a complex marketplace with a variety of different products available, and because these policies are still relatively new and untested, courts have not yet had the opportunity to rule on the new concepts and language they introduce. Accordingly, to obtain the appropriate protection, a company may need to rely on an insurance professional before purchasing coverage.

There are a number of key provisions to look out for in negotiating and ultimately selecting a policy to cover cyber risks. First, cyber policies usually provide definitions for the key term "claim," which, depending on the definition, can be problematic for insureds. Because cyber claims can arise in a variety of contexts, the policies often have broad definitions of "claim." One problem with these broad definitions is that they can be triggered by events the insured may not recognize as a "claim," so that a defense obligation arises and the notice period starts running without the insured realizing it, and the resulting late notice can foreclose coverage. Moreover, all cyber policies are claims-made policies, meaning they cover claims made against the insured during the policy period. In all jurisdictions, the insured forfeits coverage if it provides notice after the end of the policy period. Further, some policies contain provisions that require notice within a shorter period of days. Therefore it is important to understand and, if applicable, negotiate the meaning of the term "claim" so that timely notice is provided to the insurer.
Second, choice of law and choice of forum provisions are also prevalent in cyber policies. The construction of insurance policies differs dramatically from one state to another, with New York generally considered an unfavorable jurisdiction for policy holders. Many new policies contain New York choice of law provisions and require the insured to submit to alternative dispute resolution before litigation. Policies can also require that disputes be arbitrated in, for example, England or Bermuda, pursuant to the laws of that jurisdiction. Getting stuck with a policy that requires ADR before litigation in a far-away jurisdiction can lead to an expensive road to recovery.

All told, the purchase of a "cyber policy" should be treated with the sort of caution that is warranted for such a new and nuanced insurance product. Since insurers are seeing a definite uptick in claims activity, more aggressive claims handling will naturally follow. Doing more work negotiating your policy up front will help ensure that the intended coverage is actually set forth in the policy.

Conclusion

As companies now recognize that it is not a question of if they will suffer a data breach, but rather when, being prepared with a strong security posture and a formal incident response plan in place prior to a breach will increase your company's odds of surviving one. Having the right insurance and knowing how best to apply your insurance portfolio will help mitigate the financial consequences of a data breach. As we have seen in the most recent high-profile data breach cases, the companies that proactively sought out insurance coverage for data breach claims are now starting to benefit from their actions, and their risk managers have saved their companies, their investors, and their shareholders millions of dollars by securing the right insurance coverage.
In today's environment, while it may be impossible to build an impenetrable firewall, you can certainly ensure that if that firewall is breached, there is insurance to help cover any damages arising out of it.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!