BreachExchange mailing list archives

Preparing for the Inevitable: Insurance for Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 18 May 2015 18:16:40 -0600

http://www.newyorklawjournal.com/id=1202726774292/Preparing-for-the-Inevitable-Insurance-for-Data-Breaches?slreturn=20150418190205

In the past few years Michaels Stores, Jimmy Johns, Adobe, Google, Yahoo,
LinkedIn, Living Social, Wyndham Hotels and even the U.S. government have
all faced data security breaches. More recently, Blue Cross Blue Shield,
Anthem, Target and Home Depot were the subjects of similar attacks. In the
face of these ever-increasing high-profile data breaches, companies are now
realizing that they must take proactive positions against the risk of such
loss and ensure that they are doing everything possible to protect
themselves and their customers from increasingly sophisticated data
breaches. It is now more important than ever for companies to purchase
cyber liability insurance coverage or to review their existing insurance
portfolio to determine if they have adequate coverage.

While many people associate cyber coverage with insurance to protect a
company's website, cyber risks are far more pervasive. Nearly every company
has digitized certain types of information, such as accounting data,
customer records and employee information, which are available over a
computer network through email or other electronic access. All this
digitized data is subject to corruption, loss or theft.

A company's operations may come to a halt at the hands of a computer virus,
hacking, or disruption of its computer network caused by, for example, the
negligence of an IT contractor or malfunctioning software. Disgruntled
employees may sabotage electronic data and cripple a company's ability to
conduct business operations, or, even more likely, an employee may misplace
or lose a company laptop or BlackBerry containing sensitive information.
Every business can suffer this type of catastrophic loss, and few
businesses have adequate insurance coverage for it.

A 2014 Cost of Data Breach Study performed by Ponemon Institute Research
found that the average cost of a corporate data breach in the United States
increased 15 percent in the last year to $5.9 million, that the average
cost for each lost or stolen record containing sensitive and confidential
information—where data breaches ranged from 5,000 to 100,000 records—was
$201, and that the cost per record for a data breach due to malicious or
criminal attacks was $246. The study found that a probability of a company
experiencing a material data breach over the next two years, involving a
minimum of 10,000 records, was nearly 19 percent, with a higher probability
of occurrence estimated for public sector organizations.

The study also found that the cost of a larger breach is much higher. For
example, the most recent high-profile data breaches involving Target and
Home Depot cost each company millions of dollars in financial damages.
Target disclosed that its data breach cost it $148 million, with $38
million being covered by insurance. Home Depot expects to pay $62 million
to recover from its data breach with $27 million of that being covered by
insurance. All told, insurance will cover over $65 million to Target and
Home Depot. With numbers like this, insurance coverage for data breaches
must be a part of any company's insurance portfolio.

Despite these known risks, it is estimated that only one in three companies
now has insurance specifically to protect against such losses. As the
Boston Globe reported, a spokesman for a Boston area hospital which
recently purchased its first cyber insurance policy shortly after a data
breach put personal information of patients at risk in 2010, stated "[w]ho
would have thought about cyber insurance? It's such a new coverage to have
to have."

For cyber insurance coverage, companies should look toward their existing
commercial general liability coverage, crime and fidelity policies and
specialty cyber liability policies.

Traditional CGL Coverage

Commercial general liability (CGL) insurance is the most common type of
coverage found in most insurance programs. Many insurers have disputed
that CGL coverage was ever intended to cover cyber risk and data breaches, and
they often deny claims brought under CGL policies. Case law on coverage under
CGL policies has focused on whether there is "property damage" under
coverage part A of the CGL policy or whether there is "personal injury"
under coverage part B of the CGL policy.

For coverage under part A of a CGL policy, the main issue is whether the
data breach or loss constitutes damage to, or loss of, property. Courts
have taken varying approaches to coverage under this part. For example, in
Liberty Corporate Capital v. Sec. Safe Outlet, 937 F.Supp.2d 891 (E.D. Ky.
2013) the court declined to find coverage for losses resulting from the
improper access to a customer database under a CGL policy because the
policy excluded "electronic data" from the definition of property and
because customer information in an electronic database was not "tangible."
However, in Retail Systems v. CNA Insurance, 469 N.W.2d 735, 737 (Minn. Ct.
App. 1991), the court found coverage where the insured had lost its
client's computer tape and data. The court held that the data was tangible
property and compared the data storage tape to a motion picture, where "the
information and the celluloid medium are integrated," holding that "[t]he
data on [a missing computer tape] was of permanent value and was integrated
completely with the physical property of the tape."

Whether data breaches are covered under coverage part B usually depends on
the policy's definition of a "personal and advertising injury." While
"personal and advertising injury" can constitute several different types of
"injury," data breach claims will typically trigger a form of personal and
advertising injury defined as "oral or written publication, in any manner,
of material that violates a person's right of privacy."

The two main issues arising out of this injury for data breach claims are
whether the breach constitutes a "publication" of that data, and whether it
violates a "right of privacy." In a situation where personally identifiable
information is stolen or downloaded from a retailer's network, insurers
will argue that this does not qualify as "publication" of that information,
since it is not disclosed to other third parties. Insurers also have argued
that the "right of privacy" simply means the right to be left alone rather
than the right to keep private information protected.

At least one recent decision has considered the key term "publication." In
Travelers Indemnity v. Portal Healthcare Solutions, 35 F.Supp.3d 765 (E.D.
Va. 2014), the U.S. District Court for the Eastern District of Virginia
held that making medical records accessible triggered the policy coverage,
even though no third party was alleged to have viewed the information,
because, according to the court, "[p]ublication occurs when information is
'placed before the public' not when a member of the public reads the
information placed before it."

By contrast, in Zurich Am. Ins. v. Sony, 2014 N.Y. Misc. LEXIS 5141 (N.Y.
Sup. Ct. Feb. 21, 2014), a New York state court ruled in favor of several
insurers, finding that the insurers had no duty to defend Sony in
connection with numerous underlying putative class action lawsuits relating
to the company's 2011 PlayStation data breach. The policies at issue were
general liability policies, and the coverage dispute surrounded the meaning
of personal and advertising injury. The court found that there was a
publication when the "safe box" where all the information was kept was
opened, but that coverage was only afforded to the extent Sony was
responsible for the publishing and not because of the actions of the
third-party hackers. The case was up on appeal and was just recently
settled.

While it may not affect current CGL policies, insurers are beginning to add
specialized exclusions to CGL policies to preclude coverage for data
breaches. ISO has already filed several data breach exclusionary
endorsements for use with standard-form policies, which are effective May
1, 2014, in most jurisdictions.

Crime and Fidelity Policies

Coverage for a data breach may also be available under other policies, such
as crime and fidelity policies. In Retail Ventures v. Nat'l Union Fire
Ins., 691 F.3d 821 (6th Cir. 2012), the U.S. Court of Appeals for the Sixth
Circuit rejected AIG's denial of insurance coverage under a crime and
fidelity policy for the losses that resulted when a policy holder in 2005
suffered a data breach at the hands of a computer hacker. The policy
holder, a nationwide retailer, was the victim of a data breach after
hackers stole credit card and checking account information for over one
million customer account transactions. This breach resulted in fraudulent
credit card charges, credit monitoring costs, re-establishment of accounts,
call center costs, legal expenses, and class action suits. The court found
that coverage existed under the retailer's crime policy for the losses
suffered for, among other things, reimbursing others for fraudulent credit
card charges and expenses for addressing an FTC inquiry.

Cyber Liability Policies

Policy holders who do not want to risk a dispute over whether a data breach
claim falls within a CGL, property, or other form of insurance coverage can
purchase specialty policies designed specifically to protect against data
breaches. Specialty cyber liability policies will cover reimbursement of
expenses and costs of investigation with respect to the cause of a data
breach, the cost of engaging a public relations firm, the recovery and/or
re-creation of the electronic data, the losses resulting from business
interruption as a result of the breach, and the costs of the defense, loss,
damages and expenses of third-party claims arising out of invasion of
privacy or any theft of personal and confidential data.

Companies should be aware that the cyber-insurance market is a complex
marketplace with a variety of different products available, and because
these policies are still relatively new and untested, courts have not yet
had the opportunity to rule on any new concepts and language they might
introduce. Accordingly, to obtain the appropriate protection, a company may
need to rely on an insurance professional before purchasing coverage.

There are a number of key provisions to look out for in negotiating and
ultimately selecting a policy to cover cyber risks. First, cyber policies
usually provide definitions for the key term "claim," which, depending on
the definition, can be problematic for insureds. Because cyber claims can
arise in a variety of contexts, the policies often have broad definitions
of "claim." One problem with these broad definitions of "claim" is that
they can easily trigger a defense obligation and result in late notice that
forecloses coverage. Moreover, all cyber policies are claims-made
policies—policies that provide coverage in the year in which the insured
receives a claim. In all jurisdictions, the insured forfeits coverage if it
provides notice after the end of the policy period. Further, some policies
contain provisions that require notice within a shorter period of days.
Therefore, it is important to understand and, if applicable, negotiate the
meaning of the term "claim" so that timely notice is provided to the insurer.

Second, choice of law and choice of forum provisions are also prevalent in
cyber policies. The construction of insurance policies differs dramatically
from one state to the other, with New York generally considered an
unfavorable jurisdiction for policy holders. Many new policies contain New
York choice of law provisions and require the insured to submit to
alternative dispute resolution before litigation. Policies can also require
that disputes be arbitrated in, for example, England or Bermuda, pursuant
to the laws of that jurisdiction. Getting stuck with a policy that requires
ADR before litigation in a far-away jurisdiction can lead to an expensive
road to recovery.

All told, the purchase of a "cyber policy" should be treated with the sort
of caution that is warranted for such a new and nuanced insurance product.
Since insurers are seeing a definite uptick in claims activity, more
aggressive claims handling will naturally follow. Doing more work
negotiating your policy up front will ensure that the intended coverage is
actually set forth in the policy.

Conclusion

As companies are now recognizing that it's not a question of if they will
suffer a data breach, but rather, when, being prepared with a strong
security posture and a formal incident response plan in place prior to a
breach will increase your company's odds of surviving a breach. Having the
right insurance and knowing how to best apply your insurance portfolio will
help mitigate the financial consequences of a data breach.

As we've seen in the most recent high-profile data breach cases, the
companies that have proactively sought out insurance coverage for data
breach claims are now starting to benefit from their actions, and their
risk managers have saved their companies, their investors, and their
shareholders millions of dollars by securing the right insurance coverage.
In today's environment, while it may be impossible to build an impenetrable
firewall, you can certainly ensure that if that firewall is breached, there
is insurance to help cover any damages arising out of it.