BreachExchange mailing list archives
Cyber-liability insurance: Understanding what you have and what you may need
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 9 Apr 2015 19:16:45 -0600
http://www.insidecounsel.com/2015/04/09/cyber-liability-insurance-understanding-what-you-h

In the growing technologically interdependent marketplace, any company that stores either its own data or data from customers and business partners in an electronic format is at risk of data breach liability arising from unauthorized access to and use of that data. New federal legislation is being proposed to standardize the reporting and notification framework. The increase in data breach incidents in recent years may only be matched by the increase in media coverage and articles inundating companies with one message: Network and computer security needs to be a priority for any business. While a company’s own cybersecurity regime needs to be the first point of defense against such losses, significant attention should be given to what insurance protections the company has in place.

Recent large-scale data breach incidents demonstrate the scope of the exposure a company faces. In 2011, Sony Corporation suffered a hacking attack that resulted in its facing more than 60 class action lawsuits related to unauthorized access to 200 million customers’ data and 12 million credit card numbers. In 2013, Target suffered a data breach that exposed the information of over 110 million customers and included information regarding over 40 million credit and debit card accounts. In 2015, Anthem Inc., the nation’s second-largest health insurer, revealed that personal information of about 80 million customers was compromised as the result of a hacking attack. As a result of these and other data breaches, Congress is poised to act.

Any corporate officer confronting the question of how to best protect his or her company from the increasing threat of such losses should ask more than just whether existing security protocol provides appropriate protection.
Once a plan for network security and data protection is in place, the next step should be to determine whether the company has insurance in place appropriate for its exposure. Companies typically have two types of exposure: liability to third parties (including the government) resulting from data breaches, and the companies’ own losses resulting from a loss of data and the associated interruption to the business. Addressing this exposure requires an understanding of the scope of the insurance your company currently purchases and an understanding of what additional protections may be available in the marketplace based upon the type of business the company does.

Your current insurance

It is quite likely that your company purchases commercial general liability (CGL) insurance, directors’ and officers’ liability (D&O) insurance and commercial property insurance. Depending upon policy terms, these coverages may offer some protection against data breach-related liability and losses. But the landscape of the insurance market is changing, and the insurance industry is taking steps to exclude data breach incidents from coverage under these standard policies. Insurers now offer a number of specialized insurance products to fill in the gaps. It is more important now than ever before to have a good understanding of exactly how your insurance program responds to data breach situations and whether a special cyber-liability policy is right for your company.

Your company’s current CGL policy may provide some protection against allegations of liability resulting from a data breach, and the fact that the costs of defending claims will not erode the limits of the policy often makes this possibility very attractive to policyholders.
CGL policies cover a company’s liability because of “property damage” and often also because of injury caused by violation of a “person’s right of privacy.” Insurers have challenged the applicability of these coverages to data breach situations, arguing that damaged or lost data is not the type of “tangible property” to which CGL coverage applies. Insurers have also successfully argued that a data breach does not result in a necessary “publication” of information resulting in a violation of privacy rights. While the legal wrangling over these issues remains to be resolved, last year the insurance industry took affirmative steps to carve “data-related liability” out of CGL insurance policies via a new exclusion. It remains to be seen how uniformly this exclusion will be adopted across the industry, but it behooves any insurance-purchasing company to be aware of the exclusion and the manner in which it reduces the scope of the company’s CGL protection.

Your company’s D&O insurance may also provide some protection against liabilities resulting from a data breach or network security failures. Typical D&O insurance protects individuals from claims of wrongful acts, and to the extent that liability is predicated upon the alleged error of an individual to take appropriate steps to safeguard electronic data, then D&O insurance should respond to the claim.
For example, in a putative class action pending against Target arising out of a 2013 data breach, the claimants allege, among other things, liability arising out of “failure to maintain adequate computer systems and data security practices,” and “failure to disclose the material fact that Target’s computer systems and data security practices were inadequate.” But typical D&O insurance only insures the company against its own liability for securities claims, which generally include only claims arising from solicitation of transactions for securities of the company or claims arising from a security holder’s interest in the company. As such, while the D&O policy may give individual directors and officers comfort, the company itself may need to obtain additional protection elsewhere.

Commercial property insurance covers loss to the company’s own assets, as opposed to CGL and D&O policies that protect against allegations of liability to a third party. A property program should cover the value of what has been lost, plus the losses resulting from the interruption of business and expenses incurred in getting the business back to normal operations. While property insurance policy language can vary significantly, many insurers exclude coverage for loss of electronic data or underwrite such insurance with sublimits that are much lower than the overall limit on the policy.

Purchasing cyber-liability insurance

If there are gaps in coverage for your company’s data breach exposure, or you learn that the insurance you are purchasing is covering less than it did in the past, the insurance industry currently markets a number of products designed to cover data breach liability. These products roughly fit into four classifications.

Media Liability insurance: These policies address claims arising from the publication of information on the internet (and other media), potentially extending to IP claims as well as privacy claims.
Privacy Liability insurance: These policies address the wrongful disclosure of a third party’s confidential information, whether via electronic means or otherwise.

Network Security Liability insurance: These policies address liability arising from the failure of a computer system or network to adequately secure protected information.

Errors & Omissions insurance: These policies address liability arising out of providing professional services to others. Such coverage could be very important if your company is in the business of providing network or data services, but it could be equally important if part of the services rendered by the company includes the transmission of protected information.

These are only general categories of insurance products, and the offerings from various insurers are unique and can include a number of additional benefits. Be active when going into the market to procure insurance. The policy is your company’s contract and protection, so you want to make sure that the policy clearly fits the company’s needs. When evaluating whether to purchase additional data breach coverage, keep the following principles in mind.

Understand your exposure: Does your company keep personal information from its customers or business partners? Does your company provide internet or technology services to clients that could be accessed or exploited? How quickly can your company recover lost data and resume normal business operations if its network is breached?

Understand your sublimits: Often insurers will sell policies with large overall limits but will include sublimits for particular risks. It is important to understand how these sublimits apply to a loss, and in particular how the sublimits are calculated if more than one sublimited coverage applies to a single loss.

Remember business interruption: The disruption to your business caused by a data breach can be just as extensive as one caused by a natural disaster.
The company should consider the potential losses arising from that disruption, as well as the losses arising from the lost data and the expenses associated with restoring the computer network. If your company relies on the use of data from some third party, consider whether contingent business interruption insurance will provide coverage for your company’s inability to conduct business if that third party suffers a cyber-attack.

Match your cyber-policy to your company’s business: This means not only making sure that the available limits are appropriate, but also making sure that the policy covers the types of network use and data breaches your company may experience. For instance, some cyber liability insurance policies may not cover claims arising from the theft or loss of unencrypted devices that contain confidential information.

Make sure your policy covers regulatory investigations: Government agencies are increasingly involved in investigating data breaches and cybersecurity concerns. Any cyber-liability policies should cover costs associated with such investigations and not be limited only to situations where a claimant sues the company.

Monitor territorial requirements: If your current insurance is underwritten on anything other than a “worldwide” basis, consider whether employee travel or external hosting of data creates potential liabilities beyond the geographic limits of your policies.

Address credit card requirements: Will your insurance respond to any fines or costs associated with non-compliance with guidelines governing the use and processing of credit cards (such as the Payment Card Industry Data Security Standard)? In large data breach cases, such costs can be substantial.

Cyber-liability coverage cannot be addressed in a one-size-fits-all fashion. Being informed about your company’s risk exposure and aware of the available insurance products is the only way to make sure you purchase the type of coverage your company needs.