funsec mailing list archives

The Inevitable Cyber Break In: Are You Protected?


From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 15 Aug 2014 20:29:10 -0400

http://www.jdsupra.com/legalnews/the-inevitable-cyber-break-in-are-you-p-26111/

The prevalence of cyber data breach over the years has not only grown
in number, but has also grown in size.  Perhaps the most well-known
example of a large-scale data breach is that suffered by Target Corp.
occurring at the end of 2013.  The effects of the breach on Target
Corp. have been profound. Indeed, within days of the announcement of
the breach, class action lawsuits were filed against Target around the
country, including in California, Massachusetts, Minnesota, Ohio, and
Utah. These class actions fall into three general categories: (1)
those brought by consumers whose information was compromised; (2)
those brought by financial institutions such as banks and credit
unions that service these consumers; and (3) derivative actions
brought by Target shareholders.

For a single data breach, the Ponemon Institute reports that the
average U.S. organizational cost is $5,403,644 — with $565,020 spent
on post-breach notification alone.[1] Importantly, the numbers do not
include “data breaches in excess of 100,000 [records] because they …
would skew the results.”

There is potential coverage for cybersecurity data breaches under
standard CGL policies. In particular, the ISO’s form CGL policy states
that the insurer “will pay those sums that the insured becomes legally
obligated to pay as damages because of ‘personal and advertising
injury.’”[2]  “Personal and advertising injury” is defined to include
“[o]ral or written publication, in any manner, of material that
violates a person’s right of privacy.”[3]

But just when insureds need coverage for damages caused by cyber data
breaches the most, the Insurance Services Office Inc. (“ISO”), which
sets guidelines for pricing and creates insurance forms for insurers
to use across the country, has come up with a number of data breach
exclusionary endorsements or standard exclusions for use with its
standard-form primary, excess and umbrella commercial general
liability (“CGL”) policies to lock out any potential coverage.  For
example, the ISO filed endorsement form number CG 21 06 05 14
entitled, “Exclusion – Access Or Disclosure Of Confidential Or
Personal Information And Data-related Liability – With Limited Body
Injury Exception,” which modifies the CGL coverage part.  This
endorsement excludes coverage for damages arising out of:

    (1) Any access to or disclosure of any person’s or organization’s
confidential or personal information, including patents, trade
secrets, processing methods, customer lists, financial information,
credit card information, health information or any other type of
nonpublic information; or

    (2) The loss of, loss of use of, damage to, corruption of,
inability to access, or inability to manipulate electronic data.

The endorsement goes one step further and clarifies that:

    This exclusion applies even if damages are claimed for
notification costs, credit monitoring expenses, forensic expenses,
public relations expenses or any other loss, cost or expense incurred
by you or others arising out of that which is described in Paragraph
(1) or (2) above.

Naturally the insurers snapped up these exclusions, incorporated them
into their policy forms and submitted them for approval to the state
insurance departments where they do business. The majority, if not all,
U.S. states and territories have approved these new exclusions.  It is
not surprising that the insurance industry has promulgated these new
air-tight exclusions for cyber-related losses while at the same time
beginning to roll out in earnest specialized cybersecurity insurance
products to fill the gap they are creating. The cybersecurity insurance
products available are both pricey and limited.

With ISO’s new data breach exclusions rolling out, organizations
should assess potential threats to their company and private customer
information, and identify which insurance products will best fit their
needs, including careful review of their insurance and, at renewal,
negotiation of the broadest possible coverage, including, wherever
possible, older versions of the ISO CGL forms and no special
endorsements reducing coverage even further.  If data breach is a serious
concern, and any company of any size should be concerned, perhaps
careful consideration of cyber insurance is in order, as limited and
expensive as it may be.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.