BreachExchange mailing list archives

Cyber-liability insurance: Understanding what you have and what you may need


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 9 Apr 2015 19:16:45 -0600

http://www.insidecounsel.com/2015/04/09/cyber-liability-insurance-understanding-what-you-h

In the growing technologically interdependent marketplace, any company that
stores either its own data or data from customers and business partners in
an electronic format is at risk of data breach liability arising from
unauthorized access to and use of that data. New federal legislation is
being proposed to standardize the reporting and notification framework.

The increase in data breach incidents in recent years may only be matched
by the increase in media coverage and articles inundating companies with
one message: Network and computer security needs to be a priority for any
business. While a company’s own cybersecurity regime needs to be the first
point of defense against such losses, significant attention should be given
to what insurance protections the company has in place.

Recent large-scale data breach incidents demonstrate the scope of the
exposure a company faces. In 2011, Sony Corporation suffered a hacking
attack that resulted in its facing more than 60 class action lawsuits
related to unauthorized access to 200 million customers’ data and 12
million credit card numbers. In 2013, Target suffered a data breach that
exposed the information of over 110 million customers and included
information regarding over 40 million credit and debit card accounts. In
2015, Anthem Inc., the nation’s second-largest health insurer, revealed
that personal information of about 80 million customers was compromised as
the result of a hacking attack. As a result of these and other data
breaches, Congress is poised to act.

Any corporate officer confronting the question of how to best protect his
or her company from the increasing threat of such losses should ask more
than just whether existing security protocol provides appropriate
protection. Once a plan for network security and data protection is in
place, the next step should be to determine whether the company has
insurance in place appropriate for its exposure.

Companies typically have two types of exposure: liability to third parties
(including the government) resulting from data breaches, and the companies’
own losses resulting from a loss of data and the associated interruption to
the business. Addressing this exposure requires an understanding of the
scope of the insurance your company currently purchases and an
understanding of what additional protections may be available in the
marketplace based upon the type of business the company does.

Your current insurance

It is quite likely that your company purchases commercial general liability
(CGL) insurance, directors’ and officers’ liability (D&O) insurance and
commercial property insurance. Depending upon policy terms, these coverages
may offer some protection against data breach-related liability and losses.
But, the landscape of the insurance market is changing, and the insurance
industry is taking steps to exclude data breach incidents from coverage
under these standard policies. Insurers now offer a number of specialized
insurance products to fill in the gaps. It is more important now than ever
before to have a good understanding of exactly how your insurance program
responds to data breach situations and whether a special cyber-liability
policy is right for your company.

Your company’s current CGL policy may provide some protection against
allegations of liability resulting from a data breach, and the fact that
the costs of defending claims will not erode the limits of the policy often
makes this possibility very attractive to policyholders. CGL policies cover
a company’s liability because of “property damage” and often also because
of injury caused by violation of a “person’s right of privacy.” Insurers
have challenged the applicability of these coverages to data breach
situations, arguing that damaged or lost data is not the type of “tangible
property” to which CGL coverage applies. Insurers have also successfully
argued that a data breach does not result in a necessary “publication” of
information resulting in a violation of privacy rights.

While the legal wrangling over these issues remains to be resolved, last
year, the insurance industry took affirmative steps to carve “data-related
liability” out of CGL insurance policies via a new exclusion. It remains to
be seen how uniformly this exclusion will be adopted across the industry,
but it behooves any insurance-purchasing company to be aware of the
exclusion and the manner in which it reduces the scope of the company’s CGL
protection.

Your company’s D&O insurance may also provide some protection against
liabilities resulting from a data breach or network security failures.
Typical D&O insurance protects individuals from claims of wrongful acts,
and to the extent that liability is predicated upon the alleged failure of
an individual to take appropriate steps to safeguard electronic data, then
D&O insurance should respond to the claim. For example, in a putative class
action pending against Target arising out of a 2013 data breach, the
claimants allege, among other things, liability arising out of “failure to
maintain adequate computer systems and data security practices,” and
“failure to disclose the material fact that Target’s computer systems and
data security practices were inadequate.”

But typical D&O insurance only insures the company against its own
liability for securities claims, which generally include only claims
arising from solicitation of transactions for securities of the company or
claims arising from a security holder’s interest in the company. As such,
while the D&O policy may give individual directors and officers comfort,
the company itself may need to obtain additional protection elsewhere.

Commercial property insurance covers loss to the company’s own assets, as
opposed to CGL and D&O policies that protect against allegations of
liability to a third party. A property program should cover the value of
what has been lost, plus the losses resulting from the interruption of
business and expenses incurred in getting the business back to normal
operations. While property insurance policy language can vary
significantly, many insurers exclude coverage for loss of electronic data
or underwrite such insurance with sublimits that are much lower than the
overall limit on the policy.

Purchasing cyber-liability insurance

If there are gaps in coverage for your company’s data breach exposure, or
you learn that the insurance you are purchasing is covering less than it
did in the past, the insurance industry currently markets a number of
products designed to cover data breach liability. These products roughly
fit into four classifications.

Media Liability insurance: These policies address claims arising from the
publication of information on the internet (and other media), potentially
extending to IP claims as well as privacy claims.

Privacy Liability insurance: These policies address the wrongful disclosure
of a third party’s confidential information, whether via electronic means
or otherwise.

Network Security Liability insurance: These policies address liability
arising from the failure of a computer system or network to adequately
secure protected information.

Errors & Omissions insurance: These policies address liability arising out
of providing professional services to others. Such coverage could be very
important if your company is in the business of providing network or data
services, but it could be equally important if part of the services
rendered by the company includes the transmission of protected information.

These are only general categories of insurance products, and the offerings
from various insurers are unique and can include a number of additional
benefits. Be active when going into the market to procure insurance. The
policy is your company’s contract and protection, so you want to make sure
that the policy clearly fits the company’s needs.

When evaluating whether to purchase additional data breach coverage, keep
the following principles in mind.

Understand your exposure: Does your company keep personal information from
its customers or business partners? Does your company provide internet or
technology services to clients that could be accessed or exploited? How
quickly can your company recover lost data and resume normal business
operations if its network is breached?

Understand your sublimits: Often insurers will sell policies with large
overall limits but will include sublimits for particular risks. It is
important to understand how these sublimits apply to a loss, and in
particular how the sublimits are calculated if more than one sublimited
coverage applies to a single loss.

Remember business interruption: The disruption to your business caused by a
data breach can be just as extensive as one caused by a natural disaster.
The company should consider the potential losses arising from that
disruption, as well as the losses arising from the lost data and the
expenses associated with restoring the computer network. If your company
relies on the use of data from some third party, consider whether
contingent business interruption insurance will provide coverage for your
company’s inability to conduct business if that third party suffers a
cyber-attack.

Match your cyber-policy to your company’s business: This means not only
making sure that the available limits are appropriate, but also making sure
that the policy covers the types of network use and data breaches your
company may experience. For instance, some cyber-liability insurance
policies may not cover claims arising from the theft or loss of unencrypted
devices that contain confidential information.

Make sure your policy covers regulatory investigations: Government agencies
are increasingly involved in investigating data breaches and cybersecurity
concerns. Any cyber-liability policies should cover costs associated with
such investigations and not be limited only to situations where a claimant
sues the company.

Monitor territorial requirements: If your current insurance is underwritten
on anything other than a “worldwide” basis, consider whether employee
travel or external hosting of data creates potential liabilities beyond the
geographic limits of your policies.

Address credit card requirements: Will your insurance respond to any fines
or costs associated with non-compliance with guidelines governing the use
and processing of credit cards (such as the Payment Card Industry Data
Security Standard)? In large data breach cases, such costs can be
substantial.

Cyber-liability coverage cannot be addressed in a one-size-fits-all
fashion. Being informed about your company’s risk exposure and aware of the
available insurance products is the only way to make sure you purchase the
type of coverage your company needs.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss