How to protect your company’s bottom line against data breach losses through insurance

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.lexology.com/library/detail.aspx?g=ca965dd0-5135-48f8-8025-91fdb69631b2

In the wake of what seems to be daily announcements of new data security
breaches and increased regulatory oversight over company information
security and privacy practices, companies are looking for ways to minimize
risks associated with the seemingly inevitable data security breach. In the
current environment where the issue is when, not if, a company will be
breached, maintaining adequate insurance to protect against the risk of
data security breaches is now more important than ever. Cyber insurance is
often the “last line of defense,” in the event of a breach, and regulators
increasingly deem cyber insurance an essential component of a sound risk
management strategy. SEC Guidance that was released in 2011 provides that
companies should fully and accurately disclose cybersecurity risk factors,
including a “description of relevant insurance coverage.” Further,
traditional commercial general liability (“CGL”), Directors & Officers
(“D&O”), Errors & Omissions (“E&O”), Crime, and other policies also may be
valuable assets in the event of a data security breach.

This client alert briefly outlines issues companies should consider when
purchasing cyber insurance, and also explains why traditional policies
should not be left on the table in the event of a data security breach.

I. Key Considerations When Purchasing Cyber Insurance

The demand for cyber insurance has grown as a result of the increasing
number of data security breaches and the increased sophistication of
hackers’ methods. This coverage can prove extremely valuable, as indicated
by Target’s recent SEC filings, which reflect that while Target has
incurred $256 million in cumulative expenses arising out of its 2013 data
breach, it ultimately expects to recover $90 million in coverage to offset
some of those losses.1

A wide variety of insurers offer hybrid policies providing cyber coverage
for both first-party and third-party losses, but coverage can vary widely
from insurer to insurer. Therefore, it is imperative that companies
carefully review their cyber coverage to ensure they are adequately
protected from the ever-increasing risk of a data security breach.

Cyber insurance typically provides first party coverage for a broad range
of costs that a company can incur as a result of the breach, including
costs associated with, among other things: (i) forensic examinations; (ii)
outside counsel to handle breach response; (iii) public relations to handle
media

communications regarding the breach; (iv) mailing notifications to
consumers and regulators; (v) offering credit monitoring to affected
consumers; (vi) setting up a call center to handle consumer calls; (vii)
paying extortion payments; (viii) PCI-related fines or penalties; (ix)
business interruption costs, especially following a denial of service
attack; (x) restoration of systems; and (xi) remediation costs. It is
important to work with your IT department and outside counsel to fully
understand the costs your company may incur as a result of a data breach to
ensure your cyber insurance policy provides sufficient coverage.

In addition, most cyber insurance policies offer third party coverage.
Following an announcement of a breach that involves consumer information,
it is now virtually inevitable that the company will be subject to a
regulatory investigation by at least one, if not several, state and federal
agencies. In addition, class action lawsuits are now often filed within
hours of a breach announcement. A company should ensure that its cyber
liability policy covers costs associated with regulatory investigations and
litigation, including costs associated with regulatory settlements that
often impose not only a monetary penalty but also the costs of implementing
security enhancements and continued monitoring programs, which can be
costly to implement.

As a first step in the process when considering cyber coverage, a company
should analyze its own potential exposure and shore up any information
security gaps before engaging in the underwriting process. Roadblocks to
coverage often include inadequate network security, inadequate information
security policies and procedures, poor records management, and inadequate
employee training. If possible, fix any gaps prior to undergoing an
insurer’s underwriting review to prevent a rejection of coverage or higher
premium.

Purchasing cyber insurance also requires careful consideration and
negotiation of the policy language to ensure that your company is
purchasing best in class coverage. As with other insurance policies, cyber
policies contain a host of exclusions and limitations to coverage. Many of
these exclusions are similar to exclusions and conditions commonly found in
D&O and E&O policies, and in our experience, policyholders can obtain
enhancements eliminating or limiting the scope of certain exclusions for
little or no additional premium. Specific policy terms and conditions to
consider in evaluating a cyber insurance policy include the following:

- Pay careful attention to Retroactive Dates. Cyber policies often restrict
coverage to breaches or losses that occur after a specific date and in some
forms it is the inception date of the policy. Because breaches may go
undetected for some period of time, it is important to purchase coverage
with the earliest possible retroactive date.
- Broaden Regulatory Investigation Coverage. State and federal agencies
have become increasingly active in regulating privacy issues, and it is
important to ensure that a cyber policy covers all potential regulatory
investigations following a breach, rather than a narrow enumerated list of
agencies.
- Obtain Coverage for Unencrypted Devices. Ensure unencrypted devices are
covered even if a device is employee-owned. Some cyber policies attempt to
exclude coverage for unencrypted devices, which often affects companies
that allow employees to use their own devices.
- Ensure Coverage for Data in the Cloud. Companies should make sure that
data stored with third parties or “in the cloud” is covered even if the
third party experiences the data security breach.
- Avoid Terrorism Exclusions. Cyber policies often exclude coverage for
terrorism, hostilities, and claims arising from “acts of foreign enemies.”
Given that many data security breaches originate abroad and may be
perpetrated by groups that could be considered “foreign enemies,” companies
should be sure to eliminate or limit the scope of these types of exclusions.
- Pay attention to sublimits. Sublimits can greatly reduce coverage. Most
cyber insurance policies impose sublimits on some coverages, such as
notification costs and regulatory investigations. These sublimits are often
inadequate.

II. Potential Coverage Under Other Insurance Policies

CGL policies are another potentially valuable, yet often overlooked,
insurance asset in the event of a data security breach. For example, data
security breaches that result in consumer class action lawsuits alleging
privacy violations may trigger coverage under the CGL policy’s “advertising
injury” coverage for claims arising from the oral or written publication of
material that violates a person’s right to privacy. Further, depending on
the nature of the breach, a data security breach that compromises credit
card data can result in follow-on lawsuits by payment card issuers, who may
be forced to cancel and reissue compromised debit and credit cards in the
aftermath of a data security breach and data breach. These types of
lawsuits may be covered under the CGL policy’s broad coverage for property
damage claims for the loss of use of tangible property that is not
physically injured, because the damages associated with cancelling and
reissuing compromised payment cards arises out of a loss of use of tangible
property.

Many commentators have argued in the wake of recent decisions by courts in
New York and Connecticut that CGL coverage is simply unavailable for cyber
breaches, but these decisions hardly preclude CGL coverage for data
security breaches. In 2014, a trial court decision in New York held in
Zurich American Insurance Co. v. Sony Corporation of America, et al.2 that
CGL coverage was unavailable for certain consumer class actions arising out
of a hacking of Sony’s PlayStation gaming system’s online services. There,
the trial court reasoned that Zurich owed Sony no coverage, because Sony
did not “publish” the material that violated a person’s right to privacy,
and therefore “publication” by the third-party hackers did not trigger
coverage.3 The trial court held that Sony, as the policyholder, must have
published the material to trigger coverage; publication by the “hackers”
was not sufficient to trigger coverage.4 Sony appealed on the grounds that
under the plain language of the Policy, publication “in any manner”
included publication by a party other than Sony, such as the “hacker.”
After this argument and others were fully briefed in the appellate court,
the Sony case settled before the appellate court could reach a decision,
demonstrating that there is value under CGL policies for data security
breaches.

The only appellate decision regarding CGL coverage for a data breach is
Recall Total Information Management, Inc. v. Federal Insurance Company,5 a
decision issued by the Supreme Court of Connecticut in May 2015. The court
held that there was no coverage for a data breach under a CGL policy’s
advertising injury insuring agreement, but its application to future cases
is dubious because of its unique facts. Indeed, Recall did not even involve
a data security breach; tapes containing private information fell out of
the back of a truck, rather than being “hacked” or “pirated”
electronically, and therefore the court found no “publication” of the
information stored on the tapes necessary to trigger CGL coverage for
advertising injury.6 With the current dearth of court decisions regarding
data security breaches and data breach insurance coverage, insurers may
cite this case when seeking to limit CGL coverage for a data breach, but as
illustrated above, the case is readily distinguishable.

Because the possibility for coverage for data breach losses remains under
CGL policies, insurers, in an effort to limit their exposure to cyber
claims, increasingly attempt to insert electronic data exclusions or
exclusions to the definition of “advertising injury.” Watch for these types
of exclusions during policy renewal, and work with your broker and coverage
counsel to remove these exclusions if possible.

D&O and E&O insurance policies also potentially provide valuable sources of
recovery in the event of a data security breach, depending on the claims
brought against your company. D&O policies protect the companies’ Boards of
Directors and certain officers, and also protect companies themselves
against securities claims and shareholder derivative lawsuits. D&O policies
typically do not have cyber exclusions, but carefully review your policy at
renewal to make sure that there are not provisions that would limit your
ability to seek coverage in the event of a data security breach.

E&O insurance policies can provide coverage for companies against data
security breaches arising out of the provision of professional services.
For instance, if a healthcare company suffers a data breach while rendering
professional services and compromises its clients’ confidential information
(or the confidential information of the patients of its clients), E&O
coverage may help cover the resulting losses. Case law has not yet
developed regarding insurance coverage under E&O

policies for data security breaches, but coverage should be available for
data security breaches or data breaches that arise from the rendering of
professional services in the absence of an electronic data or privacy
exclusion in the policy.

Finally, crime insurance policies can provide a valuable source of
insurance for a data security breach, but may have limited applicability
against third-party data security breaches. However, if an employee (acting
alone or with other non-employees) engages in or assists in a data security
breach that results in first-party loss or an investigation, crime
insurance policies may provide coverage to help defray such costs.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!