Cyber insurance can be an extremely valuable asset in an organization’s strategy to address and mitigate cyber security, data privacy and other risks. But selecting and negotiating the right insurance product can present a significant challenge, given, among other things, the lack of standardized policy language and the fact that many “off the shelf” policies do not adequately match the organization’s risk profile. The following five tips will help to facilitate a successful cyber policy placement.
#1. Get a Grasp on Risk Profile and Tolerance
A successful cyber placement is facilitated by having a thorough understanding of an organization’s risk profile, including the scope and type of personally identifiable information and confidential corporate data maintained by the company and the manner in which (and by whom) such data is used, transmitted and stored. A complete understanding of the risk profile also entails evaluation of the organization’s IT infrastructure and practices and assessment of potential threats to the organization’s (and its vendors’) network security. An organization should also consider the pervasiveness and manner of use of unencrypted mobile and other portable devices. There are many other factors that may warrant consideration. An organization should also assess its potential exposure in the event of a data breach or network security incident. When an organization has a grasp on its risk profile, potential exposure and risk tolerance, it is well-positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.
#2. Look at Existing Coverage
The California federal district court’s recent decision in Hartford Casualty Insurance Company v. Corcino & Associates et al. 1 — upholding coverage under a commercial general liability (CGL) policy for a data breach that compromised the confidential medical records of nearly 20,000 patients — underscores that there may be valuable privacy and data breach coverage under “traditional” insurance policies, including under the “Personal And Advertising Injury Liability” (Coverage B) of a typical CGL policy. There may also be valuable coverage for data breach and network security liability and network security failures under an organization’s commercial property, D&O, E&O, professional liability, fiduciary, crime and other coverages.
#3. Purchase Cyber Insurance As Needed
As recently described in Law360, 2 in response to decisions upholding coverage for data breach, privacy, network security and other cyber risks, the insurance industry has added various limitations and exclusions purporting to cut off the “traditional” lines of coverage. By way of example, Insurance Services Office, Inc. (ISO) 3 recently filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage B:
This insurance does not apply to:
Access Or Disclosure Of Confidential Or Personal Information
“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information. 4
Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies.
As far as data breaches are concerned, cyber policies usually provide some form of privacy coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises confidential personally identifiable information. By way of example, the AIG Specialty Risk Protector® specimen policy 5 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” 6 “Privacy Event” includes:
- any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
- failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
- violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.7
“Confidential Information” is defined as follows:
“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:
- information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
- information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
- information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
- information used for authenticating customers for normal business transactions;
- any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.]
A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation” coverage (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:
- costs associated with post-data breach notification
- credit monitoring services
- forensic investigation to determine cause and scope of a breach
- public relations efforts and other “crisis management” expenses
- legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.
The sublimits typically associated with remediation coverage warrant careful attention. Cyber insurance policies often offer other types of coverages, including:
- network security coverage (often in the same coverage grant as the “privacy” coverage discussed above), which generally covers liability arising out of security threats to networks, including, for example, transmission of malicious code and DDoS attacks;
- media liability coverage, which generally covers liability arising out of, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content;
- information asset coverage, which generally covers an insured for the cost of recreating, restoring or repairing the insured’s own data or computer systems;
- network interruption coverage, which generally covers an insured for its lost revenue due to network interruption or disruptions resulting from a DDoS attack, malicious code or other security threats to networks; and
- extortion coverage, which generally covers an insured for the costs of responding to “e-extortion” threats to prevent a threatened cyber attack.
In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk management services, which can be valuable in preventing as well as mitigating attacks.
#4. Spotlight the “Cloud”
Cyber risk is intensified by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers. The Ponemon Institute’s 2011 Cost of Data Breach Study, published in March 2012, found that more than 41% of U.S. data breaches are caused by third-party errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.” 8 Many “off the shelf” cyber policies, however, purport to limit the scope of coverage to the insured’s own acts and omissions (not the acts and omissions of third parties) and to network security threats to the insured’s own network or computer system — not the networks / computer systems of third parties. This may result in illusory coverage. As recently described in Law360, 9 the recent high-profile attack on the New York Times homepage, during which users who tried to access www.nytimes.com were directed to a website apparently maintained by a group called the Syrian Electronic Army, may not be covered under many “off the shelf” policies because the attack was not on the New York Times “system” as defined in many policies, but rather on the system of a third-party domain name registrar.
#5. Remember the Cyber Misnomer
Keep in mind that many data breaches are not electronic — they often result from non-electronic sources. Data privacy laws do not distinguish between a breach resulting from a network security failure or a breach on account of stolen paper records from a closet. Neither should a cyber insurance policy. A solid policy will cover non-electronic data, such as paper records. 10 Likewise, a policy should also provide coverage for physical breaches resulting from, for example, the theft of a laptop or loss of a USB drive.
There are many other considerations and points to focus on. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.
This article first appeared in FC&S Legal, The National Underwriter Company on October 17, 2013.
1 No. CV 13-3728 GAF (JCx), Minutes (In Chambers) Order Re: Motion To Dismiss (Oct. 7, 2013). The two underlying class action lawsuits alleged that Stanford Hospital and Clinics and the insured, medical consulting firm Corcino & Associates, violated the privacy rights of numerous patients by providing confidential personally identifiable medical information to an individual who posted the information on a public website. In particular, the claimants alleged that “the private, confidential, and sensitive medical and/or psychiatric information of almost 20,000 patients of Stanford’s Emergency Department appeared on a public website and remained publicly available online for almost one full year.” Id. at 2 (quoting the Second Amended Class Action Complaint in Springer, et al. v. Stanford Hosp. and Clinics, et al., No. BC470S22 (Cal. Super. Ct., filed May 12, 2012)). The underlying complaints contained causes of action for violations of the claimants’ constitutional right of privacy, common law privacy rights, the California Confidentiality of Medical Information Act (CMIA) and the California Lanterman Petris Short (LPS) Act. The suits sought, among other things, statutory damages of $1000 per person under CMIA and statutory damages of up to $10,000 per person under LPS.
2See Roberta D. Anderson, ISO's Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider “Cyber” Insurance, Law360 (Sept. 23, 2013).
3ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.
4CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled
5See AIG Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Security and Privacy Coverage Section.
6Id. Section 1.
7 Id. Section 2.(d). “Security Breach Notice Law” includes “any statute or regulation that requires an entity storing Confidential Information on its Computer System, or any entity that has provided Confidential Information to an Information Holder, to provide notice of any actual or potential unauthorized access by others to Confidential Information stored on such Computer System, including but not limited to, the statute known as California SB 1386 (§1798.82, et. al. of the California Civil Code).” Id. Section 2.(m).
82011 Global Cost Of Data Breach Study, Ponemon Institute LLC, at 6 (Mar. 2012).
9See Lon Berk, Takeaways From Recent Cyberattack On New York Times, Law360 (Sept. 17, 2013)
10 See Richard S. Betterley, The Betterley Report, Cyber/Privacy Insurance Market Survey, at 18 (June 2013).