[BreachExchange] Cyber-Insurance: Is It Right for Your Business?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 16 19:26:59 EDT 2016


http://www.baselinemag.com/security/cyber-insurance-is-it-right-for-your-business.html

As we rapidly evolve through the information age, businesses rush to keep
pace. Unfortunately, hackers have not only kept pace, but are now outpacing
their victims as they find more creative ways to breach the security
measures erected to keep them out.

While retailers and merchants are obvious targets of a data breach, any
business that maintains personal information is a potential target. Data
breaches result in a virtual goldmine of stolen information, and the use of
stolen credit card numbers is just the beginning. Email addresses enable
thieves to create phony email designed to obtain sensitive personal
information by making an email appear to originate from a legitimate
source, such as a bank.

The greatest data breach occurred at Target during the 2013 holiday season.
After a staggering 40 million credit and debit cards were stolen in a few
weeks, the company incurred an estimated $400 million in administrative
costs, an estimated $236 million in expenses and a 46 percent drop in
profits.

Target was sued on two fronts—by compromised consumers and by the issuing
banks that bore the costs of replacing credit and debit cards and paying
the fraudulent charges.

Target filed a motion to dismiss the issuing banks’ suit, arguing that it
did not owe a duty to the banks to protect them from the hackers’ wrongful
acts. The court denied Target’s motion, stating that Target played a key
role in allowing the harm to occur.

As for allegations that Target purposefully disabled a security feature
that would have prevented the harm, the court concluded that Target’s own
conduct could have created a risk of injury to a foreseeable plaintiff.
(For purposes of a motion to dismiss, the plaintiffs’ allegations were
presumed to be true, as the court was determining whether the issuing banks
had a cause of action to proceed against Target, not whether their claims
were true. In re Target Corp. Data Sec. Breach Litigation, 66 F. Supp. 3d
1154 (D. Minn. 2014).)

A class action suit was filed by the individuals whose data was compromised
pursuant to 38 state data breach statutes. The suit asserted that Target
failed to provide timely and adequate notice of the breach.

The court recognized that some state statutes were ambiguous, but allowed
the class action to proceed under 26 state data breach statutes. Other
states have taken notice, and many have enacted breach disclosure statutes
that provide a private right of action.

The Role of Cyber-insurance: The Market Responds

As a result of actual and threatened events, the insurance market has
responded with a new product to protect businesses from data breaches:
cyber-insurance. Traditionally, businesses sought coverage for losses of
data breaches under commercial property, commercial general liability, and
business interruption policies for first-party losses, and under commercial
liability and directors and officers liability policies for third-party
losses.

However, in the late 1990s, insurers began offering cyber-insurance in the
form of standalone policies. Yet, despite recent data breaches, only 20 to
30 percent of American firms purchase cyber-insurance.

The case law interpreting these policies is scarce, as courts struggle to
define the parameters of cyber-liability. Courts are increasingly allowing
plaintiffs to file creative claims against businesses in the wake of data
breaches.

There are two types of cyber-insurance coverage available—first-party
coverage and third-party coverage.

First-party coverage handles direct costs incurred when responding to a
data breach or security failure. Common first-party costs include forensic
investigations; legal counsel to advise a company regarding its
notification and regulatory obligations; notification costs; credit
monitoring; security liability to prevent the entrance or spread of a
cyber-attack; cyber-extortion; public relations expenses; plus lost profits
and extra expenses incurred while the victim’s network is down.

Third-party coverage applies to costs incurred when a business is sued,
when claims are made against the business or when regulators demand
information. Common third-party costs include legal defense charges;
liability for the loss of customer and/or employee information;
settlements, damages and judgments related to the breach; liability to
issuing banks for new card expenses; cost of responding to regulatory
inquiries; and regulatory fines and penalties.

At the time this article was written, 47 states had adopted data breach
notification laws, creating a confusing legal patchwork. This landscape
makes it difficult for multistate companies to comply in the wake of a
large-scale breach.

While the state laws share some common threads—such as requiring companies
to notify all individuals if any personal information is lost, stolen or
compromised—many state laws differ on various provisions. These include the
following:

· The time limit to notify individuals of a breach (laws range from “most
expedient time possible” to “no later than 45 days”);

· When notification is triggered, i.e., whether there is a “risk” or
“actual harm”;

· How personal information is defined;

· Whether individuals in various states possess a private right of action,
or whether only a state attorney general or other state agency can seek
relief on their behalf; and

· The type and manner of notification.

In response, federal lawmakers have attempted, without success, to
introduce federal legislation to replace this patchwork of inconsistent
state laws.

In early 2015, President Barack Obama announced the “Personal Data
Notification and Protection Act of 2014” (S. 1976 113th Cong. 2014). Under
the proposed legislation, businesses that store “sensitive personally
identifiable information” of more than 10,000 people would be required to
provide notification of security breaches without “unreasonable delay,”
which is currently defined as less than 30 days.

Additional notice would have to be provided to the Department of Homeland
Security for breaches involving 5,000 or more. However, there are
exemptions to the notification requirement, as well as options to obtain
additional time for notification.

There are two main criticisms of the bill. First, the 30-day notice period,
which is shorter than that of most states, would restrict the time
businesses would have to investigate a data breach. Second, the law would
supersede all existing state data breach laws, which does not sit well with
many states. Previous attempts to enact federal legislation to streamline
notification procedures have repeatedly failed in Congress.

Due to the extensive costs posed by a data breach, cyber-insurance is a
viable alternative. Keep in mind that the policies are expensive, and
purchasing such a policy will require an extensive analysis of the size of
your business and potential risks when considering coverage limits.

Since ancillary costs can quickly erode aggregate policy limits in the
event of a large-scale breach, ensuring adequate coverage in the event of a
data breach is vital.