[BreachExchange] Cyber Insurance: Make Sure You Understand Your Coverage

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 24 17:44:13 EDT 2016


http://www.jdsupra.com/legalnews/cyber-insurance-make-sure-you-75691/

Today, businesses are increasingly purchasing cyber-specific insurance in
an effort to mitigate the financial impact of a breach or other
cybercrime.  In terms of what might be covered in a cyber insurance policy,
there are basically two types of coverage – “first party” coverage and
“third-party” coverage.  First party coverage covers the types of losses
that your company might suffer directly in the event of a data incident.
That may include losses, some of which may be covered and some not, such as
data destruction, denial of service attacks, incident response, crisis
management, public relations, forensic investigation, remediation, breach
notifications, credit monitoring, data restoration, business interruption,
lost intellectual property, theft and extortion, or damage to reputation.
Third party coverage refers to coverage for claims that may be made by
third parties against your company arising out of a data incident, such as
data breach lawsuits.

The cyber insurance market is set to triple, from 2014 annual sales of
around $2.5 billion to $7.5 billion by 2020.  In some sense that news is
not very surprising and the number not so high: news of large-scale hacking
incidents involving the theft of millions of records seems alarmingly
regular.  Given what is at stake for companies that possess and could lose
large amounts of valuable data, buying insurance makes sense.
Cyber-related crime already costs the global economy $400 billion per year,
and that number is expected to rise.

But key questions remain.  Are cyber risks covered by more general policies
that are not cyber-specific?  If not, what should cyber insurance look
like?  Looking at some recent cases involving the still nascent cyber
insurance market is revealing.

Perhaps the most prominent example of trying to fit the square peg of a
hacking incident into the round hole of a non-cyber-specific insurance
policy stems from the 2011 Sony PlayStation data breach.  Late in 2011,
Sony’s insurer filed an action against a dozen or so defendants in the
Supreme Court of New York seeking a declaratory judgment that would reduce
or eliminate its responsibility for coverage.  The insurance company argued
its policy “was never intended to cover cyber losses.”

The issue in the case, as is often the situation in insurance litigation,
turned on the meaning of certain key words and phrases in the policy.  Most
critical was the definition of “personal and advertising injury,” which
included “oral or written publication in any manner of the material that
violates a person’s right of privacy.”  The judge indicated that “just
merely opening up that safeguard or that safe box where all of the
information was, in my mind, my finding is that is a publication.”  He then
had to determine whether that language provided coverage to Sony, the
victim of the publication, or whether it was merely intended to cover Sony
if it perpetrated the publication.  He held that “the policyholder has to
act,” and continued, stating that the policy “cannot be expanded to include
3rd party acts.”  Thus, the court found no duty to defend.  The court
refused to credit Sony’s argument that the language of a then-forthcoming
data breach exclusion in future policies of the insurer was evidence that
the policy at issue was intended to cover the data breach at issue.

The judge ruled from the bench, noting the issue “needs . . . [a]ppellate
review as quickly as possible.”  The case was appealed and argued to the
appellate court, then settled before a decision was reached.  After this
case, insurers began to attempt to more clearly exclude certain cyber risks
from more general policies.

Even if you purchase a cyber-specific insurance policy, disputes over
coverage may still arise.  In a case involving an insured named Federal
Recovery Services, the insured, who had carried a cyber policy, allegedly
mishandled data from a company that operated fitness centers in several
states.  Nonetheless, the United States District Court in Utah found no
duty to defend for the insurance company under the policy.  This case
illustrates two conflicting issues floating around in the world of cyber
insurance:  first, that whether an insured is actually covered is not
always so clear; and, second, that courts may be requiring a heightened
standard of care for insurers to diligently investigate a cyber-related
claim.

A separate suit in Louisiana further illustrates that there are nuances
when it comes to cyber coverage.  In a case involving New Hotel Monteleone,
LLC, a hotel that had purchased cyber insurance after a data breach was
breached again during the policy period.  The total limit on the policy was
$3 million, but the insurer claims a sublimit of $200,000 in the policy
applies.  The issue there largely boils down to whether the sublimit, which
applies to demands from “a credit card association,” is applicable when the
demand came from a payment card processor.  The case, originally filed in
state court, has been transferred to federal court and stayed.

There is a lot to consider regarding cyber insurance, starting with the
basics: do you need it, what risks should be covered (first party
remediation, third party claims, or both), and how much is enough.  There
are also numerous issues to consider that insureds may not have thought
about previously when purchasing other types of policies: Will the carrier
choose the forensics expert in the event of a breach or do you get to
choose?  Will the carrier impose underwriting conditions like data
encryption and periodic audits or penetration tests?  What key data are you
trying to protect, how is it currently secured, and what is the risk of
third party claims or litigation if it is compromised?

For now, perhaps the most important thing to do is make sure you do not
fall into the category of someone who thinks they are covered when they are
not.  Many companies think their GCL or E&O policies cover certain cyber
risks, when in reality those risks may be specifically excluded.  And many
companies that have already purchased cyber insurance wrongly think it
covers all first party costs in the event of an incident – like
investigation, notification and credit monitoring – when it actually only
covers third party claims.  The fact is that, of the nearly 5,000
publicly-known data breaches over the past dozen or so years, less than 5%
have resulted in litigation.  If your cyber coverage only kicks in when a
third party makes a claim, then practically speaking you may not have any
coverage at all.