Insurance in the Digital Age: New Risks May Require New Coverage

Businesses have always collected and held valuable personal information belonging to their customers and employees, but that information is rapidly approaching the end of a near-universal migration from stuffed filing cabinets to networked hard drives. In its new electronic space, it becomes no more valuable, but far more vulnerable to mischief-makers worldwide. So-called “cyber attackers,” who President Obama has called “one of the most serious economic and national security threats our nation faces,” have generated an entire mini-industry devoted entirely to protecting businesses and consumers from their malevolence. In fact, October is National Cyber Security Awareness Month -- so named by Presidential proclamation for the last seven years. There are cybersecurity companies, think tanks, government agencies, and, of course, insurance – the subject of this article.

It should be no surprise that the consequences of a data breach can be disastrous. Sony Corporation currently faces 55 putative class action lawsuits stemming from the widely-publicized data breaches that shut down its PlayStation Network for weeks. Hundreds of similar lawsuits are winding their way through state and federal courts across the country. A single data breach can result in massive defense costs, huge jury verdicts, crippling publicity, and governmental civil and criminal proceedings.

Data breach litigation is on the rise, due in part to laws in most states (including North Carolina) requiring disclosure of data breaches. Earlier this year, the Obama Administration called for federal legislation that standardizes these laws. While intended to improve consumer awareness, these laws also provide opportunities for plaintiffs’ attorneys to bring lawsuits on behalf of huge classes of consumers. In short, as hackers get smarter and laws get tighter, the risk of a costly data breach rises – particularly for businesses without the resources to centralize IT departments and invest in cutting-edge security measures. Businesses are increasingly turning to insurance to manage this risk, where they find themselves surprised by the limitations of their existing coverage.

Whether data breach losses are covered by traditional Commercial General Liability (“CGL”) policies is an open question, although the weight of judicial authority is trending against coverage. The U.S. Court of Appeals that covers both North and South Carolina has ruled that insurance covering losses associated with “tangible property” -- a common form of commercial liability coverage -- does not apply to electronically-stored data. Although other courts have reached different conclusions, this ruling is binding precedent for federal litigation in North and South Carolina (as well as Virginia, West Virginia and Maryland). Therefore, businesses holding only traditional CGL policies should presume they currently have no coverage for losses caused by data breaches.

For businesses looking to mitigate these risks, several insurers now offer stand-alone cyber liability policies, including AIG (netAdvantage) and Chubb (Safety Net and Cyber Security). The scope of coverage varies, but cyber liability policies generally cover defense costs, settlements, judgments and sometimes governmental penalties resulting from theft and unauthorized dissemination of electronic data; virus transmission; security failures causing network unavailability to third parties; and intellectual property infringement, libel, slander and defamation caused by data breaches or activities on the policyholder’s web site. Coverage can also be obtained for lost profits and crisis management costs. Although premiums vary significantly depending on the scope of desired coverage and the insured’s business, a typical annual premium might be $5,000 for coverage of $1 million, with a $25,000 deductible. Businesses that store especially large amounts of personal data, such as financial institutions and healthcare providers, can expect to pay substantially higher premiums.

A business considering cyber liability insurance can take the following steps to help ensure it procures the right type and amount of coverage, at the lowest possible cost:

• Determine the extent to which your current policies cover electronic data liability. This may require consultation with your broker or attorney.
• Obtain an assessment of your cyber-risk exposure before going to the market to purchase coverage. This will allow you to answer questions concerning your cyber-security measures, data systems, processes, and the nature and scale of private data your business stores. A number of insurance companies tout their assessments as part of the quotation process, but an independent assessment may yield a more objective analysis of your exposure.
• Review existing contracts with vendors and customers to determine whether your business has contractually assumed any data breach liabilities. This information should be disclosed to prospective insurers because most polices exclude coverage for undisclosed contractual liabilities.
• Consider requiring your vendors and others with whom confidential information may be shared to provide proof of their own cyber liability coverage, and to add your business as an additional insured.
• Depending on the capabilities of your current IT personnel, consider hiring a full- or part-time information security officer (or equivalent title). This person’s sole focus will be cyber security, rather than more traditional functions performed by IT personnel.
• Create and enforce internal policies governing your employees’ use of social networking sites.
• Create a data retention policy tailored to your specific needs. This will help ensure that confidential data is purged when it is no longer needed.
• If your business decides to purchase cyber liability insurance, make sure the scope and monetary limits or coverage are adequate. Coverage with a $50,000 per incident limit, or that excludes protection for breaches caused by the policyholder’s employees or third-party contractors is of little value in the context of many data breaches.
• You should also consider losses other than liability-related expenses. For example, electronically stored data may expose a business to the following costs:
  • Customer relations cleanup following an attack
  • Security system restoration expenses
  • Lost income due to network business interruption
  • Reward offerings for information leading to arrest of the hacker
  • Costs associated with investigating and resolving an electronic data extortion attempt

The business world is becoming ever more dependent upon electronic collection and storage of sensitive customer data, and breaches of that data are easier than ever to identify and exploit through the legal system. The cost of a security breach can be far-reaching and long-lasting. When combined with appropriate security measures and disclaimers, wisely-selected insurance can be an essential backstop to an overall risk-management program.