How to Purchase “Cyber” Insurance

The Insurance Coverage Law Information Center
How to Purchase “Cyber” Insurance
By Roberta D. Anderson
Roberta D. Anderson, a partner in the Pittsburgh office of K&L Gates LLP, concentrates her
practice in insurance coverage litigation and counseling. She has represented policyholders in
connection with a wide range of insurance issues and disputes arising under almost every kind
of insurance coverage, including general liability, commercial property and business interruption,
“cyber”-liability, directors and officers, errors and omissions (“E&O”), technology E&O,
professional liability, employment practices liability, political risk, environmental, fidelity, fiduciary,
crime, terrorism, residual value, nuclear, and other insurance coverages, and in broker liability
disputes. She can be reached at [email protected].
“Cyber” insurance can be an extremely valuable asset in an organization’s strategy to address and
mitigate cyber security, data privacy, and other risks. But selecting and negotiating the right insurance
product can present a significant challenge given, among other things, the lack of standardized policy
language and the fact that many “off the shelf” policies do not adequately match the organization’s
risk profile. The following five tips will help to facilitate a successful cyber policy placement.
#1. Get a Grasp on Risk Profile and Tolerance
A successful cyber placement is facilitated by having a thorough understanding of an organization’s risk profile,
including the scope and type of personally identifiable information and confidential corporate data maintained
by the company and the manner in which (and by whom) such data is used, transmitted, and stored. A complete
understanding of the risk profile also entails evaluation of the organization’s IT infrastructure and practices and
assessment of potential threats to the organization’s (and its vendors’) network security. An organization should also
consider the pervasiveness and manner of use of unencrypted mobile and other portable devices. There are many other
factors that may warrant consideration. An organization should also assess its potential exposure in the event of a data
breach or network security incident. When an organization has a grasp on its risk profile, potential exposure, and risk
tolerance, it is well positioned to consider the type and amount of insurance coverage that it needs in order to adequately
respond to identified risks and exposure.
#2. Look at Existing Coverage
The California federal district court’s recent October 7th decision in Hartford Casualty Insurance Company v.
Corcino & Associates et al.[i] – upholding coverage under a commercial general liability (“CGL”) policy for a data
breach that compromised the confidential medical records of nearly 20,000 patients – underscores that there may
be valuable privacy and data breach coverage under “traditional” insurance policies, including under the “Personal
And Advertising Injury Liability” (Coverage B) of a typical CGL policy. There may also be valuable coverage for
data breach and network security liability and network security failures under an organization’s commercial property,
directors and officers (“D&O”), errors and omissions (“E&O”), professional liability, fiduciary, crime, and other
coverages.
#3. Purchase “Cyber” Insurance As Needed
In response to decisions upholding coverage for data breach, privacy, network security, and other “cyber” risks,
the insurance industry has added various limitations and exclusions purporting to cut off the “traditional” lines
of coverage. By way of example, Insurance Services Office, Inc. (“ISO”)[ii] recently filed a number of data breach
exclusionary endorsements for use with its standard-form primary, excess, and umbrella CGL policies. These are
to become effective in May 2014. By way of example, one of the endorsements, entitled “Exclusion - Access Or
Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited Bodily Injury Exception
Not Included,” adds the following exclusion to Coverage B:
This insurance does not apply to:
Access Or Disclosure Of Confidential Or Personal Information
“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s
confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial
information, credit card information, health information or any other type of non public information.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic
expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any
access to or disclosure of any person’s or organization’s confidential or personal information.[iii]
Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some
time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for
companies to carefully consider specialty “cyber” insurance products. Even where insurance policies do not contain the
newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies.
As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This
coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or
potentially compromises confidential personally identifiable information. By way of example, the AIG Specialty Risk
Protector® specimen policy[iv] states that the insurer will:
pay … all Loss
that the:
Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.[v]
“Privacy Event” includes:
(1) any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or
otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of
the identity of an individual or corporation;
(2) failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice
Law; or
(3) violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for
compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Subparagraphs (1) or (2) above.[vi]
“Confidential Information” is defined as follows:
“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and
control or for which a Company or Information Holder is legally responsible:
(1) information from which an individual may be uniquely and reliably identified or contacted, including, without
limitation, an individual’s name, address, telephone number, social security number, account relationships,
account numbers, account balances, account histories and passwords;
(2) information concerning an individual that would be considered “nonpublic personal information” within
the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as
amended) and its implementing regulations;
(3) information concerning an individual that would be considered “protected health information” within Health
Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
(4) information used for authenticating customers for normal business transactions;
(5) any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices,
processes, records, reports or other item of information that is not available to the general public[.]
A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations,
fines, and penalties and, importantly, will commonly offer “remediation” coverage (sometimes termed “crisis
management” or “notification” coverage) to address costs associated with a security breach, including:
•
costs associated with post-data breach notification
•
credit monitoring services
•
forensic investigation to determine cause and scope of a breach
•
public relations efforts and other “crisis management” expenses
•
legal services to determine an insured’s indemnification rights where a third party’s error or omission has
caused the problem.
The sublimits typically associated with remediation coverage warrant careful attention.
Cyber insurance policies often offer other types of coverages, including:
•
network security coverage (often in the same coverage grant as the “privacy” coverage discussed above),
which generally covers liability arising out of security threats to networks, including, for example,
transmission of malicious code and DDoS attacks;
•
media liability coverage, which generally covers liability arising out, for example, infringement of copyright
and other intellectual property rights and misappropriation of ideas or media content;
•
information asset coverage, which generally covers an insured for the cost of recreating, restoring or repairing
the insured’s own data or computer systems;
•
network interruption coverage, which generally covers an insured for its lost revenue due to network
interruption or disruptions resulting from a DDoS attack, malicious code or other security threats to
networks; and
•
extortion coverage, which generally covers an insured for the costs of responding to “e-extortion” threats to
prevent a threatened cyber attack.
•
In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk
management services, which can be valuable in preventing as well as mitigating attacks.
#4. Spotlight The “Cloud”
Cyber risk is intensified by the trend in outsourcing of data handling, processing and/or storage to third party
vendors, including “cloud” providers. The Ponemon Institute’s 2011 Cost of Data Breach Study, published in March
2012, found that over 41 percent of U.S. data breaches are caused by third party errors, including “when protected
data is in the hands of outsourcers, cloud providers and business partners.”[vii] Many “off the shelf” cyber policies,
however, purport to limit the scope of coverage to the insured’s own acts and omissions (not the acts and omissions of
third parties) and/or to network security threats to the insured’s own network or computer system – not the networks
/ computer systems of third parties. This may result in illusory coverage. The recent high profile attack on the New
York Times homepage, during which users that tried to access www.nytimes.com were directed to a website apparently
maintained by a group called the Syrian Electronic Army, may not be covered under many “off the shelf” policies
because the attack was not on the New York Times “system” as defined in many policies, but rather on the system of
a third party domain name registrar.
#5. Remember the “Cyber”Misnomer
Keep in mind that many data breaches are not electronic – they often result from non-electronic sources. Data
privacy laws do not distinguish between a breach resulting from a network security failure or a breach on account
of stolen paper records from a closet. Neither should a “cyber” insurance policy. Although this type of coverage is
commonly referred to as “cyber” insurance, a solid policy will cover non-electronic data, such as paper records.[viii]
Likewise, a policy should also provide coverage for physical breaches resulting from, for example, the theft of a laptop
or loss of a USB drive.
There are many other considerations and points to focus on. There is a dizzying array of cyber products on the
marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer
– even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it
is intended to cover, successful placement requires the involvement and input, not only of a capable risk management
department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources,
and compliance personnel – and experienced insurance coverage counsel.
[i] No. CV 13-3728 GAF (JCx), Minutes (In Chambers) Order Re: Motion To Dismiss (Oct. 7, 2013). The two
underlying class action lawsuits alleged that Stanford Hospital and Clinics and the insured, medical consulting
firm Corcino & Associates, violated the privacy rights of numerous patients by providing confidential personally
identifiable medical information to an individual who posted the information on a public website. In particular,
the claimants alleged that “the private, confidential, and sensitive medical and/or psychiatric information
of almost 20,000 patients of Stanford’s Emergency Department appeared on a public website and remained
publicly available online for almost one full year.” Id. at 2 (quoting the Second Amended Class Action Complaint
in Springer, et al. v. Stanford Hosp. and Clinics, et al., No. BC470S22 (Cal. Super. Ct., filed May 12, 2012)).
The underlying complaints contained causes of action for violations of the claimants’ constitutional right of
privacy, common law privacy rights, the California Confidentiality of Medical Information Act (“CMIA”) and
the California Lanterman Petris Short (“LPS”) Act. The suits sought, among other things, statutory damages of
$1000 per person under CMIA and statutory damages of up to $10,000 per person under LPS.
[ii] ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to
have those forms approved by state insurance commissioners.
[iii] CG 21 07 05 14 (2013). “Electronic data” is defined as:
information, facts or programs stored as or on, created or used on, or transmitted to or from computer software,
including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing
devices or any other media which are used with electronically controlled equipment.
Id.
[iv] See AIG Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Security and Privacy Coverage
Section.
[v] Id. Section 1.
[vi] Id. Section 2.(d). “Security Breach Notice Law” includes:
any statute or regulation that requires an entity storing Confidential Information on its Computer System, or any
entity that has provided Confidential Information to an Information Holder, to provide notice of any actual or
potential unauthorized access by others to Confidential Information stored on such Computer System, including
but not limited to, the statute known as California SB 1386 (§1798.82, et. al. of the California Civil Code).
Id. Section 2.(m).
[vii] 2011 Global Cost Of Data Breach Study, Ponemon Institute LLC, at 6 (Mar. 2012).
[viii] See Richard S. Betterley, The Betterley Report, Cyber/Privacy Insurance Market Survey, at 18 (June 2013).
Reprinted with permission from FC&S Legal: The Insurance Coverage Law Information Center
(www.fcandslegal.com). All rights reserved. For information about becoming a subscriber, call
800-543-0874.