Today, businesses are increasingly purchasing cyber-specific insurance in an effort to mitigate the financial impact of a breach or other cybercrime. In terms of what might be covered in a cyber insurance policy, there are basically two types of coverage – “first party” coverage and “third party” coverage. First party coverage covers the types of losses that your company might suffer directly in the event of a data incident. That may include losses, some of which may be covered and some not, such as data destruction, denial of service attacks, incident response, crisis management, public relations, forensic investigation, remediation, breach notifications, credit monitoring, data restoration, business interruption, lost intellectual property, theft and extortion, or damage to reputation. Third party coverage refers to coverage for claims that may be made by third parties against your company arising out of a data incident, such as data breach lawsuits.
The cyber insurance market is set to triple, from 2014 annual sales of around $2.5 billion to $7.5 billion by 2020. In some sense that news is not very surprising and the number not so high: news of large-scale hacking incidents involving the theft of millions of records seems alarmingly regular. Given what is at stake for companies that possess and could lose large amounts of valuable data, buying insurance makes sense. Cyber-related crime already costs the global economy $400 billion per year, and that number is expected to rise.
But key questions remain. Are cyber risks covered by more general policies that are not cyber-specific? If not, what should cyber insurance look like? Looking at some recent cases involving the still nascent cyber insurance market is revealing.
Perhaps the most prominent example of trying to fit the square peg of a hacking incident into the round hole of a non-cyber-specific insurance policy stems from the 2011 Sony PlayStation data breach. Late in 2011, Sony’s insurer filed an action against a dozen or so defendants in the Supreme Court of New York seeking a declaratory judgment that would reduce or eliminate its responsibility for coverage. The insurance company argued its policy “was never intended to cover cyber losses.”
The issue in the case, as is often the situation in insurance litigation, turned on the meaning of certain key words and phrases in the policy. Most critical was the definition of “personal and advertising injury,” which included “oral or written publication in any manner of the material that violates a person’s right of privacy.” The judge indicated that “just merely opening up that safeguard or that safe box where all of the information was, in my mind, my finding is that is a publication.” He then had to determine whether that language provided coverage to Sony, the victim of the publication, or whether it was merely intended to cover Sony if it perpetrated the publication. He held that “the policyholder has to act,” and continued, stating that the policy “cannot be expanded to include 3rd party acts.” Thus, the court found no duty to defend. The court refused to credit Sony’s argument that the language of a then-forthcoming data breach exclusion in future policies of the insurer was evidence that the policy at issue was intended to cover the data breach at issue.
The judge ruled from the bench, noting the issue “needs . . . [a]ppellate review as quickly as possible.” The case was appealed and argued to the appellate court, then settled before a decision was reached. After this case, insurers began to attempt to more clearly exclude certain cyber risks from more general policies.
Even if you purchase a cyber-specific insurance policy, disputes over coverage may still arise. In a case involving Federal Recovery Services, the insured, which carried a cyber policy, allegedly mishandled data from a company that operated fitness centers in several states. Nonetheless, the United States District Court in Utah found that the insurance company had no duty to defend under the policy. This case illustrates two conflicting issues floating around in the world of cyber insurance: first, that whether an insured is actually covered is not always so clear; and, second, that courts may be requiring a heightened standard of care for insurers to diligently investigate a cyber-related claim.
A separate suit in Louisiana further illustrates that there are nuances when it comes to cyber coverage. In a case involving New Hotel Monteleone, LLC, a hotel that had purchased cyber insurance after a data breach was breached again during the policy period. The total limit on the policy was $3 million, but the insurer claims a sublimit of $200,000 in the policy applies. The issue there largely boils down to whether the sublimit, which applies to demands from “a credit card association,” is applicable when the demand came from a payment card processor. The case, originally filed in state court, has been transferred to federal court and stayed.
There is a lot to consider regarding cyber insurance, starting with the basics: do you need it, what risks should be covered (first party remediation, third party claims, or both), and how much is enough. There are also numerous issues to consider that insureds may not have thought about previously when purchasing other types of policies: Will the carrier choose the forensics expert in the event of a breach, or do you get to choose? Will the carrier impose underwriting conditions like data encryption and periodic audits or penetration tests? What key data are you trying to protect, how is it currently secured, and what is the risk of third party claims or litigation if it is compromised?
For now, perhaps the most important thing to do is make sure you do not fall into the category of someone who thinks they are covered when they are not. Many companies think their GCL or E&O policies cover certain cyber risks, when in reality those risks may be specifically excluded. And many companies that have already purchased cyber insurance wrongly think it covers all first party costs in the event of an incident – like investigation, notification and credit monitoring – when it actually only covers third party claims. The fact is that, of the nearly 5,000 publicly known data breaches over the past dozen or so years, fewer than 5% have resulted in litigation. If your cyber coverage only kicks in when a third party makes a claim, then practically speaking you may not have any coverage at all.