Understanding Cyber Liability (Part 2)
Cyber insurance is broken into two primary areas: first-party and third-party coverage.
Within the third-party coverage provided by the insurance carriers, third-party claims fall into four specific areas:
Privacy Liability
Network Security
Contractual Liability
Media Liability
Privacy Liability: Privacy liability arises from an organization’s failure or negligence in preventing unauthorized access, unintentional disclosure, or loss of personally identifiable information (PII) or patient healthcare information (PHI) of employees or customers in violation of a federal, foreign, or state privacy law.
Typical examples include:
PII accidentally posted on a website or sent to the wrong party via email, fax, or regular mail
Lost or discarded non-electronic records, such as paper files thrown into a dumpster without prior shredding
Lost or stolen electronic records stored on laptops, thumb drives, backup tapes, or other mobile devices
Privacy liability may result in third-party claims brought by regulatory authorities or by affected customers or patients. Regulatory claims typically arise from the policyholder’s violation of a specific privacy law requiring prompt notification and may result in significant fines or penalties. As the laws differ across the 47 states (alongside federal laws such as the HITECH Act), policyholders need to be aware that they must comply with each applicable law. For example, a policyholder who experiences a breach and has clients residing in multiple states must determine whether it has a duty to notify each client under the privacy law of the state where the client lives rather than the state where the organization is located. This can be a confusing process that requires the assistance of an attorney who is well-versed in each state’s specific privacy laws. Not all cyber risk policies provide coverage for regulatory defense and/or fines or penalties, and some provide such coverage only on a sub-limit basis.
Most privacy laws make a distinction between a data owner and a data holder. For example, under the HITECH Act, a data owner is a “Covered Entity,” defined as any medical provider or organization that collects PHI directly from a patient. As a data owner, the “Covered Entity” has a duty to provide notification to each patient within 60 days of learning that the PHI has been lost, stolen, or compromised. However, if a “Covered Entity” has transferred the PHI to a third party (a Business Associate) for storage or processing (such as a TPA or medical billing firm) and the third party is responsible for a breach of the PHI, the third party must notify the “Covered Entity” immediately. The third party is considered a data holder and, under the HITECH Act, its only duty is to notify the “Covered Entity.”
It should be noted that under most state and federal privacy laws, notification is generally not required when a device storing the data is lost or stolen if the data on it is in an encrypted format.
Contractual Liability: Many policyholders assume contractual liability for the loss or unauthorized disclosure of PII, PHI, or the corporate confidential information of their customers. Cyber risk policies typically do not provide any coverage for hold harmless or indemnification agreements. However, some insurance companies may agree to name clients as additional insureds for any liability a client may be exposed to if its business partner is responsible for a breach of data in the partner’s care. Still other carriers may agree to amend their first-party coverage to provide direct indemnification to a policyholder’s customers if a contract requires the policyholder to indemnify the customer for notification or credit monitoring expenses when the policyholder is responsible for a data breach. Each contract, including any hold harmless or indemnification agreement, should be reviewed by the broker and carrier to clarify coverage.
Another aspect of contractual liability arises from the Payment Card Industry Data Security Standard (PCI-DSS). Policyholders who accept credit card payments must sign a Merchant Services Agreement with a Merchant Bank or Card Processor. Such agreements are unilateral, and if a policyholder is found to be PCI-DSS non-compliant at the time of a data breach, the policyholder may be contractually liable for the following:
Costs of a payment forensic investigation to determine whether the policyholder was non-compliant at the time of the breach (this can cost thousands of dollars a day)
Cost to reissue credit cards affected by the breach
Reimbursement of the Merchant Bank or Card Processor for fraudulent charges on affected cards
Payment of fines or penalties levied by the Merchant Bank or Card Processor
Network Security: This involves the theft or loss of PII, PHI, or corporate confidential information from a policyholder’s computer system, or from a third party (such as a vendor or cloud provider) storing, hosting, or processing such information on the insured’s behalf. Network security also includes losses arising from a denial of service attack, a hacking attack, or the introduction of malware or spyware by an unauthorized party or a rogue employee. Specific examples include:
Skimming at point-of-sale terminals by card skimming devices
Malware that captures credit card data at point-of-sale terminals
Phishing attacks that trick employees into unknowingly downloading software which launches viruses or malware throughout the policyholder’s computer network, exposing records to outside attackers
Theft of data while in transit (once it leaves the server en route to its destination)
A denial of service attack launched against the policyholder’s network which overwhelms the system and shuts it down, denying use of the network
Media Liability: Media liability coverage may be provided to policyholders to protect them from claims arising from their websites’ content. It is intended to protect them from allegations such as copyright and trademark infringement, plagiarism, and product disparagement, as well as some personal injury allegations such as libel/slander, emotional distress, or disclosure of private facts. Some policy forms will cover any content posted on social media sites or blogs by an insured, or posted by third parties on an insured’s site(s). While this coverage may overlap the Personal Injury and Advertising Liability found in Coverage B of a General Liability policy, a GL policy’s coverage may be more limited: some GL forms exclude content disseminated over the internet, content created for others, or content posted to social media sites. The media coverage provided by insurance carriers varies and may extend to non-electronic media (print, public speaking, and other forms of dissemination). Coverage does not extend to patent infringement or theft of trade secrets. Some policy forms may include content negligence, which allows coverage to respond to damages arising from reliance on content that was inaccurately or negligently posted to a website.
FIRST-PARTY COVERAGE: Breach Response Expense: Cyber risk policies provide coverage to pay on behalf of or reimburse the policyholder for various expenses they incur to respond to a data breach. This coverage includes:
Forensic Investigation Expense: Costs to hire a forensic investigator to determine the cause and scope of a data breach
Legal Expense: Costs to hire attorneys to determine whether a breach requires notification under state or federal law and to draft the notification letter, when applicable
Notification Expense: Costs to mail notification letters, set up call centers, and handle unreturned mail
Credit Monitoring Expense: Although not required by law, coverage is provided for credit monitoring for affected individuals
Crisis Management/Public Relations Expense: Costs for hiring public relations professionals to handle the communications if the breach becomes public knowledge
The breadth and scope of the breach response expenses provided by the insurance carriers vary. Some carriers provide a sub-limit for each of the above expenses as part of an overall aggregate policy limit. Other carriers provide a sub-limit outside the policy aggregate limit. Some carriers provide coverage for the above expenses on a “per affected individual” basis, providing all notification and credit monitoring expenses up to a specific number of affected individuals, outside the general policy aggregate limit.
Data Restoration Expense: Policyholders may have electronic data or records that are damaged, destroyed, corrupted, or lost due to a cyber-attack or the actions of a malicious employee. This coverage will reimburse the policyholder for the expense of recreating or repairing the destroyed or damaged data. For example:
An employee downloads a virus through a fraudulent email, and the virus destroys the company’s accounting records. The data restoration expense coverage would reimburse the company for the costs to recreate its accounting files.
Cyber Business Interruption: As a result of a network security event, such as a denial of service attack or corruption of the network by malware, the policyholder’s computer network or point-of-sale system may have to be shut down until the system’s integrity is restored. While the network or point-of-sale system is shut down, the policyholder may lose significant profits that it would have earned had the event not occurred. Cyber business interruption coverage will reimburse the policyholder for its lost profits until the system is restored. It may also pay for the operating expenses incurred to restore the network and the forensic expenses to determine the source of the attack. Also, some policy forms provide limited coverage for contingent business income losses. Such coverage applies if a covered cause of loss shuts down a vendor’s computer network, leading to lost profits for the policyholder. An example would be a policyholder that depends on a third party to host its eCommerce site, where malware shuts the site down, resulting in lost sales.
Cyber Extortion: Computer systems may be targeted by criminals who either threaten to shut down a policyholder’s computer network (for example, through a denial of service attack) or who have stolen confidential records and threaten to release them to the public if a ransom is not paid. Even more insidious have been “ransomware” attacks, which encrypt a policyholder’s entire network unless a ransom is paid. Cyber extortion coverage will pay the ransom and the associated costs of effecting its payment.
Reputational Harm Coverage: Data breach events can cause significant harm to an organization’s reputation. Many organizations see a significant decline in income following the public’s awareness of a data breach. For example, Target suffered a large drop in revenue the quarter immediately after the announcement of its breach. Some insurance carriers are now offering reputational harm coverage. This coverage begins once the policyholder’s computer network has been restored and provides for reimbursement of income loss for a particular number of months following the data breach and the network’s restoration.
Other Coverage Issues: Cyber liability policies can be customized to meet the specific needs of various organizations. Some of these customizations may include:
Full prior acts for first-time buyers
Automatic additional insured coverage
Amendment of other insurance clauses
Data restoration expense coverage which responds to accidental damage or destruction of data
Separate towers of insurance for specific coverages
Negotiation of vendors for breach response services
In general, cyber risk policies are rapidly evolving to reflect the new cyber risks that organizations constantly face. Carriers are continually updating and revising their policy forms to meet the new reality of a digital world. Policyholders who understand the value of cyber insurance need to know the scope of their coverage, when and how to report a claim, and which vendors will assist them in navigating the perils of a data breach. They also need to closely review all contractual cyber liability requirements with their brokers before signing any contracts, so that they understand those requirements and how their policy will respond to any acquisitions or divestitures.