Understanding Cyber Liability (Part 2)
Cyber insurance is broken into two primary areas: first party and third party coverage.
THIRD PARTY COVERAGE:
Within the third party coverage provided by the insurance carriers, third party claims fall into four specific areas:
Privacy Liability
Network Security
Contractual Liability
Media Liability
Privacy Liability: Privacy liability arises out of an organization’s failure or negligence in preventing unauthorized access to, unintentional disclosure of, or loss of personally identifiable information (PII) or protected health information (PHI) of employees, customers or patients, in violation of a federal, foreign or state privacy law.
Typical examples include:
PII accidentally posted on a website or sent to the wrong party via email, fax or regular mail
Lost or discarded non-electronic records, such as paper files thrown into a dumpster without prior shredding
Lost or stolen electronic records stored on laptops, thumb drives, backup tapes or other mobile devices
Privacy liability may result in third party claims brought by regulatory authorities or by affected customers or patients. Regulatory claims typically arise from the policyholder’s violation of a specific privacy law requiring prompt notification and may result in significant fines or penalties. Because the laws differ across the 47 states that have them (alongside federal laws such as the HITECH Act), policyholders need to be aware that they must comply with each applicable law. For example, a policyholder who experiences a breach and has clients residing in multiple states must determine whether it has a duty to notify each client under the privacy law of the state in which the client lives, rather than the state in which the organization is located. This can be a confusing process that requires the assistance of an attorney who is well versed in the specific privacy laws of each state. Not all cyber risk policies provide coverage for regulatory defense and/or fines or penalties, and those that do may provide such coverage only on a sub-limit basis.
Most privacy laws make a distinction between a data owner and a data holder. For example, under the HITECH Act, a data owner is a “Covered Entity,” which is defined as a health care provider, health plan or clearinghouse that collects PHI directly from a patient. As a data owner, the Covered Entity has a duty to notify each affected patient without unreasonable delay, and in no case later than 60 days after learning that the PHI has been lost, stolen or compromised. However, if a Covered Entity has transferred the PHI to a third party (a Business Associate) for storage or processing (such as a third-party administrator or a medical billing firm) and that third party is responsible for a breach of the PHI, the third party must notify the Covered Entity without unreasonable delay. The third party is considered a data holder and, under the HITECH Act, its duty is to notify the Covered Entity rather than the patients.
It should be noted that under most state and federal privacy laws, notification is generally not required if the data is stored in an encrypted format and the device storing it is lost or stolen, provided the encryption key was not also compromised. Encryption that would not survive regulatory scrutiny (for example, a password-protected file that is not actually encrypted, or a laptop whose key is written on a sticky note in the bag) does not earn this safe harbor.
Contractual Liability: Many policyholders assume contractual liability for the loss or unauthorized disclosure of PII, PHI or the corporate confidential information of their customers. Cyber risk policies typically do not provide any coverage for hold harmless or indemnification agreements. However, some insurance companies may agree to name a policyholder’s clients as additional insureds for any liability the client may be exposed to if the policyholder is responsible for a breach of data in its care. Still other carriers may agree to amend their first party coverage to provide direct indemnification to a policyholder’s customers if a contract requires the policyholder to indemnify the customer for notification or credit monitoring expenses when the policyholder is responsible for a data breach. Each contract that includes a hold harmless or indemnification agreement should be reviewed by the broker and carrier to provide clarity of coverage.
Another aspect of contractual liability arises out of the Payment Card Industry Data Security Standard (PCI DSS). Policyholders who accept credit card payments must sign a Merchant Services Agreement with a Merchant Bank or Card Processor. Such agreements are unilateral, and if a policyholder is found to be PCI DSS non-compliant at the time of a data breach, the policyholder may be contractually liable for the following:
Costs of a payment card forensic investigation (conducted by a PCI Forensic Investigator) to determine whether the policyholder was non-compliant at the time of the breach (this can cost thousands of dollars a day)
Cost to reissue credit cards affected by the breach
Reimbursement of the Merchant Bank or Card Processor for fraudulent charges on affected cards
Payment of fines or penalties levied by the Merchant Bank or Card Processor
Network Security: This involves the theft or loss of PII, PHI or corporate confidential information on a policyholder’s computer system, or on the systems of a third party that is storing, hosting or processing such information on the insured’s behalf (such as a vendor or cloud provider). Network security also includes losses arising from a denial of service attack, a hacking attack, or the introduction of malware or spyware by an outside attacker or a rogue employee. Specific examples include:
Card skimming devices attached to point-of-sale terminals
Malware which captures card data at point-of-sale terminals
Phishing attacks which trick employees into unknowingly downloading software that spreads viruses or malware throughout the policyholder’s computer network, exposing records to outside attackers
Theft of data while in transit (once it leaves the server en route to its destination)
A denial of service attack launched against the policyholder’s network which overwhelms the system and shuts it down, denying use of the network
Media Liability: Media liability coverage may be provided to policyholders to protect them from claims arising from the content on their websites. It is intended to protect them from allegations such as copyright and trademark infringement, plagiarism and product disparagement, as well as some personal injury allegations such as libel/slander, emotional distress or disclosure of private facts. Some policy forms will cover any content posted on social media sites or blogs by an insured, or posted by third parties on an insured’s site(s). While this coverage may overlap the Personal Injury and Advertising Liability found in Coverage B of a General Liability policy, a GL policy’s coverage may be more limited in that some forms exclude content disseminated over the internet, content created for others, or content posted to social media sites. The media coverage provided by insurance carriers varies, and may extend to cover non-electronic media as well (print, public speaking and other forms of dissemination). Coverage does not include patent infringement or theft of trade secrets. Some policy forms may include content negligence, which allows coverage to respond to damages arising from reliance on content that was inaccurately or negligently posted to a website.
FIRST PARTY COVERAGE: Breach Response Expense: Cyber risk policies provide coverage to pay on behalf of, or reimburse, the policyholder for various expenses incurred in responding to a data breach. This coverage includes:
Forensic investigation Expense: Costs to hire a forensic investigator to determine the cause and scope of a data breach
Legal Expense: Costs to hire attorneys to determine whether a breach requires notification under state or federal law and to draft the notification letter, when applicable
Notification Expense: Costs to mail notification letters, set up call centers and handle unreturned mail
Credit Monitoring Expense: Although generally not required by law, coverage is provided for credit monitoring for affected individuals
Crisis Management/Public Relations Expense: Costs for hiring public relations professionals to handle the communications if the breach becomes public knowledge
The breadth and scope of the breach response expenses provided by insurance carriers vary. Some carriers provide a sublimit for each of the above expenses as part of an overall aggregate policy limit. Other carriers provide a sublimit outside the policy aggregate limit. Some carriers provide coverage for the above expenses on a “per affected individual” basis, therefore providing for all notification and credit monitoring expenses up to a specific number of affected individuals, outside the general policy aggregate limit.
Data Restoration Expense: Policyholders may have electronic data or records that are damaged, destroyed, corrupted or lost as a result of a cyber-attack or the actions of a malicious employee. This coverage will reimburse the policyholder for the expense of recreating or repairing the destroyed or damaged data. For example:
A virus downloaded by an employee through a fraudulent email destroys the company’s accounting records. The data restoration expense coverage would reimburse the company for the cost of recreating its accounting files
Cyber Business Interruption: As a result of a network security event, such as a denial of service attack or corruption of the network by malware, the policyholder’s computer network or point-of-sale system may have to be shut down until the system’s integrity is restored. During the shutdown, the policyholder may lose significant profits that it would have earned had the event not occurred. Cyber business interruption coverage will reimburse the policyholder for its lost profits until the system is restored. It may also pay for the operating expenses incurred to restore the network and the forensic expenses to determine the source of the attack. In addition, some policy forms provide limited coverage for contingent business income losses. Such coverage applies if a covered cause of loss shuts down a vendor’s computer network, which in turn leads to lost profits for the policyholder. An example would be a policyholder that depends on a third party to host its ecommerce site: if malware shuts the host down, the policyholder loses sales on the site.
Cyber Extortion: Computer systems may be targeted by criminals who either threaten to shut down a policyholder’s computer network (for example, through a denial of service attack) or who have stolen confidential records and threaten to release them to the public if a ransom is not paid. Even more insidious are “ransomware” attacks, which encrypt data across a policyholder’s network and demand a ransom in exchange for the decryption key. Cyber extortion coverage will pay the ransom (typically only with the insurer’s prior consent) and the associated costs of effecting its payment.
Reputational Harm Coverage: Data breach events can cause significant harm to an organization’s reputation. Many organizations see a significant decline in income following the public’s awareness of a data breach. For example, Target suffered a large drop in revenue the quarter immediately after the announcement of its breach. Some insurance carriers are now offering reputational harm coverage. This coverage begins once the policyholder’s computer network has been restored and provides for reimbursement of the loss of income for a particular number of months following the data breach and the network’s restoration.
Other Coverage Issues: Cyber liability policies can be customized to meet specific needs of various organizations. Some of these customizations may include:
Full prior acts for first time buyers
Automatic additional insured coverage
Amendment of other insurance clauses
Data restoration expense coverage which responds to accidental damage or destruction of data
Separate towers of insurance for specific coverages
Negotiation of vendors for breach response services
In general, cyber risk policies are rapidly evolving to reflect the new cyber risks that organizations constantly face. Carriers are continuously updating and revising their policy forms to meet the new reality of a digital world. Policyholders who understand the value of cyber insurance need to know the scope of their coverage, when and how to report a claim, and which vendors will assist them in navigating the perils of a data breach. They also need to review closely all contractual cyber liability requirements with their brokers prior to signing any contracts, both to meet those requirements and to understand how their policy will respond to any acquisitions or divestitures.