Understanding Cyber Liability (Part 1)
Beginning with California's data breach notification law, the first of its kind, which took effect in 2003, more than 47 states and the federal government have passed data privacy laws across the United States. These laws require every organization to secure its customer data against unauthorized disclosure or theft, or face potentially significant fines and penalties. No organization is immune from a data breach, and the state and federal laws make no distinction between non-profits, public entities, schools, universities and privately or publicly held corporations, nor do they consider the size of the organization.
As more customer and patient information is stored electronically, either within an organization or by third parties on its behalf, organizations of all sizes are victimized with alarming frequency by the loss or disclosure of data stemming from errant emails, lost or stolen laptops, malware, hacking or any number of other cyber-attacks. As a result, organizations must react quickly to comply with the notification requirements of the privacy laws (at great financial and reputational cost) and respond to potential litigation from customers or patients. This is in addition to the threat of business interruption from these attacks, which can result in lost profits and in the damage or destruction of electronic records that must then be restored or recreated.
Cyber insurance was created to meet the financial impact of these ever-growing risks, which face any organization that collects, processes, transmits or stores customer data (or data on behalf of others), because traditional insurance policies do not provide the protection needed to safeguard the corporate balance sheet.
Traditional insurance policies fall short in the following areas:
General Liability: GL coverage responds to bodily injury and property damage suffered by a third party. In a data breach there is no direct bodily injury or property damage, as the data is merely stolen or disclosed in an unauthorized manner. However, GL policies include Coverage B, Personal and Advertising Injury, which offers protection for "oral or written publication, in any manner, of material that violates a person's right of privacy". Some carriers may respond under this coverage to a third-party claim alleging a privacy violation, but the coverage is very limited and often contested by the carrier. Increasingly, carriers are adding express data breach exclusions to their policies.
Property: Property coverage may respond if an electronic data endorsement is included, but such an endorsement covers only the replacement of destroyed or corrupted data.
Commercial Crime: Commercial crime policies exclude loss arising directly or indirectly from theft of confidential information.
Directors and Officers Liability: A D&O policy may respond to third-party claims arising out of a data breach. Much depends on the exact nature of the allegation and whether it falls within a policy exclusion. The typical emotional distress allegation is excluded.
Errors or Omissions Liability: E&O policies provide protection for wrongful acts committed in the conduct of the Insured's "professional services" performed for others for a fee. In general, if protecting a client's data is part of the service, the policy may respond, absent a specific exclusion.
None of the traditional coverages noted above provides coverage for the first-party expenses (such as notification and credit monitoring) a policyholder may incur as a result of a data breach, with the sole exception of the property endorsement noted above. Because of these limitations, insurance carriers created "cyber risk" coverage to protect policyholders from both third-party claims and first-party expenses arising out of a data breach. The term "cyber insurance" is often confused with "privacy coverage": the former historically focused on services related to technology and/or media exposures, while the latter addressed violations of privacy laws relating to sensitive personal information. Today's insurance policies use the two terms interchangeably.