Learning from Target: Insurance Coverage for Data Breaches
Privacy and Information Security Alert
Cyber liability is a clear and present danger. Target Corp. recently reported at least $235 million as gross expenses related to its 2013 data breach. Fortunately, Target was able to recover $90 million of that loss under insurance coverage dedicated to cyber liability.
Target’s experience is the most recent wake-up call on this front, and business executives should be evaluating what protection they have against this potentially enormous risk, one that can rear its head in many forms (e.g., laptop loss, hacking, and employee theft). A significant piece of that risk analysis should include consideration of available insurance coverage.
Insurance protection for cyber risks may be available in one of two forms. First, cyber liability policies are becoming available on the market and can offer a tailored layer of protection. Second, coverage may be available under more traditional insurance products (e.g., Commercial General Liability (“CGL”), Directors & Officers (“D&O”), or crime/fidelity policies).
Now is the time to start considering cyber coverage if your business does not already have it. There are numerous forms available in an ever-changing market, and the industry is designing these products to address the unique risks that arise in this context. For example, one of the largest risks related to cyber liability is exposure to regulatory investigations and inquiries. Insurers on traditional policies may argue that the costs of a regulatory investigation are not covered, and a cyber liability policy should provide more certainty on that issue. Insurance professionals can provide access to the various markets and advice on the differences between certain products.
If evaluating cyber coverage, keep in mind that care in the application process may be critical. Most cyber insurers will ask a series of detailed questions about the current status of your data protection system, and it is important to read and answer these questions with caution. Many of the cyber policies will include harsh exclusions related to any perceived misrepresentation in the application process, and most experts anticipate the industry may rely heavily upon these exclusions in the face of future claims. The cyber policy you pay for may prove worthless if questions later emerge about the veracity of the underwriting process, so make sure all questions are understood and answered correctly.
There should also be room for negotiation on these policies. As always, reading the policy form before agreeing to it is critical, and any questions should be raised up front. The offering insurers or their agents should provide clarification relative to any ambiguities, and clarifying endorsements may be particularly helpful on these new products.
There will certainly be coverage fights as cyber policies start responding to claims, and the courts will need to provide direction and clarification. That said, any company with concerns about data breach exposure should explore these products.
Coverage Under Traditional Policies
Many businesses will face a data breach loss without cyber coverage and may wonder whether all is lost. Fortunately, some more traditional insurance may provide coverage for data breaches, and there is a developing body of case law that provides some guidance. For example, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals held that an insured’s loss of a computer tape containing third-party data constituted “property damage” under the standard CGL definition. As another example, CGL policies typically provide coverage for invasion of privacy, and the Ninth Circuit, in Netscape v. Federal Insurance Company, applied that language to find coverage for Netscape related to allegations that it was employing software that improperly collected user information. Other courts have examined similar issues and have denied coverage based on interpretations of the relevant policy language.
Most importantly, your business’s current insurance portfolio should be carefully considered in the event of a loss. Even policies that you might not expect to provide coverage could be responsive to the claim. Notice should be provided to any potentially applicable policies, and any coverage denials should be given scrutiny by someone with coverage experience on your side of the issue.
Finally, be aware of the recent endorsements being offered by the Insurance Services Office (“ISO”). The industry is unlikely to admit that prior traditional policy forms are unclear in any way, but ISO has obtained approval in almost every state for a series of endorsements that seek to expressly exclude any coverage for cyber liability under traditional policy forms. Courts will need to interpret these endorsements over time, but policyholders should be given an opportunity to have a complete understanding of their impact before agreeing to add them to their policies. If presented with anything that looks like an exclusionary endorsement, ask questions of your insurance professional.
The takeaway here is that cyber liability can no longer be ignored. Insurance coverage for this threat is an important part of any risk management plan. If your business has not yet suffered a loss, consider protection for the future. If you have suffered a loss, determine what protection you may already have and consider strengthening your cyber coverage.
Alex Purvis is a member of the Firm’s Policyholder Insurance Coverage Team and lends his insurance knowledge to BABC’s Privacy and Information Security Team, which helps clients minimize the risk for data breach and comply with the myriad of laws in force for all such organizations, large or small. The team advises clients on prospective risk avoidance through review and analysis of privacy programs, data policies, and drafting and negotiating third-party service provider contracts. Upon the occurrence of a data breach or attack, the team guides clients and protects them through the resulting investigatory, reporting, and disclosure stages, as well as any public relations and liability exposure.