Too often when we have been retained post-breach to respond to a cyber breach emergency, we discover that our client has not purchased appropriate and/or adequate coverage for what should have been, at least in hindsight, readily identifiable cyber risks. Unfortunately, some otherwise sophisticated clients are under the usually mistaken impression that a standard Commercial General Liability ("CGL") policy or a Commercial Crime policy will provide meaningful coverage if a data breach occurs. While in the past arguments for third-party coverage were available under, for example, the advertising injury provisions of older versions of the standard Insurance Services Organization ("ISO") CGL policy forms widely used by insurers, new exclusions added to these policies in 2014 make it much more difficult to obtain coverage for data breach claims made under them. As a general rule, adequate data breach coverage requires the purchase of a separate data breach policy or a data breach endorsement or rider to an existing policy.
When considering data breach insurance coverage, it is important to distinguish between first-party and third-party claims. Pre-2014 CGL policies might cover some third-party data breach claims, e.g., defense costs and indemnification if you are sued by a customer for exposing their data. This is to be contrasted with first-party claims by the insured for reimbursement of the high costs of responding to a data breach—such as hiring data breach counsel, computer forensic experts, a PR firm to provide crisis management services, an administrator for sending legally sufficient notice to those persons and businesses whose data has been compromised, and potentially providing credit monitoring services to the victims. Claims made by an insured for expenses it has incurred in responding to and mitigating liability for a data breach are considered first-party claims, and are not typically covered by most standard CGL policies, which primarily cover third-party claims.
Several of my data breach clients thought they were covered with so-called "cyber breach" policies, but after reading the fine print, the policies provided little if any coverage to reimburse the insureds for the expenses they incurred in rapidly responding to a breach or for their potential exposure to third-party damages claims related to a breach. In short, the policies generally covered risks the companies were unlikely to incur, while excluding or omitting coverage for the likely risks, given the nature of the businesses and the data they held.
While we do our best to "find" some coverage for clients who come to us after a breach has occurred, it should be obvious that the much better practice is to evaluate the adequacy of existing coverage pre-breach. Doing so requires a thorough understanding of the nature of the business, identification of the data at risk and the likely threats to it, and an assessment of the adequacy of the company's data security practices.
One of the services our firm offers is a review of a client's insurance portfolio to assess whether they have reasonably adequate cyber breach insurance coverage considering the nature/size of their business and their financial/legal exposure. While not a substitute for such a review, the following list provides a flavor for some questions that would need to be addressed regarding existing coverage when conducting such a review:
Examples of Data Breach Insurance Coverage Considerations
- Identify data maintained and likely risk areas given the nature and extent of the business.
- Gather and inventory all active insurance policies.
- Look for obvious gaps in coverage.
- Assess data breach coverage, if any, provided by standard policies.
- Do you have a specific "Data Breach," "Cyber Security," "Cyber Risk" or similarly titled Policy, or an Endorsement to another Policy (such as a CGL policy)?
- What are the Data Breach Limits of Coverage? Are they per incident or per claim?
- What is the amount of the deductible/retention for data breach claims?
- What sublimits apply? (This could be the ball game).
- Are defense costs unlimited or included in the limits of liability?
- Does your policy provide for third-party (liability) and first-party coverage – i.e., the policy provides protection to the insured for liability to others and reimbursement for expenses incurred responding to the breach?
- Does your policy apply to claims made or events occurring anywhere in the world?
- Does your policy provide an option to choose your own defense counsel – i.e., option to select duty to defend or reimbursement coverage at policy inception?
- Does your policy provide first-party coverage for computer program and electronic data restoration expenses?
- Does your policy include cyber extortion coverage – i.e., coverage for expenses incurred in dealing with a threatened compromise of your network or data?
- Does your policy include business interruption coverage – i.e., coverage for expenses and lost revenue due to a computer virus or denial of service attack that impairs your computer system?
- Does your policy provide coverage for security breach remediation and notification expenses, including:
  - Management of breach response by counsel?
  - Legally sufficient notification to impacted persons?
  - Purchase of an identity fraud insurance policy?
  - Credit monitoring services?
  - Computer forensics?
- Does the policy provide the option to choose your own forensics expert, or does it provide a preapproved list? (This is important to allow a rapid reaction.)
- Does the policy provide coverage for regulatory fines and penalties?
- Does the policy provide for reimbursement of crisis management and public relations services?
- Does the Policy contain exclusions barring coverage in the event the breach is a result of:
  - Mechanical failure?
  - Failure to maintain a computer network or system?
  - Failure to maintain risk controls?
  - Lack of performance in software?
  - Spyware, cookies or other information collection?
  - Lack of encryption?
This checklist is not exhaustive, and the need for a particular coverage will vary depending upon the nature and extent of the business. The important takeaway: do not wait for a breach to occur before you have the adequacy of your insurance coverage assessed by experienced data breach coverage counsel.