Much already has been written about the August 24, 2015 ruling by the Third Circuit Court of Appeals in Federal Trade Commission v. Wyndham Worldwide Corp. et al.  No. 14-3514, slip op. at 47 (3rd Cir. Aug. 24, 2015).  This ruling has numerous implications for companies’CIOs, compliance officers, and information security professionals.  However, there are also important insurance coverage implications of the Wyndham ruling.  There is no such thing as “standard” cyber-insurance, and companies should ask a lot of questions about their coverage in any event.  The Wyndham case prompts another – to what extent are you insured for cyber-related regulatory actions?

In the Wyndham ruling, the Third Circuit affirmed the authority of the Federal Trade Commission to pursue an enforcement action against Wyndham for unfair or deceptive trade practices under 15 U.S.C. § 45(a), for Wyndham’s alleged failure to make reasonable efforts to protect consumers’ private information.  The ruling was in the context of a motion to dismiss, so it is not clear that Wyndham’s actions/inactions actually will be deemed an unfair or deceptive trade practice by the courts.  FTC enforcement of alleged cybersecurity failures that lead to breaches of consumers’ personal information is not new.  The FTC has been pursuing these enforcement actions for years, having obtained consent orders against target organizations in all but two cases..  However, the Court has now laid out a potential standard for the FTC to follow when bringing these actions, holding that “a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes unsuspecting customers to substantial financial injury, and retains profits of their business.”  Wyndham, slip op. at 17.  Such a broad standard invites a review of a company’s information security processes any time there has been a substantial breach and quite possibly when there has been no breach at all.

In addition, the FTC’s power traditionally has been asserted aggressively when individual consumer actions do not provide sufficient disincentives.  As many have written, consumer data breach class actions often are hamstrung by an inability to articulate any substantial damages arising from the breach.  In this landscape, as Alison Frankel notes, “[b]usinesses might well conclude under cost-benefit analysis that it’s less expensive to settle consumer class actions than to spend the money to protect consumers’ personal information.”  Therefore, the Wyndham ruling, as well as the consumer class action landscape, likely will lead to bolder and more expansive FTC investigations of companies’ data breaches and security programs.  Indeed, the FTC responded to the ruling by issuing a press release stating that “it is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”  Many expect the FTC to expand its enforcement efforts substantially in the wake of the Wyndham ruling.

In this risk landscape, do companies have sufficient insurance to cover regulatory actions?  Most cyber-insurance products are marketed and underwritten, and procurement decisions often are made, based on the aggregate limits the carrier is willing to offer the policyholder.  However, we recommend that C-suite leaders dig deeper into their coverage and focus on more than the aggregate or overall policy limit, because most cyber products we have seen provide much more limited coverage for regulatory actions..

First, some of the early cyber-policies and traditional liability policies, contained no apparent coverage for regulatory actions at all.  Even now, some cyber-policies offer regulatory coverage only through an add-on endorsement that must be purchased on top of a standard-form policy that contains a regulatory exclusion.  When coverage is added by endorsement, there often are ambiguities and mistakes because the endorsement, which may be manuscripted rather than standard-form, may not line up perfectly with the underlying policy form.  For example, endorsements may replace entire provisions when they should have been amended, or vice versa.  In the D&O insurance context, such endorsements were a common way to provide regulatory coverage when the amount of regulatory risk differs substantially by company and industry.  In the cyber context after Wyndham, however, all companies should anticipate increased  regulatory risk, and should beware of such policies that treat regulatory coverage as an add-on.

Second, watch out for exclusions that specifically apply to certain alleged violations of statutes or regulations.  For example, it is not uncommon for policies to exclude violations of the Telephone Consumer Protection Act.  If such exclusions broadly are written to include “other deceptive trade practices” or “similar consumer protection laws,” and are interpreted by the carrier to apply to 15 U.S.C. § 45(a), carriers might argue that FTC actions against the company are excluded.

Third, take a close look at the policy’s definition of “claim.”  Cyber-insurance liability coverage usually is triggered by a “claim” made against the policyholder.  Even when the “claim” definition encompasses a regulatory “proceeding,” it may be limited to “formal” proceedings and actions “commenced by the filing of a notice of charges, formal investigative order or similar document.”  When the definition does not explicitly include informal regulatory investigations and actions, insurance carriers often deny claims for the costs to defend informal inquiries or conduct internal investigations, even when there is no regulatory exclusion in the policies.  In the D&O context, courts have reached different results when such a denial is litigated.  Compare MBIA, Inc. v. Federal Insurance Co., et al., 652 F. 3d 152 (2d Cir. 2011) (holding that regulatory investigation was covered) with Office Depot, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 734 F. Supp. 2d 1304, 1310 (S.D. Fla. 2010) (holding that regulatory investigation was not covered).

Fourth, regulatory coverage may be limited to defense costs, as opposed to also covering fines and penalties.  Traditionally, fines and penalties often were not covered under liability insurance policies.  Insurance policies usually cover “Loss,” which would be defined to include judgments, settlements, and defense costs, but not taxes, fines, and penalties.  This trend is changing slowly, with many policies now providing coverage “to the extent insurable under the applicable law.”  However, not all cyber policies provide this coverage.

Fifth, in addition to, or rather than, fines and penalties, the FTC often seeks injunctive remedies, such as requiring companies to submit to security audits for a period of twenty years.  Such remedies obviously cause companies to incur significant costs, yet the “Loss” definition of many cyber policies is also written to exclude such relief.  For example, one policy on the market excludes from the “Loss” definition “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured” and “any costs incurred by any Insured to comply with any order for injunctive or other non-monetary relief, or to comply with an agreement to provide such relief.

Finally, and perhaps most overlooked, cyber policies often limit regulatory coverage by imposing “sublimits” that drastically reduce the amount of coverage for regulatory claims as opposed to coverage available for private civil actions.  In some policies, the regulatory sublimits may be a quarter, or even a tenth, of the aggregate limits.  These sublimits could apply equally to defense costs and to fines/penalties, or there could be a separate sublimit for each.  Compounding this phenomenon, many excess cyber policies provide that they do not drop down to cover liability that has been sublimited.  Therefore, the company could have, for example, $20 million of cyber “limits” in the aggregate, but only $1 million to cover the defense of a regulatory action/investigation.

Therefore, there is a substantial regulatory risk facing companies these days on the cyber-security front, the scope of which is not yet entirely defined.  The cost-benefit analysis of this risk should consider the amount of regulatory coverage actually provided by the company’s cyber-insurance policies.  Companies should carefully review their policies to make sure they have adequate coverage for what appears to be growing regulatory cyber risk.