This post is the second in a series that will discuss discrete issues that arise in cyber insurance. For the first installment, click here: http://www.insurancepolicyholderadvocate.com/?p=818
A wide variety of regulatory authorities, both public and private, assert jurisdiction over some aspect of data privacy, data security, and network vulnerability. Here, we address some of the common issues that arise in the context of fines and penalties imposed by governmental authorities as a consequence of a data breach. (In a separate post, we will address “fines” imposed on member banks and/or merchants with respect to violations of Payment Card Industry Council security standards.)
This post is confined to a situation in which the policyholder is, itself, assessed with a fine or penalty, or is forced to undergo a governmental investigation. A policyholder also could cause another entity to be assessed with a fine or penalty. For example, if a network design firm negligently designs security controls, leading to an incident in which its customer is fined, then the design firm might be sued, and the fine is likely to be part of the damages claimed against the design firm. In such a case, the fine would be treated as “compensatory damages” sought against the design firm, and the limitations on fines and penalties coverage would not apply.
A variety of governmental agencies have the ability to investigate data security breaches and to issue fines and penalties. Here are a few examples:
- The Federal Trade Commission has used its power under the FTC Act, 15 U.S.C. § 45(a), and other statutes to regulate unfair or deceptive acts relating to data security and, in January 2014, the FTC concluded its 50th data security settlement. The FTC is actively lobbying Congress for more authority to impose civil penalties for data breaches.
- The U.S. Department of Health and Human Services and state attorneys general enforce the penalty provisions of HIPAA, 42 U.S.C. § 1320d-5, under which penalties can be millions of dollars for data breaches relating to protected health information.
- The Federal Communications Commission recently fined telecommunications providers millions of dollars for violating the privacy requirements of the Communications Act of 1934, as amended, 47 U.S.C. § 222.
- State insurance commissioners (often working together) actively investigate data breaches involving insurance companies.
Example Policy Terms
Insurance coverage is available for fines and penalties. A popular form of cyber insurance includes, as an item of covered loss:
[C]ivil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, unless the civil fine or penalty imposed is uninsurable under the law of the jurisdiction imposing such fine or penalty.
Another popular policy form provides coverage for “Penalties,” defined as:
[A]ny civil fine or money penalty payable to a governmental entity that was imposed in a Regulatory Proceeding by the Federal Trade Commission, Federal Communications Commission, or any other federal, state, local or foreign governmental entity, in such entity’s regulatory or official capacity; the insurability of Penalties shall be in accordance with the law in the applicable venue that most favors coverage for such Penalties.
Based on these definitions (which are typical), several features are prominent:
- The fines or penalties must be “imposed by” a governmental agency.
- The fines or penalties must be insurable under the applicable law.
- The fines or penalties must be paid to a governmental entity or to a consumer redress fund.
A looming question in the case of insurance for fines and penalties is whether such items are legally insurable at all, even when the policy language expressly provides coverage for them. As with the insurability of punitive damages, there is no uniform view. However, one can make several general observations:
- Fines or penalties that are based on intentional or willful conduct are likely to be challenged by the insurer based upon public policy arguments.
- Fines or penalties that are “punitive” in nature are more likely to be challenged by the insurer than those that are “compensatory” in nature.
- Penalties that are assessed vicariously against a policyholder (such as when a corporation is held liable for an unauthorized act of its employee) are less likely to be challenged.
Case law exists under a variety of statutes, and in a variety of state and federal jurisdictions, that assesses whether particular fines or penalties are punitive or compensatory, or are insurable. Cyber policies address insurability through choice of law and choice of venue. As can be seen from the example language quoted above, there are two basic approaches:
- One version permits coverage except to the extent that the law of the jurisdiction imposing the penalty forbids such coverage;
- The other version permits coverage so long as the most favorable applicable venue permits such coverage.
Under conventional choice of law procedures, an “applicable venue” is likely to be one that has some sort of relationship to the parties or to the underlying facts. A standard provision for punitive damages directs that the applicable law is “the law of the jurisdiction most favorable to the insurability of such [punitive] damages, provided such jurisdiction has a substantial relationship to the relevant Insured, to the Company, or to the Claim giving rise to the damages.” This type of formulation appears to provide more flexibility for coverage of such penalties than one in which the penalty-imposing jurisdiction is selected.
Defense Costs and Investigative Expenses
It is important to note that policies that provide cyber insurance for fines and penalties typically will also provide coverage for certain costs incurred in connection with a governmental investigation and pursuit of a claimed violation. A typical formulation is that the insurer agrees to pay:
Claims Expenses and Penalties in excess of the Retention, which the Insured shall become legally obligated to pay because of any Claim in the form of a Regulatory Proceeding.
“Claims Expenses” includes “reasonable and necessary” attorneys’ fees, as well as all other legal costs, but excludes the insured’s internal costs, such as salary and overhead. “Regulatory Proceeding” is defined as:
[A] request for information, civil investigative demand, or civil proceeding commenced by service of a complaint or similar proceeding brought by or on behalf of the Federal Trade Commission, Federal Communications Commission, or any federal, state, local or foreign governmental entity in such entity’s regulatory or official capacity in connection with such proceeding.
Defense costs and investigatory expenses can amount to a substantial sum, and therefore this coverage can be quite beneficial. It also is important to realize that defense and investigatory costs are not subject to the question of insurability, even if the ultimate fines or penalties must undergo such scrutiny.
Insurance for certain fines and penalties imposed in the context of cyber breaches is widely available and can be a useful part of a risk mitigation plan. Likewise, coverage for the defense and investigative expenses incurred during a regulatory action also can substantially defray the economic impact of such a proceeding. However, such coverage implicates questions of law that are not directly specified in policy terms, and therefore a policyholder may wish to consult knowledgeable personnel in their corporate risk and legal departments, along with their other professional and legal advisors.