What to Know When Pursuing Coverage For A Cyber/Privacy Breach

During an investor conference call on Wednesday, February 26, Target CFO John Mulligan reported that the highest profile data breach of 2013 cost the retailer $61 million in out-of-pocket expenses during the fourth quarter, of which $44 million was covered by insurance.[1] While Target has not disclosed additional detail regarding the costs insured under any network/privacy policy, this much is clear - Target was successful in pursuing coverage for a significant portion of its existing breach-related losses. Just as placing cyber coverage involves a series of important considerations, pursuing coverage for a cyber breach also requires understanding of the various rights and duties owed by and to insureds under their policies. In this final installment of our series, A Desk Guide to Data Protection and Breach Response, we outline four key considerations that every company should be aware of in pursuing coverage for claims and losses arising out of a cyber/privacy breach.

Notice to the Insurer

In the event of a cyber-attack, and particularly one involving the disclosure of “personal information,” notice to regulators, law enforcement and affected individuals may be mandated by statute. For companies responding to a network/privacy breach, compliance with contractual notice obligations - including those in applicable insurance policies - is also mandatory. Each network security or privacy liability policy contains a section describing the insured’s duties in the event of a claim or loss. Because network and privacy liability policies contain attributes of both first-party and third-party insurance, the insured’s duty to give notice may depend on the type of exposure at issue.

With respect to liability, or third-party, coverage, the insured must invariably give written notice to the insurer “as soon as practicable” after a defined individual or set of individuals becomes aware of a claim or suit. In any event, notice under “claims made” policies must be given during the policy period or an extended reporting period (usually 30-90 days after policy expiration), if applicable. So long as the notice is given within the applicable policy/reporting period, the insurer may have to show prejudice to deny coverage on the basis of notice that is otherwise not given “as soon as practicable.”

Most policies will also allow the insured to give notice of a potential claim or circumstances likely to give rise to a claim, with the understanding that a future claim will be deemed to have occurred at the time the original notice was given, even if the potential claim is made after the expiration of the noticed “claims made” policy. Because future policies may not insure claims about which the insured was or should have been aware at the time the future policy is placed, companies should also carefully determine whether circumstances exist that are likely to give rise to a claim and report appropriately before existing coverage and notification periods expire. This decision should be made in consultation with counsel to the extent that notification of a potential claim could have implications for the insured’s liability in a future claim.

Depending on how broadly the term “claim” is defined in a given policy, policyholders must be careful to provide notice of “claims” that may not intuitively merit reporting to the insurer, including regulatory actions and any demand for monetary or other relief. Policyholders should also consider which individuals’ knowledge will trigger reporting obligations under an applicable network security or privacy liability policy and plan accordingly to ensure that information flows appropriately from those with critical knowledge to those with responsibility for giving notice to the insurer.

With respect to first-party coverage, a policyholder’s notice obligations may be triggered by one or more individuals’ awareness (or reasonable belief) that an event, injury or wrongful act, as opposed to a claim or suit, has occurred. Notice requirements for first-party coverage may also include the obligation to alert law enforcement and to document the insured’s loss in a “sworn proof of loss.” As with third-party coverage, policyholders seeking coverage for first-party exposure should know which persons’ awareness and which events require notice to the insurer.

Timely compliance with a network and privacy liability policy’s notice provisions is important and should be part of the company’s breach response plan (to read more about breach response plans, see our prior installment here). If a company is reliant on third-party contractors to facilitate network security, policyholders should demand or otherwise ensure that appropriate notice is given under policies that cover the company as an additional insured or may provide a source of redress for damages sustained in a cyber-attack.

Selection of Counsel & Forensic Investigators

When a data breach occurs, the benefits afforded under a network security or privacy liability policy may include the retention of legal counsel as well as forensic investigators to identify and respond to the cause of first-party and third-party loss. In connection with these benefits, disputes may arise regarding the choice of the counsel or consultant to be retained. With respect to counsel, in most cases, the insurer assumes no duty to defend under a network and privacy liability policy. The insured typically retains the right to select counsel, although the policy language may also give the insurer the right to consent to defense costs incurred by the insured. In other cases, depending on the policy terms, the insurer may in fact have a “duty to defend,” and a concomitant right to select counsel, or have designated pre-approved panel counsel from among whom the insured is contractually required to choose for its defense.

After receiving notice from an insured of a third-party claim, the insurer generally has three options: (1) accept coverage without qualification; (2) deny coverage outright; or (3) issue a reservation of rights identifying potential issues that may affect coverage for indemnity while agreeing to pay for the insured’s defense. Many jurisdictions have long recognized that when an insurer has asserted coverage defenses that overlap with the facts that are to be adjudicated in an underlying claim or suit, defense counsel selected by the insurer has a conflict of interest that justifies the insured in retaining independent counsel to be paid for by the insurer. If and when disputes arise regarding the right to select counsel, policyholders should review the insurer’s “reservation of rights” carefully to determine whether a disqualifying conflict of interest exists, entitling the insured to select the lawyer of its choosing to defend the claim or suit.

With respect to experts and consultants, policyholders may be obligated by contract to undergo a forensic investigation upon discovery of a data breach. Particularly, if the breach involves unauthorized access to payment card information, the major payment card brands may contractually require an investigation by a forensic investigator pre-approved by PCI Security Council, which consists of representatives from the card brands. The insured may elect to perform its own investigation, and may seek coverage for the cost of that investigation from a network security or privacy liability carrier. The insurer responding to notice of a breach under a cyber/network security or privacy policy may insist upon the retention of a select group of forensic consultants with whom the insurer has negotiated reduced rates. If there are unresolved coverage issues, the policyholder should again consider whether a disqualifying conflict exists that would enable the insured to select its own independent consultant to be paid for by the insurer. Alternatively, if the insurer does not identify any coverage issues before pursuing an investigation using its own “panel” consultant, the question becomes whether the insurer waived coverage defenses if the results of the investigation would otherwise prejudice the insured.

Protecting Privileged Communications

Communications made in responding to a network or privacy breach are important. Characterizations, whether well-founded or speculative, of events and circumstances relating to the breach, including whether personal information has been compromised, when the breach occurred, and when it was discovered, may have significant implications for the policyholder’s liability to third parties and its insurance coverage. Ideally, the insured’s data breach plan will include some procedure to control the flow of external communications regarding the breach. When appropriate, counsel should be engaged early to ensure that specific communications, including those made in anticipation of litigation or otherwise entitled to privilege, are controlled.

As a general proposition, materials prepared and communications made in anticipation of litigation, including communications with an “insurer,” may be protected from disclosure as “work product.” In some jurisdictions, communications between an insured and its liability insurer regarding a matter of common interest between them are deemed privileged. In other jurisdictions, this “common interest privilege” does not extend to communications with an insurer that is not a party in pending litigation. Moreover, given the dual nature of network security and privacy liability policies in insuring both third-party and first-party claims, some communications between the insured and its cyber insurer may not qualify as being made in anticipation of litigation. Policyholders and their counsel should be aware that communications with a network and privacy insurer may not be protected from disclosure to third-party claimants or regulators and should act accordingly (particularly when unresolved coverage issues remain between the insurer and its insured).

Do Not Overlook Traditional Insurance Coverage

Even for those policyholders benefitting from a dedicated network or privacy liability policy, pursuit of coverage for a data breach should include consideration of the recovery potentially available under more traditional policies, including general/E&O/D&O liability insurance, commercial property insurance, and crime/fidelity insurance.

Commercial general liability (“CGL”) insurance typically contains two principal coverage parts, A & B. Coverage A insures sums that the insureds become legally obligated to pay as damages because of “bodily injury” or “property damage” caused by an “occurrence” during the policy period. Coverage B typically insures sums that the insureds become legally obligated to pay as damages because of “personal and advertising injury” caused by various enumerated “offenses” committed during the policy period, including false arrest or imprisonment, malicious prosecution, wrongful eviction, slander, libel, business disparagement, publication that violates a person’s right of privacy, use of another’s advertising idea in an advertisement, or infringing on another’s copyright, trade dress or slogan.

In some circumstances, “property damage” may arise out of a cyber breach. Moreover, Part B’s specific coverage for “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” may apply to a data breach that results in the “publication” or disclosure of customers’, employees’, or other parties’ private, personally identifiable information.

Commercial property insurance generally provides coverage for all risks of direct physical loss or damage to real and personal property, subject to exclusions. The loss of use of computer hardware and even data caused by a cyber-attack may qualify as direct physical loss, and the resulting damage, including business interruption, may be covered by a traditional commercial property policy, subject to the particular terms and exclusions that may be found in any given policy form. Likewise, the loss of an insured’s product, the theft of trade secrets or other personal property in a cyber-attack may also result in physical loss or damage triggering coverage under a commercial property policy. Physical damage to property, such as the damage reported to a water pump from a cyber penetration at an Illinois utility in 2011,[2] would also fit within the coverage traditionally afforded by a commercial property policy.

While crime and fidelity insurance usually excludes coverage for the loss of intellectual property and there may not be coverage for the theft of personal information or other intangible data from a cyber-attack, policyholders faced with a data breach should not overlook the potential for recovery under such policies. Even some quasi third-party liabilities directly resulting from the theft of customer information may be insured under a crime policy under recent authority.