On October 12, 2015, Nossaman and UC Irvine hosted a Cyber Symposium at the City Club in Los Angeles. The event included four panels of Nossaman lawyers, UCI professors, and private professionals who are experts in the areas of privacy and data security. I served on an insurance panelthat discussed concerns when securing insurance in this area. My panel also included Jeff Schermerhorn from Lockton, who described the evolving policy forms and markets, and Tim Thornton of Gray Duffy, who spoke about the scope of cyber insurance coverage. UCI insurance law Professor Shauhin Talesh moderated.
The panel covered evolving coverage forms, pitfalls to avoid in applying for coverage, and a recent California court decision that addressed an insurer’s efforts to recoup the funds it spent defending and settling a class action filed against a health care provider when its computer system was hacked and patients’ private medical information was exposed, Columbia Casualty Co. v. Cottage Health Systemcase no 2:15-cv-03432 (C.D. Cal). Columbia Casualty demonstrated how an insurer is likely to respond to a claim – with an abject denial based on the insured’s purportedly erroneous insurance application.
One important takeaway from Columbia Casualty is that cyber policies are negotiable and often include a variety of services that may be needed in the event of a cyber breach. Specifically, provisions to consider when obtaining cyber insurance:
First Party Loss
Privacy event expenses. This covers the cost of investigating a data breach, notifying the affected customers, and providing credit monitoring.
Cyber Extortion. Coverage to respond to an extortionist’s demand for money in exchange for not damaging a company’s data or network.
Data Recovery. Coverage for experts to restore or recover data lost after an attack.
Network Interruption & Extra Expense. Reimbursing lost income or expenses associated with restoring operations when your business goes down.
Third Party Liability
Technology & Professional Liability. Coverage to defend and indemnify lawsuits for negligence related to cyber breach.
Media. Defending and indemnifying policyholers when sued for media related torts (libel, slander) in corporate “speech.”
Privacy Injury. Defending and indemnifying lawsuits by parties claiming a breach of privacy because of a data breach.
Network Damage. Coverage for lawsuits by a party for damaging its network when hacked.
Privacy Regulation Proceeding. Coverage for regulatory actions arising out of a data breach or hacking event.
Although standard CGL, E&O, and D&O policies may already provide some of these coverages, you can bet insurers will insert cyber-breach exclusions into those policies or find ways to contest coverage. Because of that, and the evolving forms of coverage, any business considering the purchase of cyber policies should consult knowledgeable coverage counsel to negotiate the most favorable terms.