As Written For InsideCounsel
Experiencing a security breach is a bit like being on the titanic and feeling the tremble from hitting an iceberg. The impact sparks immediate panic - you know something very bad has just happened but are unsure whether the damage is superficial or if the c-suite needs to begin prepping the lifeboats. Among the many factors that can determine the difference between manageable repair and crisis control is the potential for regulatory action – that potential has grown significantly. What began with the FTC and more basic security standards has since grown to a long list of regulators with expanding security requirements and regularly issued risk alerts. As a result of the increased enforcement, the “regulatory defense and penalties” insuring agreement among cyber policies is poised to become a coverage of much discussion and careful critique. As is always the case with professional and management liability policies, coverage terms vary significantly requiring careful review. We pulled approximately 15 policy specimens from the top cyber insurers and analyzed their scope of regulatory coverage to determine the range of differentiation and compile a list of recommendations based on standard marketplace language.
A typical regulatory insuring agreement provides coverage for:
“….Claim expenses and regulatory damages that an insured incurs responding to any regulatory proceeding first made against the insured and reported during the policy period resulting from a privacy or security wrongful act…”.
Our analysis began with an assessment of the insuring clauses and definitions.
- Claims Expenses, Regulatory Damages and Duty: Surprisingly, approximately half of the policy specimens we reviewed contained “non-duty” to defend and reimbursement language. As such, insureds and their advisors should ensure that policies are carefully reviewed and written on a” duty to defend” basis with “pay on behalf of” agreements. In addition, policies should also affirmatively provide coverage for contributions to any consumer redress funds established for harmed consumers.
- Fines and Penalties: Cyber policies should affirmatively provide coverage for regulatory fines and penalties with “most favorable jurisdiction” wording. Regulatory fines should also include fines and penalties imposed by equivalent foreign governments. Due to the fact that coverage for fines and penalties is readily available in the cyber marketplace, brokers and their insureds avoid placement of any policies that: 1) specifically exclude coverage for fines/penalties, 2) are silent on such coverage, or 3) restrict fines/penalties solely to PCI fines. Some carriers contain additional language that specifically preclude coverage for PCI fines, fines and penalties that are “assessed by self-regulatory organizations”, and/or those that are “compensatory in nature” – such language should also be avoided.
- Insured: While more of a best practice recommendation for tailoring professional and management liability policies, insureds should perform a careful organizational review to ensure that definitions appropriately include the entity, any foreign or domestic subsidiaries for whom coverage is intended, and any current, past or future CSO’s, CIO’s, CCO’s, etc. The inclusion of named principals/executives in cyber regulatory actions further emphasizes the importance of performing a careful review.
- Regulatory Proceeding: In order to ensure that coverage can be triggered as early in the claim process as possible, any definition of “regulatory proceeding” should be inclusive of: requests to produce documents, investigative demands, and regulatory proceedings. Cyber policies that require receipt of a formal suit to trigger coverage should be avoided. Insureds and their brokers should pay close attention to the term formal and its context within the definition – for example, is coverage only provided for investigations at the formal stage?
- Privacy Incident & Network/Security Wrongful Acts: When defining insurable acts, many cyber insurance policies separate wrongful acts into 2 categories, “Network Security Wrongful Act” and “Privacy Wrongful Act”. Purchasers should seek broad definitions of both, and ensure that the definitions are not limited solely to privacy events/breaches which expose PII or “failure to disclose” privacy incidents – these are just a few of many acts that should be included. In addition to the standard schedule of wrongful acts which include “violation of privacy regulations” and “unauthorized disclosure of information” (among others), companies should seek cyber policies that also extended to include more broadly defined acts, such as:
- Unauthorized access or use of insured’s computer system
- Unintentional violation of insured’s documented privacy procedures or policy
- Failure to reasonably implement privacy or security policies as required by law or regulations
Policies should also affirmatively provide coverage for wrongful acts related to the exposure/protection of PHI (personal health information) and CCI (corporate confidential info). Lastly, due to the increased frequency of outsourcing and the potential for bad actors, “wrongful acts” should also include acts committed by service providers and rogue employees.
- Computer Systems: Some policies define “computer systems” as those owned, leased by, or in the direct control of the insured – such language may restrict or limit the ability of coverage to respond to privacy events/breaches that affect data in the possession of a business service provider. Due to the fact that many companies today employ some form of outsourcing for data processing/storage, definitions of “computer systems” should be inclusive of those owned, rented or controlled by service providers or outside vendors. On a side note, organizations should also have established, documented vendor qualification cyber policies in place both to minimize the likelihood of an event and to comply with regulators’ increasing cyber requirements.
- Unfair Or Deceptive Trade Practices: The “deceptive trade practices exclusion” is a common exclusion, contained in just about all cyber policies. In short, among other wrongful acts, it excludes coverage for; any actual or alleged deceptive or unfair trade practices, and violations of the FTC Act. In order to ensure that coverage will be available for FTC cyber enforcement actions asserting privacy violations and/or deceptive acts, companies should ensure that any such exclusion contains exceptions for:
- Claims covered under the regulatory insuring agreement
- Claims resulting from privacy events or unauthorized disclosure of information.
It should be noted that one insurer maintained a very specific carve back for identity theft red flags issued by FACTA. In addition to this particular exclusion, many policies contain governmental or privacy-violation related exclusions which also have the potential of compromising coverage for regulatory actions. Any such exclusions should be carefully read and assessed to ensure that they contain proper “exceptions” for the items mentioned above, when necessary.
- Failure To Disclose: As mentioned in our above review of the wrongful act definition, policies should provide coverage for claims resulting from the failure to disclose a breach in accordance with breach notification laws. Policies that either 1) do not include such an act in their definition of wrongful acts, or 2) contain an explicit exclusion for such acts, should be avoided. Of the roughly 12 policies we reviewed, only 2 contained explicit exclusions for the “actual or alleged intentional failure to disclose the loss of personal information”.
- Unauthorized Collection Of Consumer Information: The collection (and use) of consumer information continues to be a topic of much interest to the FTC. The “unauthorized collection of information” exclusion is a fairly common exclusion among cyber policies, however it should be noted that some policies contained no such clause. When capable, insureds should avoid policies containing this exclusion. In situations where exclusion avoidance is not possible, insureds and their brokers should review the language carefully, paying attention to how the definitions differentiate the below:
- Type of Information: Is the exclusion restricted only to the collection (or use) of PII (personally identifiable information) or is the exclusion inclusive of a broader range of information such as PHI (personal health information) and CCI (corporate confidential information)?
- Unauthorized Definition: How does the policy define “unauthorized collection”? Is it limited to unlawful collection or does it include harder to define terms, which should be avoided, such as surreptitious collection?
- Unauthorized Acts: How does the policy define the unauthorized acts? Some policies preclude coverage solely for the unauthorized use of such information while others preclude coverage for the acquisition, collection, use of, and sharing of information. Broader definitions may also include “failure to provide timely notice that such information is being collected” and improper practices regarding “opt-in” and “opt-out” agreements.
Lastly, exclusions should contain appropriate severability language, preserving coverage for innocent insureds, with only the CFO/CEO’s knowledge being imputed to the entity. Carve backs should also be included for acts committed by rogue employees and service providers alike. Language such as “collection of information…..by others on your behalf” may have the potential of precluding coverage for wrongful acts committed by service providers or rogue employees. Companies looking for more information on cyber liability insurance should visit our guide here.