Overview

With the proliferation of regulations governing data security and privacy, and near-daily news reports of computer hacking and privacy breaches, it has become imperative for companies that handle sensitive information to insure themselves against data security and privacy claims and investigations. In recent years, a large market has evolved for insurance that is specifically designed to cover these risks – marketed under names like “privacy breach insurance,” “network security insurance,” and “cyber-liability insurance.” Financial institutions, health care companies, retailers and wholesalers, professional service and data management firms, media and technology companies, and others that handle legally protected information increasingly view this new kind of insurance as a cornerstone of their risk management programs.
Despite the increasing demand for data security and privacy insurance, every insurance company has its own unique policy forms, terms, and exclusions. The result is a bewildering variety of insurance products that may contain some or all of the following coverages, to mention only a few:
- Defense and indemnity against lawsuits arising out of data security and privacy breaches;
- Costs of responding to regulatory investigations;
- Crisis management expenses, such as costs of conducting a forensic investigation to determine the cause and extent of a breach, and costs of notifying and providing credit monitoring for affected customers;
- Costs of restoring damaged data;
- Loss of revenue while your business operations are interrupted by a data security breach.
Due to the lack of standardization, policyholders often end up buying coverages they do not need. More importantly, policies often contain unexpected exclusions for the very risks you are trying to insure. For example, many policy forms cover losses resulting from the “theft” of data, but not from the mere “loss” of a laptop or hard drive, even though your liability for one may be as great as for the other.
The good news is that in this highly competitive insurance market, the terms of data security and privacy insurance policies are highly negotiable. An “off the shelf” policy can often be customized to respond to your unique circumstances – for instance, by being amended to provide coverage for data losses even in the absence of a theft, for breaches by vendors that handle your data, for liabilities to business partners in the event of a breach, for costs of pursuing indemnity claims against third parties, or to eliminate duplicative coverage by dovetailing your insurance with your indemnity rights against vendors and your potential rights as an additional insured under their policies. Policies can even be amended to provide coverage for certain “content based” liabilities such as libel and copyright or patent infringement.
Companies that do not have specialized data security and privacy insurance policies are also often surprised to find out that they already, in fact, have coverage for certain kinds of breaches under their existing property, general liability, errors and omissions, crime, and directors and officers liability policies – even though the insurers may wrongly deny coverage.