A question that I often get from clients is one about cyber-insurance. In light of the recent passing of Bill S-4, better known as the Digital Privacy Act, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) has now been amended to include mandatory breach notification provisions. While these mandatory breach notification provisions are not yet in force, it is a good time to review your cyber-insurance coverage.
As data breach incidents continue to rise, and legislative regimes impose more and more stringent regulation of data breaches, including the proliferation of mandatory breach notification provisions, the expense associated with data breaches also rises. Estimated costs of dealing with a data breach, even to resolve a potential attack or an attempted breach, have been as high as $600,000. Costs can be incurred as a result of forensic and investigative activities, assessment and audit services, crisis team management, and the necessary internal and external communications. As these incidents increase in number, scope, and impact, organizations are looking to transfer the risk associated with information security breaches.
The most common way of transferring risk is by obtaining insurance policies: if the risk is insurable, the risk is transferable. Cyber and privacy insurance has been available on the market for the last decade, covering organizations’ liability for a data breach in which the organization’s or customers’ information is lost or stolen. Marsh Inc., a global insurance broker, said that the number of organizations that purchased cyber insurance in the US increased by 33% from 2011 to 2012, and that cyber insurance is currently the fastest growing area of commercial insurance in the world. Policies vary, with cyber insurance offered as an add-on to or included in more general policies, or sold as a distinct product. Marsh Inc. also noted that the slower growth of cyber insurance in Canada compared to the US is likely due to the higher number of mandatory breach reporting regimes in the US.
An important preliminary note on cyber insurance is that it is often confused with technology errors and omissions insurance (commonly called “Tech E&O” insurance). Tech E&O insurance protects providers of technology services or products, such as software designers and manufacturers, whereas cyber insurance protects consumers of those products and services.
Generally, cyber insurance is divided into first party coverage, protecting the policyholder, and third party coverage, protecting against third party claims against the policyholder. First party policies may cover:
- The costs associated with determining the scope of the breach and taking steps to stop the breach;
- The costs of providing notice to individuals whose identifying information was compromised;
- Public relations services to counteract the negative publicity that can be associated with a data breach investigation;
- The costs of responding to government investigations;
- The costs of replacing damaged hardware or software;
- The costs of responding to parties vandalizing the company’s electronic data; and
- Business interruption costs.
Third party policies may cover:
- Liability for permitting access to identifying information of customers;
- Transmitting a computer virus or malware to a third-party customer or business partner;
- Failing to notify a third party of their rights under the relevant regulations in the event of a security breach; and
- Potential “advertising injury,” i.e., harms through the use of electronic media, such as unauthorized use or infringement of copyrighted material, as well as libel, slander, and defamation claims.
Cyber insurance can also cover specifically the crisis stage of a data breach. This could include any expenses related to the management of the incident, such as investigation, remedial steps, required notifications, call and public relations management, credit checks for the subjects of the data, and any legal costs including fines or the costs of running a suit.
Limitations of Coverage: Relevant Considerations
It is important to determine the extent to which your organization’s cyber insurance policy will protect against liability for breaches. Because all insurance policy coverage is dependent on the particular terms and conditions in the policy at issue, organizations looking to obtain cyber insurance should consider a number of questions, including those detailed below. In general, organizations should ensure that their response plan to a potential or actual breach is consistent with their insurance policy. Organizations should consider:
- What security controls can you put into place that will reduce the premium?
- Will you have to undertake a security risk review of some sort?
- What is expected of you to reduce or limit the risks?
- Will you get a reduction for each year you do not claim?
- What assistance is provided to improve information governance and information security?
- What difference, and how large a difference, will a claim make to your future premiums?
- What support, if any, will be provided to assist in making the right security decisions for the industry or business you are in?
- The security and protection industry changes very quickly; how can the insurer ensure that your policy stays current?
- Do all portable media/computing devices need to be encrypted?
- What about unencrypted media in the care or control of your third-party processors?
- Are malicious acts by employees covered?
- Will you have to provide evidence of compliance with existing Data Protection Principles, in relation to your actual processing, to prove you were not acting disproportionately?
- Although ignorance of the law is no excuse, most organizations cannot keep up with every compliance issue in every territory in which they operate. Because insurance policies often stipulate that you must not be breaking the law, would the insurer refuse a claim if you were processing data in a way that may contravene the laws of one country but not another?
- What if there is uncertainty around whether the incident took place a day before the cover was in place or on the day?
- Are the expense limits grouped together in such a way that the maximum covered limit is likely to be reached very quickly unless you increase the cover?
- Are any and all court attendances to defend claims from others covered?
- Could you claim if you were unable to detect an intrusion until several months or years had elapsed, so that you are now outside the period of cover?
Every organization faces different challenges with regard to data breaches. The size, industry, type of data, potential exposures, business model, and many other considerations will affect the scope and detail of the ideal cyber insurance policy. Organizations should ensure that they have a detailed system tailored to the specific liabilities and risks to which they are exposed in the event of a data breach.