On August 6, 2014, the New York Times – and other media outlets – reported that a Russian crime ring had amassed the largest known collection of stolen Internet data – a cache of at least 1.2 billion user name and password combinations, as well as more than 500 million email addresses. The sheer volume of this stolen information underscores the fact that staying ahead of hackers has become an increasingly losing battle. Despite the publicity and increasing urgency in addressing this concern, data security breaches are becoming more frequent, more severe, and more costly, and have increasingly greater consequences for the company and its management. For example, the New York Times report comes on the heels of Target’s recent announcement that its losses related to its data breach during the 2013 holiday season were expected to top $148 million, resulting in a “hold” rating on its stock and lowering its earnings forecast.
A string of high-profile data breaches at well-recognized companies, hospitals, professional firms and restaurants make clear that no business is immune from this risk. This, along with increased regulatory scrutiny and reporting requirements and well-publicized lawsuits against company boards and management by shareholders and financial institutions, has elevated cybersecurity to the single most important issue to board members and management, according to a recent survey by EisnerAmper.
One thing is clear: companies must be proactive and get out in front of the problem by including an assessment of their coverage needs, and any existing coverage they may have, as part of a comprehensive breach protection and response strategy and security plan. Waiting until a breach occurs may be too late.
The landscape for insurance covering these types of risks is evolving and changing rapidly. Historically, policyholders have looked to commercial general liability (CGL) policies for defense and indemnification of third-party claims. Alternatively, coverage for losses related to a policyholder’s property may exist under a first-party property policy. Liability for these losses has also spawned shareholder lawsuits, resulting in claims for coverage under D&O policies. But the insurance industry is contesting coverage of cyber risks under these types of policies, and is making every effort to exclude coverage from most new CGL and property policy forms. At the same time, the market has seen an influx of cyber-specific policies, but coverage under these policies can vary widely from policy-to-policy and from industry-to-industry, and the forms themselves differ greatly in their terminology and structure. Moreover, because these are relatively new insurance products, it will be some time before policyholders have definitive guidance from the courts on how coverage under these new policies will be interpreted.
With coverage being increasingly limited under traditional policies, and with the breadth and uncertainty of coverage offered under cyber-specific policies, companies should seek guidance from experienced coverage counsel to maximize their potential coverage under both cyber-specific and other insurance coverage – well before they face a cyber crisis.