The Federal Trade Commission recently released new recommendations for businesses in the event of a data breach. The guide covers three critical areas of data breach response: securing operations, fixing vulnerabilities, and notifying the appropriate parties. This last section is particularly detailed, addressing best practices for notifying law enforcement, other affected businesses like credit card and bank institutions, as well as any potentially compromised individuals, and even includes a model breach notification letter. However, companies in the midst of juggling a multi-faceted breach response can easily forget to notify another necessary group: its insurers.
Timely written notice of a claim or loss is a near universal condition in insurance policies. Failing to strictly adhere to the notice requirements—whether by tendering too late or by sending the notice to the incorrect address—can jeopardize coverage. In the event of an actual or potential data breach, review your policies immediately and calendar any hard deadlines for providing notice (such as the end of the policy period). This means reviewing all potentially responsive policies, not just those most likely to insure such an incident like a standalone cyber policy, or an Errors and Omissions policy with added Network Security and Privacy Liability coverages. Commercial general liability, property, and fidelity bond policies might also cover data breaches and network security failures. Providing notice to all insurers potentially on the risk may avoid leaving good money on the table.
TIP: Many cyber policies not only cover liability for third-party claims, but also your direct costs in responding to a data or privacy breach. These might include the cost of investigating the cause and scope of the breach, notifying parties impacted by the breach, and hiring a public relations firm. In such cases, your obligation to notify the insurer may be triggered as early as your “first knowledge or awareness” of the breach—not when someone first makes a “claim” against you.