Every day seems to bring a new story about a significant data breach. Just within the last few weeks we have learned of the following cyber attacks:
- Hackers accessed the payment systems at three Dairy Queens in Ohio, gaining access to customer credit card information and expiration dates. This revelation came just a month after Dairy Queen announced a similar data breach for nearly 400 of its stores nationwide.
- J.P. Morgan announced that in June and July hackers accessed the contact information of 76 million households and 7 million small businesses. Although this data breach did not include the disclosure of financial information, the volume of information disclosed and the type of business, a financial institution, have concerned many people.
- AT&T announced that an employee accessed the personal information of over 1,600 customers, including social security numbers.
What is becoming clear is that no company is completely safe from hackers. Retailers such as Target and Home Depot have been the victims of the highest-profile attacks, but similar privacy breaches have happened to hospitals, schools, and professional service firms.
Insurance companies have capitalized on these events by releasing new cyber insurance products. At the same time, they are adding data breach exclusions to their standard CGL and employment policies. If you are not knowledgeable about these cyber insurance products, you should get up to speed, because they are quickly becoming an indispensable part of every company’s insurance portfolio. Cyber insurance will soon be as ubiquitous as commercial general liability or workers’ compensation insurance.
A current case in the Eleventh Circuit illustrates the important role these cyber policies can play in a company’s insurance portfolio. Red Coats Inc. d/b/a Admiral Security Services Inc. v. Carolina Casualty Ins. Co., case no. 14-12002 (11th Cir.) involved the theft, by a security officer of the plaintiff, of company laptops that contained personal information protected by HIPAA. The insurance company denied coverage on the grounds that the employment practices liability policy covered only wrongful acts committed by the insured as an employer, and that data breaches did not fit that definition. The trial court granted summary judgment for the carrier. The case remains on appeal.
Of course, the lawsuit would have been entirely unnecessary if the plaintiff had cyber insurance. Cyber insurance policies are expressly designed to cover the exact types of harm complained of in the Red Coats lawsuit: the theft of private information (in this case health information). Cyber insurance policies can also expressly cover the types of damages sought in the Red Coats lawsuit: the millions of dollars that were incurred to notify medical patients about the theft of their confidential health information. As an example, a Travelers Cyberrisk sample policy may include first-party “Security Breach Remediation and Notification Expenses.”
There are certainly courts that will read CGL and EPL policies broadly enough to grant coverage for data breaches. But in this day and age, with increasingly clever cyber criminals, the proliferation of data breach exclusions, and the body of case law related to data breaches somewhat evolving against policyholders, cyber insurance is becoming a necessary tool. Don’t be caught unprepared. Nossaman attorneys can assist in evaluating your company’s existing coverage and potential needs to make sure your company is not exposed.