PRACTICAL POLICYHOLDER ADVICE
Having the right insurance coverage can mitigate risks and liabilities associated with data losses and other cybersecurity breaches. Although some of these risks may be covered by traditional insurance policies, such as CGL, D&O and property policies, insurance companies are increasingly trying to narrow or eliminate cybersecurity-related coverage in traditional policies. In light of this development and the growing pervasiveness of cyber-threats, companies in all industries should assess their existing coverage and strongly consider obtaining cybersecurity-specific insurance.
High-profile examples of cybersecurity-related liability have proliferated in headlines and courtrooms in the past year alone. Target Corporation’s board of directors is now facing shareholder derivative lawsuits related to the company’s massive data breach last year. Wyndham Worldwide Corporation is the target of a Federal Trade Commission enforcement action and a recent derivative lawsuit against its directors and officers in connection with several data breaches the company sustained. And, since 2011 when it issued guidance on cybersecurity disclosures, the Securities and Exchange Commission has continued to heighten its review of such disclosures for public companies from all industries.
The risks and exposures companies face in the aftermath of a cybersecurity breach can be both complicated and costly. A serious data breach can result not only in damage to the company’s own property and loss of income due to business interruption, but also in liability to a host of third parties, often in the form of lawsuits against corporate boards, regulatory enforcement actions, and consumer class actions. Potential liability exposures may turn not only on the risks associated with the breach itself, but also on the risks associated with the company’s efforts to prevent the breach and its resulting reaction to, and management of, the breach.
Insurance can play a vital role in mitigating and addressing liability associated with these risks. The best way to know if you are covered and prepared to deal with cybersecurity-related liability is to consult with parties with whom you do business, as well as experienced coverage counsel, to determine (1) whether your current policies protect your company against cybersecurity-related exposure and (2) whether additional coverage, including cybersecurity-specific policies, may be right for you.
Assess your traditional insurance policies.
Some cybersecurity-related risks may be covered by traditional commercial general liability (CGL) and directors and officers’ (D&O) policies. Although insurance coverage for any particular risk will depend on the facts and circumstances surrounding the loss, occurrence or claim, as well as the language of the policy itself, these traditional types of liability policies can apply to cybersecurity-related exposure based on claims by shareholders, consumers and other third parties, in certain circumstances.
For instance, many standard CGL policies provide coverage for “personal and advertising injury.” Some courts have found that definitions of personal and advertising injury are broad enough to provide coverage for liabilities arising out of data breaches and other claims involving third parties’ privacy rights. See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527, at *2 (C.D. Cal. Oct. 7, 2013).
Additionally, property insurance policies often provide protection in case of a data breach or other cybersecurity issue. Because property insurance policies are not liability policies, however, they do not cover liabilities to third parties for cybersecurity-related risks. Nevertheless, they can afford coverage for damage to a company’s own property or for business interruption a company suffers due to cybersecurity attacks, depending on the terms of the policy and the facts at issue.
Strongly consider obtaining cybersecurity-specific insurance.
Increasingly, insurance companies are attempting to narrow the cybersecurity-related coverage provided by traditional liability and property policies. In court, insurers have fought aggressively to avoid coverage for data breaches pursuant to traditional liability policies, and they have sometimes prevailed. See, e.g., Zurich Am. Ins. Co. v. Sony Corp. of Am., Case No. 651982-2011 (N.Y. Sup. Ct. 2013) (currently on appeal). Some insurers also have begun to explicitly alter the terms of CGL and other policies to limit the scope of coverage. For instance, the Insurance Services Office, Inc. (ISO) – an industry organization that develops standard insurance policy language – recently created several exclusionary endorsements designed to eliminate data breach coverage when used with its standard-form CGL policies. As of May 2014, ISO requires standard form CGL policy language issued after that date to contain a data breach liability exclusion.
In light of these developments and the pervasiveness of cyber-threats, companies in all industries should consider expanding their coverage for data breaches and cybersecurity-related exposure. This can be done by adding a cyber-liability endorsement to existing insurance policies or by obtaining standalone cybersecurity policies (or both). Many cybersecurity policies afford both first- and third-party liability coverage, and also afford coverage for the costs of complying with certain regulatory actions. No matter how a company seeks to expand its protection against cyber-losses, it should be sure that its cybersecurity policies include third-party liability coverage, including liability associated with the reliance upon outside vendors, and coverage for risks involving its own property, business interruption or data loss; and it should consult with experienced coverage counsel, because, unlike CGL policies, cybersecurity policy language is not standardized. Coverage varies significantly depending on the insurer involved.