Cyber Liability Insurance: Consider—But Be Careful As Insurance Company May Deny A Claim

All professionals such as engineers, contractors, and architects use technology for their projects. Employees have computers, tablets, and smart phones that contain client email addresses/information, often times payment information and sensitive client information such as contact data, addresses, sometimes financial information and credit card or bank account numbers.

Cyber liability insurance is a new type of insurance designed to help protect a company in the event of data theft or information mismanagement.

What is contained in the smart device is valuable information to hackers that can be used in a number of illegal ways. Once hackers gain access to a network, the information is available for their use. This in turn raises the possibility of lawsuits with high costs, both for one's business matters and reputation.

Here are just a few of the risks of a data breach:

  • Legal fees; costs to defend in court.
  • Possible economic settlements.
  • The expense of notifying customers.
  • Credit-monitoring services. As a gesture of good faith, one may want to offer such services to your clients so that they may keep an eye on compromised accounts.
  • Public relations; one of the most important campaigns after a data breach is damage control.

The expenses that come with a data breach quickly become a serious problem. A Cyber Risk Insurance plan "could" provide your company with the kind of protection it needs to deal with this data breach exposure.

What You Need to Know About Cyber Liability Insurance

Because cyber liability coverage is still a relatively new product in the insurance world, policies between insurance providers can vary greatly as can deductibles and monthly premiums. Consequently, there may be room for negotiation. But make sure you have reviewed the application with your IT folks and have an understanding of any exclusion of coverage issues in the actual policy. As noted below, a business could have insurance but no coverage for a claim made under the policy.

Generally, there are two types of coverage — first-party coverage and third-party defense and liability coverage — but your business likely only requires first-party coverage. As you choose a cyber liability policy to add to your business insurance plan, keep these questions in mind:

  • What do your resources look like? In addition to helping you pay for the cost of a data breach, insurance providers will often give you suggestions to help mitigate your cyber liability risk. Larger corporations have whole departments dedicated to this, but insurers understand that you may not have those resources. When you are better protected, they are also better protected.
  • Do you store information in the cloud? Many businesses do, whether it's their primary means of storage or their backup. Don't assume that your data is protected by your cloud provider's insurance policy because often it is not. Be sure to review your contracts to determine whether or not you are still legally responsible for the security of the information you store in the cloud.
  • Is cyber liability covered under your general liability policy? Usually the answer is no. It is important for business owners to be reminded that while their general liability insurance policy covers a lot, it does not automatically cover cyber liability. It may be possible for your insurer to integrate this policy to provide seamless coverage between your existing policies, but you will have to specifically ask for such coverage.

Look for an endorsement to your business owners' policy for data breach coverage. This new coverage can cover your business against losses resulting from:

  • Defense expenses and liabilities;
  • Costs to notify customers and employees affected by a data breach;
  • Most forms of data breach, including "skimming" or the stealing of credit card numbers and social security numbers;
  • Advertising and communication costs associated with repairing your reputation.

Cyber security and cyber insurance have dominated the industry headlines for several years now, but even as companies, brokers, and insurers work to develop these products, there has been very little case law interpreting key provisions. This is beginning to change as disputes arise and make their way through the judicial system.

One such recent suit is where CNA filed a declaratory judgment action against its insured, Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage's cyber policy. In January 2014, Cottage was sued in a class action in California state court where it was alleged that the records of more than 30,000 of Cottage's patients had been disclosed to the public via the internet. Allegedly, Cottage stored such records on an internet-accessible system but failed to install encryption or use other safeguards. The California court granted approval of the $4.125 million settlement fund in December 2014. CNA, which had reserved rights, filed this action.

CNA invoked the exclusion for "failure to follow minimum required practices" which precludes coverage if the insured does not "continuously implement the procedures and risk controls identified in the insured's application for this insurance." In its application, Cottage had indicated that it regularly re-assessed its exposure to information security and privacy threats among other more specific data-protection procedures. CNA asserts that this representation in the application was false.

The exclusion invoked was broadly worded and left room for CNA to deny coverage; so Cottage had insurance but no coverage. No doubt the case will be appealed. Regardless of the outcome, we can be sure that this is only the beginning of judicial interpretation of the key terms of cyber-related policies.