The rapid and continuing evolution of electronic information systems, and the proliferation of devices that are connected to such systems, have brought with them a host of new privacy and security risks for virtually any entity that maintains electronically stored information. Federal laws, as well as laws in nearly every state, impose requirements for protecting personal information, and penalties for failing to do so. The risks of data and security breaches have raised many questions about insurance coverage for the variety of costs that can result from such a breach. Those costs may not be covered by traditional insurance policies—whether CGL, E&O, or first-party property policies—but there are new coverages being offered by many carriers that are specific to losses resulting from a data breach.
As more corporations have collected and stored more personal information about more people, data breaches have become more common. Many have made the news—Anthem, Sony, Target, to name a few. Many more have been less newsworthy, but nonetheless very expensive for those affected. A study issued in 2014 by the Ponemon Institute, a research group that focuses on privacy and data security, found that the cost of a data breach averaged $201 per compromised record, and predicted that, in the two years following the study, 19% of all U.S. companies—nearly one in five—will experience a data breach involving at least 10,000 records. Nearly half of all breaches are attributed to criminal or malicious attacks (44%), and just under a third (31%) are caused by employee negligence.
A data breach imposes a variety of costs on the company that suffers it. Some of these are costs incurred by the entity itself, and thus present first-party exposures, while others involve payments to others (and related defense costs), and thus present third-party liability exposures. Costs typically include:
- Forensic investigation to identify the cause of the breach, and the number of individuals affected.
- Notifying the affected individuals and the appropriate regulatory authorities. Identifying the regulatory authorities who must be notified is not necessarily a simple process. Forty-seven states have laws imposing requirements for protection of personally identifiable information, and those laws are typically triggered by the release of information about some threshold number of residents in that state. Thus, as the individuals affected are identified, part of the cost is determining which state authorities must be notified.
- Defense of regulatory enforcement proceedings, and potential fines and penalties. Depending on what was released and the circumstances of the release, a breach may result in regulatory action by either federal or (multiple) state authorities, and may include fines or penalties.
- Defense and settlement of, or payment of judgments in, civil suits brought by individuals affected against the company suffering the breach.
- Credit and identity monitoring costs. The laws governing data breaches typically do not require that companies provide credit or identity monitoring services to individuals affected by a breach, but many do so as part of their effort to keep their customers.
- Business income loss. Data breaches can disrupt a business, or even cause it to shut down for some time, which can result in lost business income.
- Replacement of lost data or compromised equipment. It may be necessary to rebuild a database in whole or in part, and hardware or software may have to be replaced.
- Lost customers and damaged reputation. As the victims of noteworthy data breaches can certainly confirm, data breaches can bring extensive negative publicity, and cause many customers to leave. Many companies spend considerable amounts on public relations efforts intended to mitigate those impacts.
- Cyber extortion payments. Criminal data attacks include cyber extortion threats—demands for payment to release data being held hostage.
In some instances, traditional insurance policies may provide coverage for some of these costs. For a variety of reasons, however, there can be uncertainty as to the applicability of that coverage, and many carriers have amended their policies to exclude cyber risks.
For example, some policyholders have sought coverage under provisions in their commercial general liability ("CGL") policies granting coverage for "advertising injury," which is typically defined to include publication of information that violates an individual's right of privacy. Some courts have read this coverage broadly. See Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014). Others have not. See Recall Total Mgmt. v. Fed. Ins. Co., 147 Conn. App. 450, 83 A.3d 664 (2014). In Recall Total Mgmt., the court held that a loss of data, without proof of "publication," may not be considered an "invasion of privacy" sufficient to trigger coverage. See id. at 464.
Moreover, as noted above, the 2014 Ponemon study found that the largest number of data breaches is a result of criminal or malicious attacks. That study also found that the most common forms of these attacks were attacks carried out by criminal insiders—and commercial general liability ("CGL") policies typically exclude coverage for criminal or intentional acts of the insured's employees.
In any event, even if a company's current CGL policy provides coverage for some of the costs of a data breach, next year's policy is less likely to do so. Carriers have been modifying—and can be expected to continue to modify—their CGL policies to exclude cyber risks. For example, in 2014, the Insurance Services Office ("ISO"), which develops policy language that is adopted by many carriers, introduced several endorsements to its standard CGL policies that can be added to those policies to limit or exclude coverage for data breaches and other cyber exposures.
Similarly, there may be no coverage for data breaches under errors and omissions ("E&O") policies, which typically limit coverage to claims arising from negligence in performing specified professional services. Thus, accountants, brokers, lawyers, and others who have E&O policies may find that, if they have a data breach, the costs they incur do not fall within the scope of their coverage. Like CGL policies, E&O policies also frequently exclude coverage for criminal or intentional acts of employees, which, depending on the cause of the breach, may raise a further obstacle to coverage.
There can also be a number of obstacles to coverage under traditional commercial first-party property policies. For example, carriers can be expected to argue that coverage under those policies is limited to physical damage to tangible property, or to damage only at specific locations. In addition, before they will cover business interruption losses, commercial property policies typically require that there first have been damage to physical property covered by the policy. If the data breach consists simply of a release of information held by the insured, with no physical damage to the insured's property, there may be no coverage for business interruption losses.
As with CGL policies, moreover, many first-party policies are now being endorsed or amended to exclude from coverage losses resulting from the corruption, destruction, loss or release of data, or from cyber risks more generally. Thus, while a traditional property policy currently in force might be found to provide coverage, that is less likely to be the case in future policy years.
As traditional policies are being modified to exclude coverage for cyber risks, many carriers have begun offering new coverages that specifically address data breaches and the costs they impose. Insurers have recognized that data breaches and other cyber risks present a new market for them, and policies are being offered by virtually every major carrier, as well as a number of smaller regional carriers. These coverages are typically provided by a separate, stand-alone policy, though the coverage can be added by endorsement to an existing policy.
There does not yet appear to be any standard language for these coverages—the wording varies from carrier to carrier—but the policies typically do take a common approach. In general, they offer a variety of both first-party and third-party coverages, and policyholders can choose, cafeteria-style, which coverages they want to purchase.
Under these new policies, coverage is typically available for all of the first-party remediation costs that can accompany a data breach, including:
- the costs of a forensic investigation of the cause and scope of the breach,
- the cost to retain a public relations firm to help manage negative press,
- the costs of credit and identity monitoring programs,
- the cost to replace or restore lost or corrupted data and other digital assets, and
- payments made to resolve cyber extortion threats.
Coverage typically is also available for business interruption losses resulting from a breach, including lost income and extra expenses incurred in getting the business back on track, without the prerequisite, found in traditional property policies, of physical damage to some insured asset.
Coverage is also available for the third-party liabilities and related defense costs that can result from a data breach, including:
- coverage for civil suits for unauthorized disclosure of personal data, including defense costs, settlements, and judgments.
- coverage for costs incurred in regulatory proceedings. The new policies typically do include defense costs for these proceedings; some policies also include coverage for fines and penalties, while others do not.
In many policies, the payment of defense costs erodes the limits available to pay settlements or judgments, so care must be taken in choosing the amount of coverage to be purchased, and whether umbrella or other excess coverage should also be put in place.
As companies take steps to reduce the chance that they will experience a data breach, and put plans in place to address them, one issue that should not be overlooked is whether they have insurance coverage for the costs that would result from a breach. If a company assumes that its existing policies will provide that coverage, it may, after learning of a data breach, be in for a second, and equally unpleasant, surprise.
Copyright © 2015 DRI's Data and Security Dispatch. Reprint permission granted.