Legal Alert: The Value of Cyber Insurance in Managing the Risk of a Data Breach
The risk of a data breach now tops the list of concerns of many in-house counsel and C-suite executives. Cyber insurance is an important component in managing this risk and mitigating the damages and loss that follow a data breach.
The insurance that is commonly referred to as “cyber insurance” is designed to respond to instances in which a data breach occurs under a variety of circumstances, including hacking, accidental electronic disclosure, theft of information in paper form, and various inadvertent disclosures of personal or protected information, either in electronic or paper form.
Data breach or “cyber” insurance is distinctive in that it typically provides coverage for a broad range of losses, costs, and consequences that can follow a data breach. These policies typically include coverage both for third party damage claims asserted against a company as a result of a data breach and for some of the company’s own losses (first party loss). The third party coverage is usually written to cover breach of privacy or negligence type claims brought by persons whose data has been compromised, and it includes coverage for both the defense and the payment of such claims. The first party coverage can include various types of protection for the company, including coverage for some or all of the following:
- Notification costs
- Costs of establishing a call center
- Providing credit monitoring to affected individuals or other mitigation services
- Coverage for a forensic investigation to determine the cause of the data breach
- Crisis management coverage
- Extortion coverage
- Data restoration costs
- Business interruption coverage
Most policies also provide coverage for regulatory actions which may be brought against a company as a result of a data breach.
Does my company need cyber insurance?
Probably. At a minimum, all companies should thoughtfully consider whether to purchase cyber insurance. Virtually all companies have data that creates exposure. All companies that have employees have PII (personally identifiable information). Many small and medium-sized companies believe they do not need data breach insurance because they do not consider themselves “targets” for hacking. This is not necessarily true. In fact, sometimes the small and medium-sized companies are considered more attractive targets because their safeguards may be less sophisticated than those of large companies. Moreover, hacking and theft of data are not the only ways that data breaches occur. Even a data breach resulting from the simple negligence of an employee can cause a company potentially devastating problems and costs.
Do my company’s other (traditional) policies provide coverage for these risks?
Some types of traditional insurance may provide limited coverage for certain data breach losses. However, these other policies (such as general liability policies, professional liability policies, and employment practices liability policies) are not going to provide first party protection such as coverage for notification costs and credit monitoring. These costs can be substantial. In addition, even for more traditional third party damage claims (such as breach of privacy or negligence claims), it is becoming more difficult to rely on traditional types of policies to respond to a data breach loss. Many insurers are amending their traditional policies to explicitly exclude coverage for claims brought by affected parties in the event of a data breach. In short, traditional policies do not provide comprehensive data breach coverage and may not provide any coverage in this circumstance. When adopting a plan to mitigate risk and minimize exposure, most companies will want to purchase cyber insurance that is expressly and specifically designed to cover the variety of consequences that can result from a data breach.
Although most companies will want to purchase cyber insurance, that does not mean that the companies’ traditional insurance policies have no relevance to data breach issues. Even though many cyber insurance policies are designed to provide coverage for a wide range of losses, there are still instances in which related risks will not be covered by most cyber policies. For example, a major data breach can result in a claim being asserted against a company’s directors and officers alleging that they breached their duty to provide adequate safeguards for the company’s data. It will be important that the company’s D&O policy does not contain an exclusion for any cyber-related claims. If a data breach involves disclosure of employee information, a company’s Employment Practices Liability policy may provide some coverage for any claim brought by employees. If a company provides professional services that give rise to data breach risks, it is very important that the company coordinate the coverage in its Professional Liability policy with the coverage provided by the Cyber policy. Several insurers now offer combined Professional Liability/Cyber policies. For some companies, that combined coverage policy is a good option.
Of course, sometimes data breaches occur and a company does not have applicable cyber insurance. In those instances, it is very important to examine the company’s traditional policies to determine if those policies provide any possible coverage.
Obtaining appropriate cyber insurance
In today’s business environment, companies are expected to have evaluated the data breach risks they face and to have developed an appropriate strategy for managing those risks. That risk management strategy typically includes the purchase of cyber insurance coverage. Obtaining cyber insurance coverage that matches up with a company’s risk is not an easy task, because the various cyber insurance policy forms differ widely, and those differences can produce substantial differences in what is and is not covered.
As a first step in obtaining this coverage, it is important for a company to understand what its specific data risks are, and then consult with insurance professionals experienced in the area of cyber insurance to identify the specific policy forms that appropriately address those risks. It is important to understand what the proposed cyber insurance covers and what it does not cover before any data breach occurs. Cyber insurance continues to evolve and new cyber insurance forms continue to be introduced. Even companies that have purchased cyber insurance for many years can benefit from a fresh evaluation of the company’s current risks compared with the cyber insurance now available.
Should you have any questions or need assistance, please contact Pamela Morgan Hodge at (513) 579-6472 or firstname.lastname@example.org.
KMK Legal Alerts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
©2015 Keating Muething & Klekamp PLL. All Rights Reserved.