Litigation: Preparing for possible data breach exposure

Companies can increase the chance that insurance may defray the costs of a breach, including the risk of litigation.

As data security and privacy risks have evolved, so too has the need for insurance to cover those risks. Yet, many corporations have not matched their evolving risks to the coverage needed. For many years, the conventional wisdom was that a “brick and mortar” company had little or no need for data security/privacy coverage.

Eventually companies learned the hard way—through headline-grabbing data breaches (such as The TJX Cos.)—that data security was a risk faced by virtually all large companies, not just those that rely heavily upon Internet-related activity. The statistics are clear: The average expense of a data security breach event is large and growing—$6.8 million in 2009, up to $7.2 million in 2010 and, in many instances, can be much more. And that expense doesn’t even take into account the cost of litigation and possible settlements or judgments should a case make it past motions to dismiss.

Because so many companies are at risk for a data breach event, unlike any other possible risk facing corporate bottom lines, proactive conduct today could pay off multifold tomorrow. A critical proactive component is an immediate insurance audit to determine the scope of existing coverage and how to fill gaps. For example, insurers have been attempting in recent years to tighten policy forms to reduce data breach protection within traditional coverages, such as commercial general liability (CGL); property/business interruption; errors & omissions (E&O); crime; directors and officers liability (D&O); and media liability policies.

However, not all of these traditional coverages within a company’s insurance portfolio eliminate that protection. As a result, as a first step in a portfolio audit, companies should review their traditional coverages to determine how those policies would respond to a data breach event. If the existing coverage is potentially adequate, then the need for additional protection may be limited. However, the existing policies may include current forms that insurers will argue reduce their exposure to such events. In that circumstance, other specific coverages should be considered.

The next question, however, is what to purchase. Without doubt, a full panoply of data breach protection can be purchased at significant cost. In fact, many companies arguably have paid to over-insure against certain risks—most notably third-party litigation. Other companies have underinsured for the more likely risks confronted in the area of data security, such as data breach notification, credit monitoring, consultants, lawyers, breach mitigation and public relations costs—expenditures that can reach into the multimillions.

It is impossible to know what exposure might result from a data breach event and thus exactly what insurance to purchase. The Sony PlayStation data breach, for example, has resulted in substantial litigation, including multiple class-action lawsuits. Thus, depending upon the nature and size of a data breach event, a company can face substantial litigation exposure. However, although the law presently is evolving on the issue, many courts thus far in the privacy and data breach contexts have not allowed common law litigation claims to go forward given questions regarding whether the plaintiffs have in fact suffered “damages,” and, therefore, whether they have “standing” to sue. It may be that a company’s most significant exposure is “response costs” of the nature mentioned above as opposed to litigation—meaning that it may not be cost effective to purchase substantial data breach litigation coverage.

Again, depending upon the language of the company’s current traditional coverages, litigation expenses might be covered under, for example, the CGL “property damage” or “personal or advertising injury” coverages. The New York court’s decision in the PlayStation coverage litigation may arguably provide some guidance on how those coverages apply in this context. An argument also can be made that “response costs” should be covered under, for example, CGL, E&O or D&O policies as necessary to mitigate or reduce the chance that the data breach event will lead to litigation—an argument that has yet to be litigated in this context.

What is clear: Until a company has done an adequate policy audit to ascertain the nature of its existing data breach insurance coverage, it cannot make educated decisions about whether and what additional coverage may be necessary. What also is clear: When deciding what additional coverage to purchase, if any, the right company professionals should be involved.

Given the complicated nature of data security issues, it may make sense to involve in the decision-making process, in addition to insurance brokers, internal lawyers or other professionals who have the right understanding of the company’s potential risks in this arena and the law surrounding the relevant issues. 
