Exposure to losses from data breaches and loss of personal information continues to rank high on the list of worries for general counsel around the country. GCs have good reason to worry.
Marsh, one of the largest insurance brokers in the world, reports that over 600 million confidential personal records have been breached in the last five years. Verizon’s 2013 Data Breach Investigations Report is even more telling with its opening line that in 2012 “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage.” The Verizon Report’s statistics are even more alarming.
Specifically, 37 percent of data breaches affected financial organizations. The next highest segments vulnerable to cyber-attacks include retail businesses and restaurants, followed by manufacturing, transportation and utilities.
In response to the growing risk of loss from cyber and privacy violations, insurers are reacting in two ways. First, most insurers have excluded cyber risks from more traditional insurance policies such as Commercial General Liability (CGL). Second, insurance companies are racing to the market with new products aimed at providing specialized coverage for such losses.
As companies of all sizes approach the calendar year-end, now is the time to analyze exposure for cyber risks and address insurance needs to close any gaps in coverage. If GCs are as worried about losses as noted in current reports, then they should be leading the charge to address the need for cyber insurance.
Businesses can obtain cyber insurance for first- and third-party losses. It is critical to understand both and ensure there is appropriate coverage for both.
First-party coverage can include within its scope: 1) computer data restoration; 2) re-securing a company’s information network; 3) theft and fraud coverage; 4) business interruption; 5) forensic investigations; and 6) extortion. Commentators note that first-party losses are usually the higher costs to a business suffering a cyber-attack, so adequate coverage in this area is vital.
Organizations need third-party coverage as well. Of course, most coverage in this area will provide for a defense to litigation from your customers for their direct losses due to a breach. Insurance may also cover the following: 1) crisis management; 2) credit monitoring for customers; 3) the cost associated with notifying customers of a breach; 4) media and privacy liability; and 5) responses to regulatory investigations.
As industry expert Richard Betterley noted in his June 2012 report on cyber insurance, “[t]he market continues to broaden, especially in health care and the small- to mid-sized insureds segments.”
However, this is an area of insurance that the buyer must beware. Cyber insurance is a new form of insurance that does not benefit from long-term placement in the market so that policyholders and insurers have an understanding of the scope of coverage through negotiations and court opinions. All cyber insurance policies are definitely not created alike. Some insurers weave the scope of cyber coverage into more traditional policies, such as CGL, D&O and E&O. The problem with this method is that it is difficult for insureds to understand the scope of coverage and it creates shared limits of insurance that may ultimately prove too little for the exposure.
Companies need to develop a thorough understanding of their risks and also understand the scope of the cyber insurance they are placing.
It is always easier to be convinced by way of example, and the United States Court of Appeals for the 6th Circuit’s latest opinion does just that for insureds. For those not very familiar with these two parties to the litigation, Retail Ventures is DSW Shoe Warehouse and National Union is owned by Chartis (now known again as AIG).
In 2005, hackers breached DSW’s main computer system and downloaded more than 1.4 million customers’ credit cards and checking information profiles. DSW filed a notice of claim with National Union for the losses of approximately $5.3 million related in various forms to the theft. In response to the insurance claim under DSW’s Blanket Crime Policy, which contained an endorsement for Computer & Funds Transfer Fraud Coverage, National Union denied it. This forced DSW to sue its insurer for coverage of the data theft and related costs.
In this particular case, the federal courts were called upon to apply Ohio state law. The courts found the issue, which centered on the interpretation of the simple phrase “resulting directly from,” new to Ohio for this type of claim. For DSW, its recovery of over $5.3 million boiled down to a court interpreting for the first time small phrases in the crime policy’s computer fraud coverage. You can only imagine the risk posed to a smaller business in having a large claim outright denied — it becomes a life or death struggle for the business against its larger insurer.
The district court found in favor of coverage for DSW, and National Union appealed to the federal court of appeals based in Cincinnati. After a thorough analysis of Ohio and other law, it too found in favor of DSW. As the court succinctly noted, “[d]espite defendant’s arguments to the contrary, we find that the phrase ‘resulting directly from’ does not unambiguously limit coverage to loss resulting ‘solely’ or ‘immediately’ from the theft itself. The court also analyzed the insurer’s arguments that various exclusions within the computer fraud endorsement barred coverage. Those attempts to defeat coverage for DSW were also rejected.
A company’s traditional insurance program likely will not cover cyber losses, or contain gaps in such coverage, for cyber/data breaches. The DSW case demonstrates how far a policyholder may have to go to find coverage through a more traditional insurance policy. As a recent announcement from Marsh highlights, “Cyber insurance policies can fill many of the gaps in traditional insurance and provide direct loss and liability protection for risks created by the use of technology and data in an organization’s day-to-day operations.”
There is no time like the present for policyholders — large and small — to analyze their insurance programs to determine if their current insurance will cover cyber-risks or identify any gaps that may need to be filled. An ounce of prevention upfront from such an analysis may prevent the type of insurance fight DSW waged to get secure the coverage it purchased from its insurer.