Every in-house counsel dreads the telephone call on a Friday evening that starts with the words “I’m glad I found you.” That’s especially true if that telephone call informs the in-house counsel about the newly terminated IT department employee who was able to access the company’s confidential data systems 30 minutes before his access was deactivated. At that point, in-house counsel knows she is in for a long weekend and weeks or months of investigation, mitigation and possibly recriminations. Of course, there are two more questions that may be forgotten in this moment of crisis but will be asked soon enough: “How much will the investigation and remediation cost?” and “Who pays?”
Add to our example an additional twist: Our in-house counsel breathes a sigh of relief when she is told that the company’s security team has determined that the ex-employee introduced a virus that was intended to damage the company’s systems but that it failed to do any damage. Problem solved, correct? Unfortunately, even if there is no damage, the company could still incur significant costs as a result of the breach. In most circumstances, IT security departments will require a review of all of the major systems to confirm that the virus did not in fact infiltrate any systems and cause latent damage or a cybersecurity breach. Such an investigation can be extremely costly. At least one study has determined that the average cost to resolve an actual or potential cyber-attack is approximately $600,000. These costs can include forensic and investigative activities, assessment and audit services, crisis team management, and communications internally to executive management and board of directors and possibly externally to shareholders or the public.
While in-house counsel and the company’s IT security team are dealing with the immediate impact of a breach and beginning to plan for the longer-term response, a key aspect that should be at the top of the “to-do” list is to contact the company’s internal and external insurance coverage counsel and representatives. In order to maximize coverage, companies need to make sure that not only have they made a claim within the time limits required, but also that they are responding to the breach consistent with the requirements of their insurance policies.
Most companies typically have traditional insurance policies that may cover cyber risks, including commercial general liability (CGL) coverage. CGL policies generally cover the company against liability for claims alleging “bodily injury” and/or “property damage” and also against liability for claims alleging “personal injury” and/or “advertising liability.” Insurers typically argue that “cyber” risks are not intended to be covered under CGL policies, but insureds have had some success in pursuing coverage for cyber risks. Insurers have begun to constrict CGL policy language in an effort to preclude coverage for losses arising from data breaches. In order to specifically cover the risks associated with cyber breaches, and to protect the company’s balance sheet, companies are looking toward cybersecurity insurance.
Insurance companies are currently offering cybersecurity insurance policies that protect businesses from Internet-based risks, and more generally from risk relating to information technology infrastructure and activities. While cyber-insurance coverage is relatively new to the market, the types of coverage are typically divided between first-party coverage, which protects the policyholder itself, and third-party coverage, which protects against the claims of a third party against the policyholder. First-party cybersecurity policies may provide coverage for:
- The costs associated with determining the scope of the breach and taking steps to stop the breach;
- The costs of providing notice to individuals whose identifying information was compromised;
- Public relations services to counteract the negative publicity that can be associated with a data investigation;
- The costs of responding to government investigations;
- The costs of replacing damaged hardware or software;
- The costs of responding to parties vandalizing the company’s electronic data; and
- Business interruption costs.
Third-party cybersecurity policies may provide coverage for:
- Liability for permitting access to identifying information of customers;
- Transmitting a computer virus or malware to a third-party customer or business partner;
- Failing to notify a third party of their rights under the relevant regulations in the event of a security breach; and
- Potential “advertising injury,” i.e., harms through the use of electronic media, such as unauthorized use or infringement of copyrighted material, as well as libel, slander, and defamation claims.
There is also specific cyber-insurance for privacy breach incidents. This insurance could pay for the immediate response to the breach to stop the damage, reimburse the costs of replacement of hardware or software, and the costs to investigate the scope of the breach. This insurance could also pay for the costs of providing notice to people whose information was disclosed, and may even have preferred companies that it favors for providing that notice. Business interruption costs may also be covered, as well as reimbursement for the costs of responding to investigations or work to counteract negative publicity.
While our in-house counsel probably can’t save her Friday night plans, proper planning on the part of the company can reduce the monetary harm and other risks of actual or even potential cybersecurity breaches. Companies should seriously consider purchasing cybersecurity insurance and, in so doing should consider first and third-party coverage, data restoration costs and coverage for regulatory actions.