Cyber Risk Insurance May Cost More Than You Think

Insurance Law360 - May 8, 2013

Since 2003, all but four states have enacted laws concerning data breaches and the protection of consumers’ personal information. This regulation of electronic data containing personal information and the protection of such information are not without reason.

Every year, hundreds of cyberattacks and inadvertent disclosures result in the exposure of millions of records containing some sort of personal information.[1] In response to these recurring cyber exposures, states have enacted two types of legislation.

First, the majority of states have put in place requirements and steps that a company or organization must follow in the event of a data breach or other disclosure. These generally include consumer notification requirements and a prescribed manner and method of notification. These statutes are most often enforced by the attorney general of the state, and in some states, the law authorizes private rights of action for a company’s failure to comply with the notification requirements.

The second type of legislation mimics the Federal Trade Commission’s Safeguards Rule. Legislation of this type requires companies and organizations to implement a safeguard plan concerning the protection of customer personal information. Generally, these rules are enforced by the states’ attorneys general. Failure of an entity to comply with the safeguard plan often results in claims of deceptive and/or unfair trade practices under the applicable law.

Depending on the type of entity or area of business, an organization may have to consider multiple other federal and state laws that regulate the storage of personal information and exposure to security breaches. These include but are not limited to:

  • U.S. Securities and Exchange Commission Requirements
  • The Privacy Act (5 U.S.C. § 552a)
  • Health Insurance Portability and Accounting Act of 1996
  • Fair Credit Reporting Act and Fair and Accurate Credit Transactions Act (15 U.S.C. §§ 1681-1681x) 

With companies and individuals steadily floating toward digital storage, the risk of exposure to cyber-related losses will only grow. This type of risk has shifted from being industry-specific to a threat that all businesses, regardless of size, should be aware of. Insurance companies have responded to these new types of exposures by underwriting cyberliability and cyber-loss policies or provisions. As a result, insurance coverage for cyber risk is now more available. 

Nonetheless, the diversity and complexity of the laws protecting digitally stored personal information indicate that both the insurer and insured should consider reviewing their existing protections and policies. The potential expense that could be occasioned by the notification requirements of these laws must be taken into consideration by insurers and insureds alike.

An insurer undertaking a broad form of coverage may not be aware of the full breadth of costs it may be indemnifying. Conversely, an insured who acquires a cyber policy that is more narrowly written may not have the protection it meant to acquire.

Data Breach Notification Laws and Their Requirements

Virtually anyone who possesses personal information of others may be exposed to liability in the event a data breach occurs that results in the loss of such personal information. A “data breach” is often characterized as an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”[2]

And, other than a few outliers, personal information is most often defined to be a person’s first name and/or first initial and last name in combination with any one or more of the following:

  • Social security number
  • Driver’s license number or state identification card
  • Credit or debit card number or bank account information
  • Passwords, security codes, pins and login information
  • Unique biometric data, including the individual’s fingerprint, voice print and retina or iris image 

A recent decision by the California Supreme Court has made California one of these outliers. In Pineda v. Williams-Sonoma Stores Inc.,[3] the court found that ZIP codes constituted personal information under California law. Given that California’s statute supports private rights of action, this has opened the door to multiple class actions that were previously denied under the statute. The expansion of liability under the California statute may be replicated in other states.

Organizations affected by a data breach are required to provide notice to each affected individual. This notice can be written, telephonic or electronic, and, if certain conditions are met (related to total cost or total number of notices required), a substitute general notice may be issued. Failure to notify the affected individuals or third parties will most likely result in a fine and depending on the jurisdiction, in private suits. These fines can be significant:

  • Texas: $100 (per person) to whom notification is due per day, not to exceed $250,000 per breach.[4]
  • Michigan: $250 per failure to notify capped at $750,000.[5]
  • Virginia: Attorney general may impose a civil penalty not to exceed $150,000 per breach.[6]
  • Utah: no more than $2,500 for a violation or series of violations concerning a specific consumer; no more than $100,000 in the aggregate for related violations concerning more than one consumer.[7] 

Even if notification requirements are met, the cost of assessing the breach, determining the affected parties, notifying the parties and providing remedial measures can be extremely costly. Merely determining which laws will apply is likely to result in expensive legal bills.

For these reasons, businesses are increasingly seeking insurance coverage for cyber exposure. While the cost of notification will vary depending on the size of the breach, both the insurer and insured must take into consideration that the potential monetary loss for only the notification aspect of a data breach can be significant.

Cyberliability Insurance

The type of loss that could arise in the event of a data breach that exposes personal information is rarely covered under traditional insurance forms. Insurers have developed specialty provisions that directly address cyberliability and cyber-related losses. The general language of provisions providing coverage for notification related costs may appear as the following:

  • Security Failure Notification Loss: "We will reimburse those reasonable and necessary legal expenses, public relations expenses, postage expenses, and related advertising expenses approved by U.S. and incurred by You in order to comply with state or federal privacy legislation mandating customer notification in the event of a Network Operations Security Failure that results in the compromise or potential compromise of Personal Information maintained or otherwise residing on Your Computer System. The Network Operations Security Failure must occur during the Policy Period."
  • Security Breach Remediation and Notification Expenses: "The Company will pay the Insured Organization for Security Breach Notification Expenses incurred by the Insured Organization within 12 months of, and as a result of, any Network and Information Security Wrongful Act."

Insurers should be aware of the practical and monetary implications of this line of coverage. A study conducted by NetDiligence looks at the average insurance payouts in cyber-related claims. In 2012, the average cost per breach (as paid by the insurer) was $3.7 million. The average cost per record was $3.94. These numbers include legal and crisis service costs, both often covered under the provisions providing coverage for notification-related costs.

Notification costs averaged $180,000 per breach or exposure, and the total average cost for crisis services, including notification, rose to $983,000.[8] One of the breaches was reported as costing as much as $2.5 million in crisis services only.[9] These numbers are significant. It is important for insurers to take this into account and to ensure that specialty coverages clearly delineate the corresponding limits and sublimits.

Lastly, it is important to consider that this area of coverage is still in its infancy, and making an estimation of exposure to possible losses is highly difficult. This new area of coverage does not only pose difficulties and unforeseen risks to insurers but also to the insureds.

The numbers presented above, while significant, do not fully illustrate the scope of losses that a business (insured) could face following a data breach that exposes personal information. A Ponemon Institute study puts the average organizational cost per record at $194 (not including legal costs). This is considerably higher than the number given above since the Ponemon study takes into consideration all costs to the organization rather than only costs covered by applicable insurance.

Similarly, the average overall notification cost per record was $19.81 versus $3.94 total cost per record covered by insurance.[10] The discrepancy between what it costs the organization and what the insurer pays out is significant.

Insureds need to take these factors into consideration when seeking coverage. Failure to do so could expose the organization to financial difficulties that could be hard to overcome without the proper coverage.

As the data breaches continue and the law develops, the risks and potential losses arising out of cyber claims will become clearer. This will be reflected in new specialty provisions and by new businesses seeking this type of coverage. Demand for this type of specialty coverage will most likely continue to grow, and more insurers will be ready to jump into this market.

In the meanwhile, both insurers and insureds should be aware of the implications of their existing insurance policies, the potential cost and losses arising out of data breaches and any changes in state or federal law.

--By Thomas B. Caswell and Hernán N. Cipriotti, Zelle Hofmann Voelbel & Mason LLP

Thomas Caswell is a partner in the firm's Minneapolis office. Hernán Cipriotti is a summer associate with the firm.

The opinions expressed are those of the author and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] A few of the most significant breaches of 2012: Global Payments (1.5 million records), Yahoo! (400 thousand passwords), Wyndham Hotels (600 thousand credit cards), eHarmony (1.5 million passwords), LinkedIn (6.5 million passwords), Zappos (24 million records), Gamigo (3 million records), and the Texas Attorney General’s Office (6.6 million records). Greisiger, M., NetDiligence, Cyber Liability & Data Breach Insurance Claims, October, 2012.

[2] Tex. Bus. & Com. Code §§ 521.002, 521.053

[3] 246 P.3d 612 (Cal. 2011)

[4] Tex. Bus. & Com. Code § 521.151 (2012).

[5] Mich. Comp. Laws § 445.72 (2012).

[6] Va. Code § 18.2-86.6 (2012).

[7] Utah Code § 13-44-301 (2012).

[8] Greisiger, M., NetDiligence, Cyber Liability & Data Breach Insurance Claims, p. 4, October, 2012.

[9] Id. at 9.

[10] Ponemon Institute, 2011 Cost of Data Breach Study: United States, 2-3 (March 2012)

Hernán N. Cipriotti also contributed to the article.