Cyber Risk Is The “New Normal”

by Hodgson Russ LLP

Introduction

Make no mistake, all companies—big or small—are vulnerable to a privacy breach or a network security incident. Cyber liability is the “new normal.” It can arise from human error, hackers, digital espionage, data theft, denial-of-service attacks, electronic sabotage, improper employee or contractor access, computer viruses, or programming errors. Although network security incidents receive the most publicity, most insurance claims involve a breach of privacy. “Despite concern over cyber risks, many companies continue to underestimate or not recognize the potentially serious financial impact of a major cyber event.”1 This article highlights the basic nuts and bolts of cyber insurance: the who, what, where, when and why.

The standard general insurance policies—Commercial General Liability, Errors & Omissions, Business Owners, Management Liability, Crime, Professional Liability, Employment Practices Liability, Kidnap and Ransom, Internet Media Liability and Property Business Interruption and Data Loss—are not enough to protect against cyber risks. The cost of a cyber liability policy is nominal compared to the risk of uninsured or uncovered loss under a non-cyber policy.

Facts

Chubb Insurance Company’s 2012 Public Company Cyber Risk Survey found: “(1) 2 in 5 companies experienced a significant cyber security issue in a 12-month period; (2) a typical data breach in 2011 resulted in $5.5 million in organizational costs; (3) 46 U.S. states have enacted some type of security breach notification legislation; and (4) 52% of companies are dedicating additional resources toward mitigating their cyber risk.”2 In 2012, the average cost for: (1) “legal defense was $582,000, while the average legal settlement was $2.1 million”; (2) “Crisis Services, including forensics, notification, call center, credit monitoring and legal guidance, was $983,000”; and (3) forensics was $341,000.3

The Ponemon Institute found that “negligent insiders and malicious attacks are the main cause of data breach: 39% of incidents involved a negligent employee or contractor, 37% concerned a malicious or criminal attack, and 24% involved system glitches.” Malicious attacks are the most costly. The average organizational cost of a data breach was $5.5 million.4 An example of a malicious attack, as described by Tenant Risk Services, is a business hacked by a local teenager who steals social security numbers and bank account details from customer files. The teenager sells the information to an Internet website, which uses it to create false identities for criminals. The business incurs notification and credit monitoring expenses, and will incur legal expenses and damages from potential lawsuits.

In its 2012 Cyber/Privacy Insurance Market Survey, Betterly Risk Consultants reported that the “average costs for crisis services (forensics, call center, credit monitoring and legal counsel) was $983,000.” According to a June 2012 study by Symantec, a cybersecurity firm, “Nearly 40% of all targeted cyber-attacks take aim at businesses with fewer than 250 employees.”

Federal Rules & Guidelines

SEC Guidelines. On October 13, 2011, the Securities and Exchange Commission’s Division of Corporation Finance released “CF Disclosure Guidance: Topic No. 2 – Cybersecurity.” The guidance calls for publicly traded companies to disclose “material information” regarding cyber-attacks and their costs to shareholders, including a “description of relevant insurance coverage.” Directors and officers therefore carry an additional layer of fiduciary duty to exercise a heightened level of corporate governance over the company’s cyber security.

FTC “Red Flags Rule.” The FTC began enforcing the “Red Flags Rule” (16 CFR Part 681) on December 31, 2010. The Rule applies to financial institutions and “creditors” with “covered accounts.” It requires such companies to adopt written Identity Theft Prevention Programs that identify “Red Flags,” the warning signals that alert a company to the risk of identity theft, and to detect, prevent and mitigate identity theft when it occurs.

Gaps in Coverage

To avoid gaps in coverage, a company should retain coverage counsel to evaluate its insurance program. Traditional insurance programs include CGL insurance, property insurance, directors and officers insurance, professional liability and employment liability coverage. Coverage counsel can help a company determine the risks and dangers of not having the right insurance in place.

A standard business policy typically does not cover liability for loss of customer or employee data. A standard CGL policy typically covers damage to “tangible property” and some types of “personal injury” or “advertising injury.” “Tangible property” under a CGL policy does not include lost computer data, and the policy probably excludes damages arising from criminal acts committed by the insured or by hackers who engage in intentional wrongdoing. A data breach is not a peril like fire or windstorm, the kind of event that typically falls within the definition of “property” damage. The “personal and advertising injury” provision of a CGL policy has limitations as well, because a data breach may not be considered a “publication” of private material.

In Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010), an action was commenced against the insured, Eyeblaster, an online marketing campaign management company, for allegedly infecting an individual’s computer with a spyware program that resulted in, among other things, data loss. The Eighth Circuit found that the allegation triggered a duty to defend under the E&O policy because the insured’s act of causing software to be installed on the computer, while intentional, was not a wrongful act. The court also held that the alleged loss of use of the computer itself, which is tangible property, triggered the duty to defend under the general liability policy, so whether a computer-related claim is covered can turn on exactly how the underlying complaint is pleaded.

A Directors & Officers liability policy usually provides coverage to directors and officers individually, but a property exclusion may apply to bar coverage.

A stand-alone cyber liability policy fills the gap between standard policies. It may provide coverage for: liability for permitting access to identifying customer information; transmission of a computer virus or malware to a third-party business, customer or business partner; failure to notify a third party of its rights under the applicable regulation in the event of a security breach; and “advertising injury” (copyright infringement, libel and slander).

Where an insured has no cyber liability policy, carriers are asserting their rights and commencing declaratory judgment actions to establish that the loss is not covered under the standard CGL policy.

In April 2011, hackers attacked Sony’s PlayStation Network and 77 million records were exposed. Sony filed a claim with its carrier, Zurich American Insurance Company, to defend and indemnify the company against class-action lawsuits, miscellaneous claims and regulatory investigations under its primary and excess CGL policies. Sony’s remediation costs for the breach are approximately $170 to $173 million. In July 2011, Zurich filed a declaratory judgment action in New York Supreme Court to uphold its denial of coverage under the CGL policies and thereby relieve itself of any obligation to defend and indemnify Sony against the data breach claims. Zurich argued that the CGL policy does not cover Sony for damages arising from cyber incidents: the CGL policy covers “bodily injury” and “property damage” caused by occurrences other than cyber-attacks. Zurich American Ins. Co., et al. v. Sony Corp. of America, et al., Index No. 651982/2011 (Sup. Ct. N.Y. County).

In 2012, Arch Insurance Company commenced a coverage action against Michaels Stores, Inc. Michaels Stores allegedly failed to safeguard PIN pad terminals, which allowed criminals to fraudulently access and use customers’ credit card and debit card information. Arch alleges that the CGL policy excludes electronic data from the definition of “tangible property,” and that coverage is further barred by the policy’s exclusion for loss “arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

Overall, traditional policies do not cover every loss. First, a CGL policy covers only “tangible property,” usually excludes electronic data, and excludes claims arising out of “blogs” a company owns or hosts. Second, a property policy usually covers loss of business income only where there is direct physical damage to property, not loss caused by hackers shutting down an operation. Third, crime policies do not cover claims for damage to intangible property, and there is usually an exclusion for loss of confidential information. Fourth, a D&O policy typically excludes claims arising out of bodily injury (including emotional distress), property damage and personal injury. Finally, traditional policies, unlike a cyber insurance policy, do not cover notification expenses.

Types of Coverage Provided

A cyber liability policy is usually a “claims made” policy. Coverage is triggered only if, first, the claim is first made against the insured within the policy period and, second, the insured reports the claim to the insurer within the policy period or any extended reporting period. The policy generally covers:
  • Liability — Coverage for defense and settlement costs arising out of the insured’s failure to properly care for private data, business interruption, and software or hardware replacement.
  • Remediation — Coverage for crisis management, public relations, customer notification, credit monitoring, forensic investigation, and regulatory compliance.
  • Fines and/or Penalties — Coverage for the costs of defending a lawsuit or regulatory investigation and of paying judgments, settlements and, where insurable, fines or penalties.
  • Intellectual Property — Coverage for copyright, trademark or service mark, and patent infringement.
  • Other Coverages — Virus, unauthorized access, security breach, personal injury, and loss of use.

First Party Coverage (Property and Theft)

First-party coverage responds to the insured’s own losses rather than to claims brought by others. Loss may include: financial loss arising from damage, destruction or corruption of a company’s information assets (e.g., customer lists, privacy information, business strategy, competitor information, product formulas or trade secrets); loss of revenue; operating expenses incurred due to a denial of service; and the cost of restoring or recreating stolen data. Taken as a whole, coverage under a cyber policy includes: liability for privacy and confidentiality breaches; copyright, trademark and defamation; malicious code and viruses; business interruption, network outages and computer failure; attacks, unauthorized access, theft, web site defacement and cyber extortion; and intellectual property infringement.

Third Party Coverage (Privacy and Data Security)

Third-party claims are brought against an insured by customers or other third parties where the alleged loss results from a “wrongdoing” by the insured company in connection with its computer systems, the Internet or other information-related matters. These claims range from liability of the company and its directors and officers (e.g., mismanagement or breach of fiduciary duty) to liability arising from its employees (e.g., the company’s presence on the web, negligent performance of professional services, transmission of malicious code or a denial-of-service attack). Other claims include theft of customer information (e.g., credit card information, financial information, health information or other personal data), trademark and copyright infringement, libel, invasion of privacy, transmission of malicious code, and customer suits.

Notes

1. Chubb Insurance Company, 2012 Public Company Cyber Risk Survey, www.chubb.com/infographics/chubb3/index.html

2. Chubb Insurance Company, 2012 Public Company Cyber Risk Survey, www.chubb.com/infographics/chubb3/index.html

3. Mark Greisiger, President of NetDiligence, “Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches.”

4. Ponemon Institute LLC, “2011 Cost of Data Breach Study: United States” (March 2012).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hodgson Russ LLP | Attorney Advertising
