Against the backdrop of Target’s massive data breach and the recent Heartbleed headache, the insurance industry’s imminent implementation of a series of new cybersecurity data breach exclusionary endorsements, which were issued for use with standard-form liability insurance policies, should prompt organizations to carefully review their insurance policies for potential data breach coverage and consider purchasing cybersecurity insurance.
The Cost Of Data Breach
For a single data breach, the Ponemon Institute reports that the average U.S. organizational cost is $5,403,644 -- with $565,020 spent on post-breach notification alone. Importantly, the numbers do not include “data breaches in excess of 100,000 [records] because they … would skew the results.” Yet the incidence of large-scale breaches is on the rise -- as illustrated by the Target breach, which has precipitated over 70 putative class actions (yes, you read that right, 70), as well as shareholder derivative litigation alleging a 10%+ drop in share price, regulatory investigations, and, most recently, financial institution suits seeking reimbursement for the costs of issuing replacement cards.
There is no doubt that most organizations suffering a data breach of any consequence will incur significant costs, including for forensic investigation to figure out what happened, breach notification to potentially impacted individuals, and credit monitoring and public relations efforts, among other crisis management activities. Many organizations, like Target, will also face lawsuits, regulatory investigations and other negative consequences.
Unfortunately, data breaches are not only costly -- they are inevitable. By now, every organization should appreciate that even the most robust and sophisticated network security will fail. No firewall is unbreachable, no security system is impenetrable. As FBI Director Robert Mueller has fittingly stated, “there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
The Role Of “Traditional” Liability Insurance
Insurance can play a vital role in an organization’s overall efforts to address and mitigate cyber risk. As of now, there could, and there should, be significant potential coverage for cybersecurity data breaches under a company’s commercial general liability (CGL) policies, a type of coverage that the majority of companies already have in place.
In particular, the current industry standard-form CGL policy states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’” The key definition -- “personal and advertising injury” -- is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Considering this key definition, courts have appropriately upheld coverage for data breaches and other claims alleging violation of various privacy rights in a variety of settings.
New Data Breach Exclusionary Endorsements
As courts have upheld coverage for data breaches, the insurance industry has made it abundantly clear that it seeks to eliminate data breach coverage from the standard-form CGL policy.
Last Fall, Insurance Services Office, Inc. (ISO) filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These already have been approved by insurance regulators in at least 45 U.S. states and territories to become effective on or after May 1st. By way of example, one of the endorsements, entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited Bodily Injury Exception Not Included,” adds the following exclusion to the standard-form’s Coverage B:
This insurance does not apply to:
Access Or Disclosure Of Confidential Or Personal Information
“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.
ISO explained in connection with its filing of the endorsements that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”
Therefore, while acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”
Even before the recent 2014 data breach exclusions were introduced, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, entitled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key definition (i.e., “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”) that is the linchpin for the data breach coverage under CGL Coverage B (found at Paragraph 14.e of the Definitions section of Coverage B). The endorsement states:
With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.
Although this endorsement appears to have quietly flown in under the radar last Spring, it in reality is even more sweeping than the 2014 data breach exclusionary endorsements because it eliminates the key component of the coverage grant.
Although it may take some time for the new (or similar) exclusions to make their way into CGL policies, and although the full reach of the exclusions will remain unclear until judicially tested, they provide another reason for companies to carefully consider specialty cybersecurity insurance policies.
In addition, organizations should be aware that, even when these exclusions are not present, they are likely to find themselves in a fight to secure coverage under “traditional” CGL policies. By way of a high-profile example, Sony’s CGL insurers, Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co., filed a declaratory judgment action against Sony seeking to avoid coverage for Sony’s massive 2011 PlayStation data breach. On cross motions for summary judgment, a New York trial court judge recently let Sony’s insurers off the hook for the breach. With all respect to the New York trial court, this one should have been a clear Sony victory and should be overturned on appeal. In the meantime, however, the Sony decision underscores the issues that insureds face in obtaining coverage under CGL policies -- even where there is a good argument in favor of coverage.
Specialized Cybersecurity Insurance
As the insurance industry has added various limitations and exclusions to “traditional” policies, the industry has developed specialized “cyber” insurance policies, which cover, among other things, liability arising out of data breaches.
Cybersecurity insurance policies do not just cover lawsuits and regulatory actions. Unlike other types of insurance, they commonly provide “first dollar” coverage for breach notification costs and other “crisis management” expenses (forensic investigation, credit monitoring, call centers, and the like) and offer pre- and post-loss risk management services, including privacy training, information portals, and cybersecurity and incident response templates. After a breach, the policies afford companies access to established industry experts, including forensics specialists, public relations consultants and attorneys well-versed in navigating data privacy laws. All of this greatly assists in mitigating ultimate exposure. And the application process itself shines a spotlight on the company’s current cybersecurity risk management practices and is likely to reveal potential cybersecurity weaknesses that should be addressed.
Given the pervasiveness of cybersecurity incidents, the ever-increasing and evolving cyber risk threat, and the insurance industry’s position on coverage under “traditional” policies, companies should consider the potential role of cybersecurity insurance as part of their overall strategy to address and mitigate cyber risk. In addition, careful attention to insurance issues is consistent with the SEC’s Division of Corporation Finance guidance on cybersecurity disclosures under the federal securities laws, which advises that “appropriate disclosures may include,” among other things, a “[d]escription of relevant insurance coverage” for cybersecurity incidents. A review of recent SEC comments reveals that SEC is requesting information regarding both whether a company has obtained relevant insurance coverage, as well as the amount of the company’s cybersecurity insurance.
Cybersecurity insurance can be extremely valuable. However, organizations are advised to keep in mind that selecting and negotiating the right cybersecurity insurance policy presents unique and significant challenges. There is a vast array of cybersecurity products on the marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from policy to policy. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel -- and experienced insurance coverage counsel.
 Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, at 5, 16 (May 2013).
 Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference San Francisco, CA (Mar. 1, 2012), available here.
 ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.
See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527, at *2 (C.D. Cal. Oct. 7, 2013) (upholding coverage in a data breach case for statutory damages of $1000 per person under the CMIA and statutory damages of up to $10,000 per person under the California Lanterman-Petris-Short Act under a policy that covered damages that the insured was “legally obligated to pay as damages because of ... electronic publication of material that violates a person’s right of privacy”).
 ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.
 CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” Id.
 ISO Commercial Lines Forms Filing CL-2013-0DBFR, at p. 8.
 See CG 24 13 04 13 (2012).
 See Roberta D. Anderson, Five Reasons Why The Sony Data Breach Coverage Decision Is Wrong, K&L Gates LLP Insurance Coverage Alert (Mar. 10, 2014), available here.
 SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011).