Big Or Small, Cos. Need Insurance Against Data Breaches

by Zelle LLP

Insurance Law360
August 22, 2012

By Thomas B. Caswell and Hernán N. Cipriotti

Most businesses, whether small or large, are aware of the risks associated with their enterprise and acquire insurance coverage to aid in managing the financial consequences of those risks. One increasingly common risk for which most businesses have not previously sought insurance coverage is the threat of a data breach.

However, data breaches have been growing in number, and they now affect far more types of businesses than the large and well-known technology companies usually mentioned in the press. Indeed, we are now in an era where virtually every organization must face the real threat of a data breach, and many have begun to seek insurance for this risk.

In response to the increasing demand for cyber insurance, various insurance companies have introduced policies to respond to losses arising from a data breach. Although no two policy forms are identical, the two most common types of cyber insurance are first- and third-party coverage.

First-party cyber insurance typically covers the cost of restoring the insured’s computer systems and may compensate the insured for revenue lost by an interruption to network systems caused by a data breach.

Third-party coverage generally covers defense expenses and indemnification for claims against the insured company brought by third parties affected by the data breach, and certain response expenses, e.g., notifying the affected parties, investigating the cause of the data breach and responding to governmental investigations.

Regardless of the policy form or the policy language, one thing remains true — the demand for cyber insurance is increasing, and it will continue to grow as insureds, particularly middle-market and smaller companies, come to the realization that data breaches pose a significant risk to not only large technology companies, but also to all business organizations.

So far this year, there have been over 370 reported data breaches in which private records were stolen or disclosed. These types of attacks, in which confidential and personal data entrusted to a company is subsequently stolen and publicly disclosed, have become increasingly common over the last decade.

While virtually everyone has heard about the data breaches occurring at companies such as PayPal Inc., Yahoo! Inc., LinkedIn Corp., Sony Entertainment Network and Inc., the true magnitude of this threat goes far beyond these well-known incidents.

In 2011 alone, there were over 174 million records breached.[1] Since 2005, there have been over 3,000 reported data breaches exposing over 562 million records. These records often contained personal and account information, credit card and bank account numbers and, in some instances, even U.S. Social Security numbers and medical records.

Just this past July, Yahoo! suffered one of the largest data breaches of the year. Using a well-known attack technique called SQL injection, in which attacker-supplied input is interpreted as part of a database query, a group of hackers extracted the information of over 400,000 users, including e-mail addresses and passwords.

While significant media focus is placed on the data breaches suffered by large corporations like Yahoo, for every “big name” breach, there have been hundreds of smaller institutions and businesses affected. These smaller breaches that do not generate the same level of media attention as a breach at Yahoo or PayPal actually account for nearly half of all data breaches occurring since 2005.[2]

The impact of these innumerable breaches is even more dramatic when one considers that the average cost to these companies for each record breached was $194 in 2011.[3] On an organizational level, it has cost companies an average of $5.5 million to respond to a data breach.[4]

While larger companies may have the resources and capability to remediate a data breach, a breach may still result in a large economic setback. This is even more the case for smaller organizations.

Potential Liability Arising out of a Data Breach

When evaluating the impact and the potential costs and liability an organization may face as a result of a data breach, a number of factors must be considered.

One of the main factors to be considered is the content of the information breached. Most lawsuits filed against companies that have merely exposed usernames and passwords rely in part on state consumer/personal privacy statutes and more heavily on common law causes of action such as negligence, breach of contract, breach of implied contract and negligence per se. See e.g., Szpyrka v. Linkedin Corp.[5], Stratfor Enterprises LLC v. Sterling[6] and Habashy v. Inc. d/b/a[7]

On the other hand, companies whose records contained an individual’s medical information, Social Security numbers and credit card numbers are faced with numerous allegations based on federal and state statutes specifically tailored to address these issues.

Prevention and Mitigation

Most data breaches are the result of malicious attacks carried out by hackers directly or through malicious software.

One of the biggest challenges in attempting to mitigate the damage caused by a breach is that in 85 percent of all cases it takes weeks or more for the breach to be discovered. Hackers often use the time before discovery to download entire databases and to probe the affected servers for further vulnerabilities.

The individuals carrying out the attacks normally select their targets on the basis of opportunity rather than deliberate choice.[8] This is one of the reasons why 96 percent of all breaches in 2011-2012 were not considered highly difficult.

These breaches occurred because the opportunity presented itself to hackers. The majority of these breaches were avoidable by implementing simple and inexpensive preventive measures.

Businesses should consider taking the following simple steps to protect their data and to reduce the consequences if a breach were to occur:

  1. Document where the data is stored and how it is accessed.
  2. Identify the level of protection the data needs.
  3. Secure the company’s data.
  4. Create a disaster plan.
  5. Know what to do if a data breach occurs.
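As an added illustration of the attack technique named above (SQL injection) and of the kind of simple, inexpensive preventive measure the article has in mind, the following Python example is not code from the article or from any company it mentions. It builds an in-memory SQLite table with constructed sample rows, then runs the same two attacker inputs against a query assembled by string concatenation and against the parameterized replacement. The table layout, function names and payloads are assumptions chosen for illustration.

```python
"""Added example (not from the article): SQL injection against a
string-concatenated lookup, beside the parameterized form that blocks it.
Runs offline against an in-memory SQLite database with constructed rows."""
import sqlite3

# Constructed sample data: hypothetical user records, not real accounts.
SAMPLE_USERS = [
    ("alice@example.com", "hash-1"),
    ("bob@example.com", "hash-2"),
    ("carol@example.com", "hash-3"),
]

# Constructed payload 1: closes the string literal and appends an
# always-true condition, so every row in the table matches.
DUMP_ALL = "x' OR '1'='1"

# Constructed payload 2: a UNION query against SQLite's catalog table,
# the kind of probe an attacker uses to discover what else the database holds.
# The trailing "--" comments out the closing quote the application appends.
SCHEMA_PROBE = "x' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"


def make_db():
    """Create the hypothetical users table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the caller's input is spliced into the SQL text itself."""
    sql = "SELECT email, password_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: the value is bound to a placeholder, never parsed as SQL."""
    return conn.execute(
        "SELECT email, password_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both payloads through both lookups and summarize what leaked."""
    conn = make_db()
    return {
        # Every row comes back through the concatenated query.
        "vulnerable_rows": len(lookup_vulnerable(conn, DUMP_ALL)),
        # The same input, bound as a value, matches no e-mail address.
        "safe_rows": len(lookup_safe(conn, DUMP_ALL)),
        # The UNION probe reveals table names through the vulnerable path...
        "tables_leaked": [row[0] for row in lookup_vulnerable(conn, SCHEMA_PROBE)],
        # ...and nothing at all through the parameterized one.
        "safe_probe_rows": len(lookup_safe(conn, SCHEMA_PROBE)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix costs nothing beyond using the database driver's placeholder binding, which is why this class of breach falls into the "not highly difficult" and "avoidable" categories the article cites. The same principle applies to every place user input reaches a query, including search fields and sort parameters, not only login forms.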

With the increased number and severity of cyber threats, every organization should undertake all reasonable efforts to prevent having systems that are vulnerable to cyber attacks. A further layer of risk management for this type of exposure is to purchase cyber insurance.

--By Thomas B. Caswell and Hernán N. Cipriotti, Zelle Hofmann Voelbel & Mason LLP

Thomas Caswell is a partner in Zelle Hofmann's Minneapolis office. Hernán Cipriotti is a summer associate with the firm.

The opinions expressed are those of the authors and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] "2012 Data Breach Investigations Report." Verizon, 2012, p. 3. Retrieved 30 Jul. 2012.

[2] "Chronology of Data Breaches." Privacy Rights Clearinghouse. Retrieved 17 Jul. 2012.

[3] "2011 Cost of Data Breach Study: United States." Ponemon Institute LLC, sponsored by Symantec, Mar. 2012, pp. 5-6. Retrieved 7 Jul. 2012.

[4] Id.

[5] Szpyrka v. Linkedin Corporation, 2012 WL 2169325 (N.D.Cal.)

[6] Stratfor Enterprises, LLC v. Sterling, 2012 WL 1645156 (W.D.Tex.)

[7] Habashy v. Inc. d/b/a, 2012 WL 299996 (D.Mass.)

[8] "2012 Data Breach Investigations Report." Verizon, 2012, p. 3. Retrieved 30 Jul. 2012.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Zelle LLP | Attorney Advertising
