Cyber Risk Insurance May Cost More Than You Think

by Zelle LLP

Insurance Law360 - May 8, 2013

Since 2003, all but four states have enacted laws concerning data breaches and the protection of consumers’ personal information. This regulation of electronic data containing personal information and the protection of such information are not without reason.

Every year, hundreds of cyberattacks and inadvertent disclosures result in the exposure of millions of records containing some sort of personal information.[1] In response to these recurring cyber exposures, states have enacted two types of legislation.

First, the majority of states have put in place requirements and steps that a company or organization must follow in the event of a data breach or other disclosure. These generally include consumer notification requirements and a prescribed manner and method of notification. These statutes are most often enforced by the attorney general of the state, and in some states, the law authorizes private rights of action for a company’s failure to comply with the notification requirements.

The second type of legislation mimics the Federal Trade Commission’s Safeguards Rule. Legislation of this type requires companies and organizations to implement a safeguard plan concerning the protection of customer personal information. Generally, these rules are enforced by the states’ attorneys general. Failure of an entity to comply with the safeguard plan often results in claims of deceptive and/or unfair trade practices under the applicable law.

Depending on the type of entity or area of business, an organization may have to consider multiple other federal and state laws that regulate the storage of personal information and exposure to security breaches. These include but are not limited to:

  • U.S. Securities and Exchange Commission Requirements
  • The Privacy Act (5 U.S.C. § 552a)
  • Health Insurance Portability and Accountability Act of 1996
  • Fair Credit Reporting Act and Fair and Accurate Credit Transactions Act (15 U.S.C. §§ 1681-1681x)

With companies and individuals steadily moving toward digital storage, the risk of exposure to cyber-related losses will only grow. This type of risk has shifted from being industry-specific to a threat that all businesses, regardless of size, should be aware of. Insurance companies have responded to these new types of exposures by underwriting cyberliability and cyber-loss policies or provisions. As a result, insurance coverage for cyber risk is now more widely available.

Nonetheless, the diversity and complexity of the laws protecting digitally stored personal information indicate that both the insurer and insured should consider reviewing their existing protections and policies. The potential expense that could be occasioned by the notification requirements of these laws must be taken into consideration by insurers and insureds alike.

An insurer undertaking a broad form of coverage may not be aware of the full breadth of costs it may be indemnifying. Conversely, an insured who acquires a cyber policy that is more narrowly written may not have the protection it meant to acquire.

Data Breach Notification Laws and Their Requirements

Virtually anyone who possesses personal information of others may be exposed to liability in the event a data breach occurs that results in the loss of such personal information. A “data breach” is often characterized as an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”[2]

And, other than a few outliers, personal information is most often defined to be a person’s first name and/or first initial and last name in combination with any one or more of the following:

  • Social Security number
  • Driver’s license number or state identification card number
  • Credit or debit card number or bank account information
  • Passwords, security codes, PINs and login information
  • Unique biometric data, including the individual’s fingerprint, voice print and retina or iris image

A recent decision by the California Supreme Court has made California one of these outliers. In Pineda v. Williams-Sonoma Stores Inc.,[3] the court found that ZIP codes constituted personal information under California law. Given that California’s statute supports private rights of action, this has opened the door to multiple class actions that were previously denied under the statute. The expansion of liability under the California statute may be replicated in other states.

Organizations affected by a data breach are required to provide notice to each affected individual. This notice can be written, telephonic or electronic, and, if certain conditions are met (related to total cost or total number of notices required), a substitute general notice may be issued. Failure to notify the affected individuals or third parties will most likely result in a fine and, depending on the jurisdiction, in private suits. These fines can be significant:

  • Texas: $100 (per person) to whom notification is due per day, not to exceed $250,000 per breach.[4]
  • Michigan: $250 per failure to notify capped at $750,000.[5]
  • Virginia: Attorney general may impose a civil penalty not to exceed $150,000 per breach.[6]
  • Utah: no more than $2,500 for a violation or series of violations concerning a specific consumer; no more than $100,000 in the aggregate for related violations concerning more than one consumer.[7]

Even if the notification requirements are met, assessing the breach, determining the affected parties, notifying those parties and providing remedial measures can be extremely expensive. Merely determining which laws apply is likely to result in substantial legal bills.

For these reasons, businesses are increasingly seeking insurance coverage for cyber exposure. While the cost of notification will vary depending on the size of the breach, both the insurer and insured must take into consideration that the potential monetary loss for only the notification aspect of a data breach can be significant.

Cyberliability Insurance

The type of loss that could arise in the event of a data breach that exposes personal information is rarely covered under traditional insurance forms. Insurers have developed specialty provisions that directly address cyberliability and cyber-related losses. The general language of provisions providing coverage for notification-related costs may appear as follows:

  • Security Failure Notification Loss: "We will reimburse those reasonable and necessary legal expenses, public relations expenses, postage expenses, and related advertising expenses approved by Us and incurred by You in order to comply with state or federal privacy legislation mandating customer notification in the event of a Network Operations Security Failure that results in the compromise or potential compromise of Personal Information maintained or otherwise residing on Your Computer System. The Network Operations Security Failure must occur during the Policy Period."
  • Security Breach Remediation and Notification Expenses: "The Company will pay the Insured Organization for Security Breach Notification Expenses incurred by the Insured Organization within 12 months of, and as a result of, any Network and Information Security Wrongful Act."

Insurers should be aware of the practical and monetary implications of this line of coverage. A study conducted by NetDiligence looks at the average insurance payouts in cyber-related claims. In 2012, the average cost per breach (as paid by the insurer) was $3.7 million. The average cost per record was $3.94. These numbers include legal and crisis service costs, both often covered under the provisions providing coverage for notification-related costs.

Notification costs averaged $180,000 per breach or exposure, and the total average cost for crisis services, including notification, rose to $983,000.[8] One of the breaches was reported as costing as much as $2.5 million in crisis services only.[9] These numbers are significant. It is important for insurers to take this into account and to ensure that specialty coverages clearly delineate the corresponding limits and sublimits.

Lastly, it is important to consider that this area of coverage is still in its infancy, and estimating exposure to possible losses is highly difficult. This new area of coverage poses difficulties and unforeseen risks not only to insurers but also to insureds.

The numbers presented above, while significant, do not fully illustrate the scope of losses that a business (insured) could face following a data breach that exposes personal information. A Ponemon Institute study puts the average organizational cost per record at $194 (not including legal costs). This is considerably higher than the number given above since the Ponemon study takes into consideration all costs to the organization rather than only costs covered by applicable insurance.

Similarly, the average overall notification cost per record was $19.81 versus $3.94 total cost per record covered by insurance.[10] The discrepancy between what it costs the organization and what the insurer pays out is significant.

Insureds need to take these factors into consideration when seeking coverage. Failure to do so could expose the organization to financial difficulties that could be hard to overcome without the proper coverage.

As data breaches continue and the law develops, the risks and potential losses arising out of cyber claims will become clearer. This will be reflected in new specialty provisions and in new businesses seeking this type of coverage. Demand for this type of specialty coverage will most likely continue to grow, and more insurers will be ready to enter this market.

In the meantime, both insurers and insureds should be aware of the implications of their existing insurance policies, the potential costs and losses arising out of data breaches and any changes in state or federal law.

--By Thomas B. Caswell and Hernán N. Cipriotti, Zelle Hofmann Voelbel & Mason LLP

Thomas Caswell is a partner in the firm's Minneapolis office. Hernán Cipriotti is a summer associate with the firm.

The opinions expressed are those of the author and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] A few of the most significant breaches of 2012: Global Payments (1.5 million records), Yahoo! (400 thousand passwords), Wyndham Hotels (600 thousand credit cards), eHarmony (1.5 million passwords), LinkedIn (6.5 million passwords), Zappos (24 million records), Gamigo (3 million records), and the Texas Attorney General’s Office (6.6 million records). Greisiger, M., NetDiligence, Cyber Liability & Data Breach Insurance Claims, October 2012.

[2] Tex. Bus. & Com. Code §§ 521.002, 521.053.

[3] 246 P.3d 612 (Cal. 2011).

[4] Tex. Bus. & Com. Code § 521.151 (2012).

[5] Mich. Comp. Laws § 445.72 (2012).

[6] Va. Code § 18.2-86.6 (2012).

[7] Utah Code § 13-44-301 (2012).

[8] Greisiger, M., NetDiligence, Cyber Liability & Data Breach Insurance Claims, p. 4, October 2012.

[9] Id. at 9.

[10] Ponemon Institute, 2011 Cost of Data Breach Study: United States, 2-3 (March 2012).

Hernán N. Cipriotti also contributed to the article.


© Zelle LLP | Attorney Advertising
