“Either you have been data breached or you just do not know that you have been data breached”. IT security professionals’ adage.

Cyber Insurance, a/k/a Data Breach Insurance, a/k/a Privacy & Security Insurance, is a stand-alone policy that covers:

First Party Losses – those suffered by your firm due to a data breach.
Third Party Losses – those suffered by others due to your firm’s data breach.

A unique aspect of cyber insurance is that it covers both first and third party risks.

Cyber Insurance: First Party Coverage to Manage, Investigate and Repair a Breach

A. Direct first-party costs of responding to a security failure or privacy breach:

  • forensic investigation to determine the scope of a breach;
  • notification of, and credit monitoring services for, affected clients, employees, etc.;
  • legal, public relations and/or crisis management services to restore the company’s reputation;
  • possibly regulatory fines or penalties incurred because of a data breach;
  • possibly the costs to repair/recover lost or damaged data.

B. Other first-party damages:

  • Business income: loss when business operations are interrupted or suspended as a result of a security breach, including extra expenses incurred to temporarily resume operations.
  • Extortion: threats made against a company’s computer network and confidential information by an outsider attempting to extort money or other valuables. Coverage includes monies paid to end the threat and the cost of an investigation to determine its cause.

A survey of risk managers revealed that the main reasons to buy cyber insurance are to have coverage for:

  • Reputational harm (79 percent)
  • Business interruption (78 percent)
  • Data breach response and notification (73 percent)

Cyber Insurance: Third Party Coverage for Your Firm’s Liability for Others’ Damages:

A. Privacy Liability
Covers liability, including payment of damages and defense costs arising out of:

  • liability arising out of a company’s failure to protect personally identifiable or confidential corporate information in its care, custody or control, or by others on its behalf.
  • regulatory proceedings brought by a government agency alleging the violation of any state, federal, local or foreign privacy legislation.

B. Network Security Liability
Covers liability, including payment of damages and defense costs arising out of:

  • the failure of a company’s network security to prevent computer attacks, including unauthorized access or unauthorized use of corporate systems resulting in deletion, corruption or theft of data;
  • a “denial of service” attack, which makes a network unavailable to its intended users; and
  • the failure to prevent transmission of malicious code to another party’s computer system, and subsequent damages from the theft, destruction, or denial of access to that data.

C. Regulatory actions in connection with a security failure, privacy breach, or the failure to disclose a security failure or privacy breach.

D. Media Liability

  • Liability faced by companies for content published online (including on their website), that results in a claim for copyright infringement, trademark infringement, defamation, and invasion of privacy.

Some notes:

1. Your firm doesn’t have to buy all of the above coverages. Some firms buy just direct first party coverage, i.e., breach investigation and notification, plus privacy liability coverage.

The best approach is to have your broker obtain proposals for different combinations of coverages, and then compare the cost vs. the features.

2. Privacy liability coverage covers loss of a specific type of data – personally identifiable or confidential corporate information – regardless of what caused the loss (subject to certain exclusions), while network security liability coverage covers theft or loss of any kind of data, but due only to specific cause, i.e., the failure of a company’s network security.

3. Cyber insurance is “claims-made”, just like legal malpractice insurance, which means any data breach or other covered incident must occur and be reported by you to the insurer during the policy period.

It also means that your policy won’t automatically cover a data breach that occurred before your firm bought its first cyber policy. So make sure your broker requests this coverage – retroactive or Prior Acts coverage – because a breach may occur a long time before it becomes apparent, without the firm knowing about it.

In other words, if your firm buys a policy without retroactive coverage, a breach occurs during the policy period, and forensic investigation reveals that the breach occurred before the policy period, the insurer can refuse to cover the claim.

One year of retroactive coverage is likely sufficient, but your broker should ask if the insurer will offer two years. Retroactive coverage will increase the premium, but unless your firm’s computer network has been tested for a breach and found to be “clean”, the firm should seek a cyber policy that has retroactive coverage.

4. Most insurers have a network of forensic investigators, public relations firms, law firms, and other experts who will assist your firm if it has a claim.

Most insurers provide a point of contact who will handle everything from the moment the insurer has agreed to handle the claim.

Cyber Insurance Claim Scenarios:

These scenarios are covered by cyber insurance:

  • A firm employee takes work home with information stored on a laptop computer. The laptop is stolen from the backseat of the employee’s car while the driver is in a restaurant. Cyber insurance covers the theft of data stored on a laptop and the cost of restoring that data.
  • A firm employee opens their Facebook account on their desktop computer at work and a virus or other malware infects the company computer network, causing a system slowdown that affects access to network systems. The costs of detecting and eliminating that virus can be covered by cyber insurance.
  • Client files stored in the cloud are stolen. The firm not only has the lost data to deal with, but is also in breach of client confidences. Forensic experts cannot determine whether the information has been hijacked during transmission to the cloud or from the cloud servers themselves. Either way, off-site data hosting can be covered by the firm’s cyber insurance policy.

Cyber Insurance Cost

As of mid-2016; subject to rapid change:

Large firms: $40,000 – $75,000 for a $5M to $10M limit policy.

Smaller firms: $3,500 – $7,500 for a $1M to $3M limit policy.

Small firms: $750 – $1,500 for a $500K limit policy.

Cyber Insurance – The Cost of Not Having It

Law firms that don’t have a Privacy & Security insurance policy and suffer a data breach will need to:

1. Get Help

Identify and engage a qualified attorney who will help navigate the breach notification requirements in states where potential victims reside.

Identify and engage forensic specialists to determine what information was lost.

If you have one, follow your breach response plan.

2. Report

Notify the proper governmental agencies (State Attorney General, Department of Health and Human Services, Federal Trade Commission, Department of Commerce, FBI, etc.).

Notify the potential victims and identify what information was lost and what you are doing about it.

3. Pay Up

Pay for credit monitoring and identity rehabilitation services if necessary.

Pay public relations firms to rehabilitate your image and bring back customers.

Defend yourself from governmental investigations, fines, penalties and restitution funds.

4. Wait

Hope that the records do not end up in the hands of people who will do harm to the victims.

Hope that you have handled the breach in a way that will not result in a lawsuit.

Data Breach Coverage Under Other Policies:

Standard property, general liability and crime policies will not cover damage to or loss of intangible assets such as data and systems.

Business Owners Policy

Many small firms have this type of policy, which generally combines Property, General Liability and Workers Compensation insurance.

Property insurance covers only tangible assets, such as computing equipment and office furniture. Since data can’t be touched or felt, it isn’t tangible, and won’t be covered by a property policy.

Some insurers offer an endorsement that covers only third-party claims. It will likely cover legally mandated notification costs and attorney’s fees after a breach has occurred, but not the first party expenses the firm will likely incur, i.e., data restoration by IT experts, lost revenue from business interruption during and after the breach, and crisis management services to protect and rebuild the business’s damaged reputation.

Moreover, the typical endorsement has a limit of $50,000 to $100,000. But if a cyber liability claim is made, defense costs and fees can quickly exceed those limits, as can notification costs to individuals whose data has been compromised, which generally run $50 – $150 per record, i.e., enough for only about 700 – 2,000 people.

Non-BOP CPP: If you have an all-risk policy that treats data as physical property, then you do have coverage, for example, if your servers malfunction or their storage facility is flooded, as long as you don’t have an applicable exclusion.

Comprehensive General Liability

CGL policies cover loss to “tangible” property, which may trigger coverage for a data breach that harms a third-party in certain instances.

A data breach may also be covered under the “personal injury” coverage section of the policy, if the breached data is published, as in the Ashley Madison hack, and the policy’s insuring agreement obligates the insurer to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’” which is defined to include the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

However, nearly all insurers will argue that coverage for a data breach is beyond the scope of the CGL policy, and will likely deny coverage for any claim and then litigate the coverage issue. This means that the firm will have to pay all damages owed to third parties and the cost to litigate the coverage issue.

It will likely be cheaper to simply buy cyber insurance.

Legal Malpractice Insurance

Your firm’s Lawyers’ Professional Liability policy will cover a legal malpractice claim against your firm that arises out of a data breach your firm incurs that harms your clients, just as it would cover a non-electronic loss of client documents.

However, the policy doesn’t cover public relations costs, business income (reputational risk or lost opportunity costs) or the cost to recreate/rebuild data and programs. Also, it may not provide coverage if the data was handled by a third-party IT provider rather than by the firm directly.