Top Ten Tips for Companies Buying Cyber Security Insurance Coverage
Dec 20, 2012
By Kristi Singleton, Counsel, and Scott Godes, Counsel, Dickstein Shapiro LLP
1. Buy First-Party and Third-Party Coverage
There are two general categories of risks and potential liabilities for data breaches and cyber risks: “first-party risks” and “third-party risks.” Generally speaking, first-party risks are potential costs for loss of or damage to the policyholder’s own data, or lost income or business because of a data breach or cyber attack. Potential categories of first-party losses include the following: (i) physical damage to, loss of, or loss of use of data and software only, whether caused by third-party, contractor, employee/former employee, state actor, or “cyber war” or “cyber terrorism”; (ii) corrupted, lost, stolen, or ransomed data resulting from data theft, data breach, or virus; (iii) loss of use of data as a result of software failure, network interruption, or denial of service attack; and (iv) an inability to conduct business because of loss of software, data, or network access.
2. Consider Whether Your Cyber-Security Insurance Policy Protects Information On Unencrypted Devices
Many professionals today do a substantial amount of work on computers, and much of that work is done outside of the office. Technology has advanced so that an employee can accomplish much of the same work he used to do at the office while sitting at home, or in an airport, or even reclining on a beach on a tropical vacation. And while most company-owned laptops are encrypted, many personallyowned computers and storage devices, such as flash drives, are not. There is a significant potential for data breach claims and cyber-security claims arising from the theft of loss of such unencrypted laptops or flash drives that may contain a client’s confidential and/or proprietary information. Certain cyber-security insurance policies have language that may not extend to cover such claims, or specifically excludes claims arising from the theft or loss of such devices.
3. Protect Information in the Care, Protection or Control of Third Parties
Businesses may take every security precaution possible when protecting data in the company’s own electronic systems, but sometimes companies have to put confidential information in the hands of third parties, such as vendors or consultants. Cyber-security insurance policies that do not provide protection for data breaches that occur when confidential information is in the care, protection, or control of others may create a potential gap in coverage for companies that routinely use such third-party vendors. Another way that insurers may attempt to limit their risk on claims arising from data breaches at a third-party’s place of business are to provide coverage for such breaches, but only if the sharing of confidential information is authorized by contract. As copy vendors may not require a written contract before accepting a project, consider how the coverage would apply when there is not a written contract for work.
4. Consider Data Restoration Costs In Your Coverage
Many cyber-security insurance policies on the market today may not cover costs to replace, upgrade, update, improve or maintain a computer system that was breached. Data restoration costs are potentially prohibitive, especially for any companies that may rely on access to large amounts of data in order to conduct their business or service their clients. Any company that runs the risk of a data breach should ensure that its cyber-security coverage will “make it whole” in the event of a claim by paying for, or reimbursing the company, for data recovery costs.
5. Consider Whether Your Policy Covers Regulatory Actions
A data breach may cause not only the loss of information, or the disbursement of confidential information, but also could result in various regulatory actions against the company that is the victim of such a breach. State and federal agencies have become more active in the context of data breaches, privacy, and cyber-security. Consider whether your company’s insurance policy provides coverage for a regulatory investigation or a regulatory action resulting from a cyber incident. A comprehensive cyber-security insurance policy will provide coverage for a wide range of regulatory actions by different agencies, such as the Federal Trade Commission or the Department of Health and Human Services, or Consumer Protection Act.
6. Consider Whether Injuries to a Company’s Corporate Clients Are Covered, Not Just Injuries to Natural Persons
Consider whether your company’s cyber-security insurance policy protects corporate client data, not just the private information of natural persons. Many companies have more corporate clients than individual clients. To the extent that the cyber-security insurance policy contains language restricting coverage,consider whether thepolicy provides coverage for injuries only to natural persons, rather than to corporations as well, for certain types of cyber-risks. Companies should carefully review their cyber-security policiesto determine whether all of the language in the definitions and grants of coverage include coverage for injuries to companies, corporations, partnerships, and other entities, as well as natural persons.
7. Consider Whether The Insurance Policy Covers Data Transmittals That Take Place Outside of the Company’s Offices
Some cyber-security insurance policies, like property policies, contain coverage based on occurrences that take place in a certain territory, such as the United States, or for occurrences that take place within a certain distance from the policyholder’s place of business.In light of cloud providers and other vendors that may host data and software outside of the United States, as well as the increased amounts of global travel for company employees, however, considering the geographic limitations of a cyber-security insurance policy is critical.
8. If Your Business Accepts Payment By Credit Cards, Consider Whether Your Company’s Cyber-Security Insurance Policy Provides Coverage for Payment Card Industry Liabilities
It is not an exaggeration to say that the vast majority of businesses today that sell products to the public probably accept payments by credit card. Having access to credit card information makes companies a target to hackers. If there is a data breach that is traced back to your company, your company may face liability imposed via the Payment Card Industry. The liability for such a data breach may be significant. Certain cyber-security insurance policies are marketed as providing coverage for Payment Card Industry liability, and companies would be well-advised to consider how their insurance policies would respond to such liabilities.
9. Consider Whether Your Company’s Cyber-Security Insurance Policy Provides Coverage for Identity Theft Resolution Services
Identity Theft Resolution Services protects your company if private or personal data of individuals is leaked as a result of a data breach. A good cyber-security insurance policy will cover the costs associated with notifying individuals about the breach, and provide credit monitoring expenses for the individuals whose information was leaked as well as credit counseling services, credit restoration services, and even identity theft resolution services. The optimal policy will provide such coverage even when the notification is voluntary and there is no law requiring such notification.
10. Consider Including Loss Control Services In Your Coverage
It is an old saw that insurance companies do not want their policyholders to make claims. In order to decrease the number of claims that a policyholder may make, many insurers are selling cyber-security insurance policies that pay for, reimburse the client for, or offer discounted rates oncertain loss control services. Essentially, the insurer will pay up to a certain limit to have a pre-approved loss control services company evaluate the policyholder’s electronic security measures, and make recommendations on how to improve them. Companies should be careful, however, that the coverage they purchase, and any renewals, arenot contingent upon the policyholder agreeing to perform any security upgrades recommended by the loss control services company.
Reprinted with permission from the Association of Corporate Counsel (ACC)
Additional ACC Resources
Sep 2010 InfoPAK
This InfoPAK is intended to give in-house counsel background to assist her in identifying insurance issues that may arise, ...
Jan 2012 Quick Reference
This presentation provides an overview of legislative, regulatory, and enforcement developments in cybersecurity.
Jan 2012 Quick Reference
This Article discusses (i) the growing body of regulations in the U.S. and worldwide, with a concentration on recent U.S. ...