PERSPECTIVES: Don't bank on a general liability policy for protection after a cyber attack
As the cyber market continues to grow, the range of insurance options is expected to expand. Now is a good time to move beyond any reliance on a general liability policy for a data breach and look into a cyber insurance product suitable for your business, according to Timothy D. Kevane, special counsel for law firm Sedgwick L.L.P.
Chances are that before December 2013, no one at Target Corp. had ever heard of “Kaptoxa,” Russian slang for potato, now infamously known for being associated with RAM-scraping malware unleashed by cyber thieves to steal customers’ credit and debit card information. But once the damage was done, these wily bandits had scooped up data on 40 million customers from the magnetic strips swiped at the retailer’s point-of-sale terminals, along with the phone and address information of another 70 million customers.
Multiple class action lawsuits have been filed in addition to claims by financial institutions, whose losses could approach $20 billion. The Kaptoxa malware may also have been used to exploit point-of-sale systems at Neiman Marcus, Michaels Stores Inc. and others. While the Target breach does not set the record for the largest data theft — hackers lifted 130 million records maintained by Heartland Payment Systems Inc. in 2009, and the TJ Maxx incident holds the retail record with the theft of 90 million records in 2005 — it brings to mind the FBI’s opinion about two groups of companies: those who have suffered a data breach and those who will.
Yet aside from certain security measures that companies have put in place, cyber liability insurance has yet to become a priority for most businesses. That’s a mistake.
Part of the problem is rooted in perceptions concerning the extent of coverage under a standard general liability policy. These policies typically consist of two parts, the first providing coverage for bodily injury and property damage, and the second providing coverage for personal and advertising injury. Third-party claims arising from data breach incidents do not usually seek recovery for bodily injury. As to property damage, there may be situations where the insured unwittingly transmits malware to a third party, damaging its hardware or data, which an insured may claim is “physical” in nature for purposes of property damage coverage.
In Target’s case, a shareholder derivative action against its directors and officers arising from a falling stock price may also implicate its D&O policy. But these limited scenarios won’t offer much consolation to a company that suffers a consumer data breach. Indeed, for several years now, as the result of litigation in the early 2000s, the standard liability policy has excluded electronic data from the property damage coverage. So the principal concern of managing the risk of exposure to customers whose sensitive information is stolen remains.
Most data breach claims will allege some form of negligence and violations of consumer protection laws, which allowed access to customer records, causing an invasion of privacy. The personal and advertising injury coverage in a general liability policy extends to claims for injury arising out of the written or oral publication in any manner of material that violates a person’s right of privacy. Thus, in such circumstances a business might argue that claims arising from a cyber-event would be covered under the policy because of the invasion of privacy. A recent case in New York, however, has exposed the flaw in this argument and should serve to caution companies against relying exclusively on such a policy for cybercrime coverage.
In April 2011, hackers accessed an online gaming and entertainment network operated by Sony Corp., enabling them to retrieve personal identification and financial information for millions of customers. The ensuing insurance case in New York, Zurich v. Sony, sought a determination of coverage for the customers’ claims. In a February 2014 decision, the court held that the publication of the material must have been committed by the insured, not a third party such as the hackers, and that the customers’ claims were therefore not covered by Sony’s general liability policy. The court rejected the notion that the phrase “in any manner” referred to publication by others, as it only described how the publication was made, e.g., by email, facsimile or other media. The court seemed to view any other interpretation as an unwarranted expansion of the insurer’s liability.
One might wonder, then — to the extent the Sony decision is correct — why the insurance industry is close to formalizing endorsements to the standard liability policy that will specifically exclude personal and advertising injury coverage for data breaches. Policyholders might cite this as incriminating evidence that, absent that exclusion, there is coverage for data intrusions by third parties. But that logic is based on the mistaken premise that coverage existed to begin with, which the Sony decision negates. That won’t stop some insureds from making claims, resulting in substantial litigation costs. Thus, the exclusion should assist in ending these lawsuits.
More importantly, continuing to debate the merits of the Sony case, which is on appeal, and advancing theories that the new data breach exclusions symbolize some kind of admission misses the forest for the trees. The New York Times recently reported that since 2005, there have been over 4,000 breaches exposing more than 650 million records of personal information. Thus, prudent risk management by virtually any company whose transactions involve the handling of their customers’ personal and/or financial information warrants the addition of a cyber risk product to the company’s insurance portfolio.
Cyber liability policies can play a vital role in responding to a cyber attack, and are designed to specifically address incidents like the Sony data breach. While five or 10 years ago the market attracted mostly large organizations such as financial institutions, health care and national retailers, in the past few years an increasing number of middle market companies have purchased cyber insurance. Indeed, a 2011 Verizon Communications Inc. report found that the majority of cyber attacks in 2010 were against businesses with fewer than 100 employees. For publicly traded companies, in 2011, the U.S. Securities and Exchange Commission’s Division of Corporation Finance issued guidance on cyber security disclosures concerning not just risks and incidents, but a description of pertinent insurance coverage.
Information and communications technology insurance has actually been around since the late 1970s, and in the 1980s at least one carrier offered cyber security insurance to banks and blue chip companies. But that product was driven by then-existing technology, which would seem like the dark ages compared with today’s systems and the crimes they attract. Current cyber policies are, comparatively speaking, a relatively new insurance product with still-evolving terms, offered by about two dozen insurers. Premiums for a $1 million cyber policy may range from $10,000 to $35,000, although that limit is below the average cover.
A cyber policy will extend coverage for lawsuits arising from the disclosure of personally identifiable information, which is generally a person’s name along with their Social Security number, a driver’s license number, PIN, financial account information, credit/debit card data or health information. Coverage is also available for data breaches that involve a third party’s sensitive customer information, financial data or market information; and for cyber attacks that infect the insured’s systems with malware, which is then accidentally transmitted to third parties.
Coverage may include defense expenses incurred in these types of lawsuits and resulting judgments or settlements, subject to policy exclusions or other limitations. Also, reasonable costs associated with notification to affected customers may be covered, along with the cost of credit monitoring services offered to affected consumers. Coverage for bodily injury is excluded, although some policies may allow a carve-back for claims of mental anguish arising from a privacy breach. Just as significantly for the insured, policies may provide assistance with crisis management and public relations expenses in dealing with the potential media fallout resulting from a major cyber attack.
By now, nearly all states have customer data breach notification laws in place, and there exist a host of federal laws that may also ensnare victims of data thefts. The Federal Trade Commission has filed almost 50 lawsuits against companies whose data security was not up to acceptable standards, and just recently prevailed in a proceeding against Wyndham Worldwide Corp. for its failure to maintain reasonable and appropriate data security for its customers’ credit card account numbers, expiration dates and security codes. Coverage may be provided for the legal and technical services that become necessary to respond to government investigations, as well as responding to fines or penalties.
Underwriters will need to assess the insured’s procedures to protect its networks and data from attack, including firewalls, virus scans and control procedures for access to computer systems. The insured will need to report its loss experience concerning prior unauthorized access, malware infections, data theft and network interruptions; and prior claims regarding disclosure of personal information or third-party computer damage claims.
As the cyber market continues to grow, the range of options available to prospective insureds will expand. In the current environment, with general liability coverage for cyber events under a cloud of uncertainty, and increasingly sophisticated cyber malfeasance, it is a good time to move beyond any reliance on a general liability policy for a data breach and look into a cyber insurance product suitable for your business.
Timothy D. Kevane is special counsel for law firm Sedgwick L.L.P. in New York. He can be reached at (212) 898-4008 or timothy.kevane@sedgwicklaw.