Hackers have found a new niche as society is transitioning from a paper world to a digital age. Personal identification information has become the new currency for the hacking black market. In the wake of the largest data hack in our nation’s history, cyber hackers are emerging as a real threat to cyber security, deploying new methods to eviscerate the safety, security, and simplicity of electronic data storage and transfers around the globe. Businesses that store company and customer information in a digital format are now on notice of the threat and at risk of cyber liability.
Simply putting up a firewall will no longer “hack” it. If the Department of Homeland Security’s defenses can be breached, so too can your business’s. Hackers have become more than proficient at bypassing a myriad of security measures put in place to protect sensitive information. In order to be prepared for a cyber-attack and its aftermath, many businesses, from sole proprietorships to vast corporations, are beginning to purchase cyber liability insurance. What started in the ‘90s as a blip on the radar has now gained prominence, with many companies coming onboard in the last two years.
Policies commonly begin as off-the-shelf general coverage insurance. The policy may only cover first-party losses, third-party losses, or both. Not unlike automobile insurance and health insurance, cyber liability insurance is available at various rates with various forms of coverage, from a nearly comprehensive policy to an exclusion-riddled one. Many cyber liability insurance companies will want to learn of and evaluate a company’s existing risk management policy. Generally, the presence of a strong and secure existing plan will lessen the cost of cyber liability insurance. However, where a company has large amounts of highly sensitive data stored electronically, costs will be higher.
Types of Coverage and Potential Liabilities
As with most trades, insurance companies are in business to make a profit. Cyber liability insurance policies, like any other type of insurance policy, contain limitations and generally are not drafted with every possible occurrence accounted for. It is essential that these limitations are understood, as negotiations can often expand coverage and/or narrow exceptions with little to no additional cost. Because the market for this type of insurance is only now becoming popularized, there are many different coverage options available with various cyber liability insurance companies. Securing legal representation is important to ensure your worries and needs are addressed with the appropriate legalese.
Generally, cyber liability insurance can be broken down into two categories – first- and third-party coverage. First-party coverage can protect the policy holder for losses in data, privacy notification expenses (the costs associated with notifying clients and customers of a breach), crisis management expenses (the costs of paying experts to investigate and fix the problem that led to the breach, and possibly the costs involved in hiring a public relations consultant), extortion expenses (the costs of investigations and ransoms to regain access to withheld data), losses in business, and the theft of money.
Third-party coverage can protect against losses to others, such as a client or customer, and can cover lawsuits brought by third parties as the result of a cyber attack. Lawsuits by third parties can be based on the following types of injury: conduit (additional damage to a client’s computer system caused by a network security failure); reputational (damages resulting from an attorney’s use of social media); disclosure (damages resulting from unauthorized access to or dissemination of client information); and content (damages resulting from intellectual property or copyright infringement). A blanket first- or third-party coverage policy may not include all the aforementioned types of coverage, thus a comprehensive knowledge of the policy and what actually is covered is essential.
Still, There Are Additional Areas of Coverage Concern
With the advent of new technology, work need not be done at the workplace. Many jobs allow employees to work while traveling or from home on a personal laptop or cellphone, many of which are unencrypted devices. Damages that result from lost or stolen unencrypted devices may not be expressly covered or may be expressly excluded from coverage. If your company routinely does business in this manner, coverage for unencrypted devices may be a useful addendum to a cyber liability insurance agreement.
As the level and severity of cyber attacks have increased throughout the United States, so too have the federal and state governments’ responses. Regulatory actions are being implemented on various levels to protect the interests and security rights of third parties. This means that a company that has already been the victim of a cyber attack may also face regulatory actions and investigations on top of losses sustained from the attack.
Other areas that may create gaps in coverage are information stolen while in the custody of third parties and payment card industry liabilities. As is plain to see, purchasing cyber liability insurance is complicated and the devil is in the details.
First Comes the Cyber Attack, Then Comes the Litigation
Privacy violation lawsuits filed against Apple, HTC, Google, CVS Caremark Corporation, Samsung, Facebook, Amazon, Michaels Stores, UCLA Health System, Comscore, and Royal Bank of Canada mark a few of the cyber attacks that have led to legal liability. These lawsuits generally come in the form of class actions due to the macro-level privacy breach. The courts, as of now, are reluctant to find standing for the unintentional dissemination of personal identification information without some damage coming from the breach of privacy.
However, while the courts are reluctant to find standing without injury, fines for failure or delay in reporting a breach can be, and have been, assessed on a company by the states. Health Net failed to timely disclose a data breach in 2009 and was fined $375,000 by the state of Arizona alone. In a move towards a liberal approach, a United States District Court Judge for the District of Wisconsin found plaintiffs with no present injury to have standing and allowed a suit to move forward. Target, the victim of the data breach, has agreed to a $10,000,000 settlement fund.
With the digital age upon us, safeguards must be put in place to protect customers, clients, and companies from financial losses, hefty fines, burdensome legal fees, and costly court judgments that arise from cyber attacks. Cyber liability insurance appears to be emerging as a viable option, if not a necessity, to combat these growing concerns.