*This is the first post in a five-part series on cyber insurance, culminating in a webinar entitled “Insurance Coverage for Privacy and Data Breaches: Hot Topics and Critical Issues” on Wednesday, April 22, 2015, at 12:00-1:00 p.m. Eastern.
One of the most common questions we hear from CEOs, CFOs and Directors of businesses and public and private institutions is “Do I really need cyber insurance?” Our answer is always an emphatic “Yes,” whether it is a stand-alone cyber insurance policy or a cyber security rider with a fidelity bond.
Every organization runs on information. While some organizations may not seem information-oriented, they still have employee information, customer information, and their own proprietary information and trade secrets. And, they do lots of things with their information. They collect it. Store it. Use it. Share it. Mine it. Post it to a Cloud. And, dispose of it. More often than they like, information is lost or stolen, whether through a data breach through an internet connection, employee theft, or a simple mistake. There is a patchwork of 47 state laws and regulations, and numerous federal and international laws and regulations, that if applicable impose notification, disclosure, and other obligations on organizations as a result of a data breach. Data breaches also often result in regulatory investigations and lawsuits, which can result in serious financial and reputational consequences.
Why buy cyber insurance? A recent FINRA Report on Cyber Security Practices, discussed three broad reasons why to buy cyber insurance to protect your organization in the event of a data breach, including:
- to transfer potential unmitigated risks that are above your risk appetite;
- to obtain coverage for gaps that may not be covered in existing insurance policies; and
- to reduce the risk of a significant financial loss that could materially affect your financial condition.
What could my organization be liable for as a result of a breach? Many very smart organization leaders have been misled into believing that consumer class action lawsuits are the only risk that they face in the aftermath of a data breach, and that those cases are being summarily dismissed so they don’t need to buy cyber insurance. One case I often turn to in response involves the DSW data breach incident. In Retail Ventures v. National Union, a hacker used one store’s local wireless network to download credit card and checking accounting information on more than 1.4 million customers at 108 DSW stores. DSW suffered over $5.3 million in economic damages, not including interest. The damages were for notifying the customers of the data breach; public relations; investigating and defending customer claims and lawsuits; attorneys’ fees from responding to investigations initiated by seven State Attorneys General and the Federal Trade Commission (DSW entered into a FTC administrative consent decree that included initiating a robust security program); and losses of more than $4 million from charge backs, card reissuance, account monitoring, and fines imposed by VISA/MasterCard. While many (but not all) consumer class action lawsuits have been dismissed, the costs to defend those cases can be very expensive. These costs do not include damages resulting from diminished sales or the costs to defend against regulatory investigations. For example, Target just settled a customer class action lawsuit for $10 million (not including a little over $6 million for plaintiffs’ attorneys’ fees), but Target spent over $252 million to respond to the data breach incident through February 25, 2015, according to its recent 8-K filing. Finally, the Ponenom Institute’s 2014 Cost of Data Breach Study, which looked at data breaches involving less than 100,000 records in the United States, found that the average cost paid by organizations per data breach incident was $5.9 million.
Financial institutions have filed their own class action lawsuits as a result of data breaches. For example, in Greater Chautauqua Federal Credit Union v. Kmart Corporation, Case No. 15-cv-2228 (N.D. Ill. 3/13/2015), the financial institutions claim data breach damages from canceling or reissuing credit and debit cards affected by the Kmart data breach; stopping payments or blocking transactions for affected accounts; reopening affected accounts; refunding or crediting cardholders for unauthorized transactions; responding to a higher volume of customer complaints, confusion, and concern; increased fraud monitoring efforts; and lost revenue in card usage after public disclosure of the breach. Lawsuits by financial institutions are more likely to withstand motions to dismiss compared to consumer class action lawsuits.
You may not be able to recover benefits for a data breach incident from your standard commercial general liability policy. The standard commercial general liability policies that most businesses and public and private institutions rely on are increasingly being interpreted by the courts to not cover data breach claims and the resulting damages. Insurers have successfully argued that these types of policies were never meant or intended to cover data breach claims for a variety of reasons, and many courts have agreed with the insurers’ arguments. For example, policyholder claims have been dismissed on the grounds that electronic data is not tangible “property” covered by the policies; the policies only cover policyholder disclosures of information and not disclosures by hackers or other third parties; and there has been no disclosure of private information where there is no evidence that any of the information at issue has been disclosed to a third-party or otherwise made public, e.g., an encrypted laptop left in a cab and lost forever or a data breach with no attendant fraudulent charges to an account. Even in those cases where a policyholder can convince a court that coverage exists for a data breach incident, it may result in a costly and time-consuming battle with a well-funded insurance company.
To end any doubt as to coverage, insurers have begun issuing a new and very broad privacy and data breach-related policy exclusion. The Insurance Services Office issued a new exclusion to commercial general liability policies that is specifically intended to exclude data breach-related claims. The new exclusion eliminates coverage for “damages arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information, or any other type of non-public information; or the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” It also eliminates coverage for damages from “notification costs, credit monitoring expenses, or any other loss, cost, or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.” The term “electronic data” is defined broadly. The new exclusion is meant to close the door on policyholders being able to recover damages resulting from data breaches under standard commercial general liability insurance policies.
In summary, because of the high costs that can result from a data breach and the uncertainty whether those costs can be recovered as damages under standard insurance policies, we recommend that businesses and public and private institutions purchase cyber insurance.
Look for our next post: Cyber Insurance: Why Can’t I Just Rely on My Agent for the Best Policy at the Lowest Cost?