29th November 2019
Adam Brouillet (Trenam Law)
Adam Brouillet, cybersecurity lawyer, at MSI's Florida law member firm Trenam Law discusses how cybersecurity insurance can be a key way any company can mitigate potential costs if a data security incidents occurs.
Imagine one of your company’s employees being tricked into clicking on a link in an email to trigger the complete destruction of the company’s electronic files, followed by a weeks-long forensic investigation, legal fees, bad press, regulatory investigations, and loss of business and goodwill. The total price tag? Maybe $200,000 if you’re lucky, or much more if you’re not.
Cybersecurity insurance is a key way the company can mitigate these potential costs. While technical cybersecurity measures, such as firewalls, strong passwords and multi-factor authentication, may filter out malicious emails and prevent at least some attackers from accessing company databases, they are not perfect cybersecurity protections.
If a data security incident occurs, cybersecurity insurance can cover some of the heavy costs incurred from a suspected or actual data breach. Following are some tips on the topic of commercial cybersecurity insurance.
The appropriate cybersecurity insurance policy for a company should cover the common causes and costs of a data breach. Common causes of a data breach include phishing emails, business email compromise, malware and ransomware. An ideal cybersecurity insurance policy will have language specifically providing coverage for all of these events.
As for common costs, the company should understand the potential costs to comply with any legal requirements after an actual or suspected data breach. In the United States, all fifty states, the District of Columbia, and U.S. territories Guam, Puerto Rico and the U.S. Virgin Islands have some form of a data breach notification law. These laws apply to companies that hold personal information of their customers and employees. Federal laws and regulations also may apply and generally require companies to maintain reasonable measures to safeguard personal information. Laws outside the United States, most notably the European Union’s General Data Protection Regulation, also require notifications in the event of a data breach.
If the company learns of a potential security breach that may have exposed personal information, the company must conduct a reasonable investigation. The best practice is to retain legal counsel, who then would retain a third-party forensics specialist under the attorney-client or work-product privilege. The forensic specialist would investigate the incident to determine whether there was a data breach and, if so, to what extent. This information will enable counsel to provide legal advice to the company on next steps.
The company may be required to notify those individuals whose information was or might have been accessed. The company also may be required to notify the state attorney general, law enforcement, credit card companies, consumer reporting agencies, or other parties as required by applicable law or contract. The company should implement protective measures to prevent a similar incident from happening again. The breach could lead to lawsuits by disgruntled individuals or other business clients whose information was accessed or to investigations by regulators concerning the company’s data privacy practices. These consequences are costly. Without cybersecurity insurance, the company must bear all of these costs itself.
With these general legal requirements in mind, the company should pick an insurance policy to cover the costs of compliance. Unfortunately, “traditional” commercial insurance policies (liability, property, D&O, E&O, crime, etc.) often do not cover those costs.
Companies sometimes assume they have adequate cybersecurity insurance when, in fact, they don’t.
Take the standard commercial general liability, or CGL, policy, for example. CGL policies typically cover bodily injury or accidental property damage. Data breaches do not involve bodily injury, nor are data breaches necessarily accidental; rather, they are intentional acts by the attackers, and CGL policies often exclude coverage for intentional or criminal acts.
Property damage under a CGL policy is usually damage to “tangible” property; electronic data, as “intangible” property, will not be covered by such a policy. A grocery store learned that lesson the hard way in a 2016 case in Alabama. The grocery store’s credit card database was hacked, and credit card data was stolen. The grocery store sought coverage under its CGL property policy, but the court denied coverage because credit card data was intangible property not covered by the policy.
Other companies have experienced similar denials of coverage under other commercial insurance policies. For example, certain property insurance policies may cover the destruction of, or damage to, company property. That may be good news for a company whose electronic data was destroyed by a malware attack, unless of course the policy excludes coverage for damage to electronic data—which is sometimes the case.
The same limitations or exclusions are in many directors and officers, errors and omissions, and crime policies. Either they narrowly define “claim” or other terms to limit coverage for data breaches, or they exclude such coverage altogether.
The best way to insure against a cybersecurity attack or data breach is to obtain a comprehensive cybersecurity insurance policy.
Over the past 20 years or so, as data breaches became more common, insurers frequently denied coverage for data breaches under “traditional” commercial insurance policies and instead created separate cybersecurity insurance policies.
Companies may obtain cybersecurity insurance by purchasing an endorsement to an existing policy or purchasing a stand-alone policy. No standard policy form has emerged, as cybersecurity policy language varies among insurers and policies, but the appropriate cybersecurity insurance policy for a company should cover the common causes and costs of a data breach.
As for common causes, the cybersecurity policy should cover:
As for costs, cybersecurity policies typically provide first-party and third-party coverages. First-party coverages cover the following common costs of a suspected or actual data security incident:
Third-party coverages cover the following potential legal claims and proceedings that can follow a data security incident, usually on a claims-made-and-reported basis:
In evaluating potential cybersecurity insurance policies, the company should understand the amount of coverage for each potential cause of a data breach and analyze where coverages may overlap. As a case in point, in 2016 and 2017, a small Virginia bank was hacked, and the attacker gained administrative-level control over the bank’s databases. The attackers removed anti-theft protections for ATM transactions and stole more than $2 million from the bank at various ATMs.
The bank’s insurance policy had two relevant riders: one covering up to $8 million in losses for the electronic theft of money except for losses from the use of ATMs; the other covering $50,000 in losses from the use of debit cards. This cybersecurity attack involved both an electronic hack and the use of debit cards at ATMs. Predictably, the insurer agreed to cover only $50,000 of the bank’s losses under the debit card rider and denied coverage under the $8 million rider.
The takeaway is that companies should closely scrutinize their cybersecurity risks, identify hypothetical breach scenarios, and evaluate whether the cybersecurity insurance policy would cover the resulting losses and costs. If not, negotiate with the insurer for a better policy or choose another insurance company.
Selecting the appropriate cybersecurity insurance policy requires an understanding of the legal implications of a data breach, the limitations of “traditional” commercial policies and the potential cybersecurity risks of the company. A comprehensive cybersecurity insurance policy covering the common causes and costs of a data breach is a key way to mitigate against those risks.
Adam Brouillet is a shareholder with Tampa-based Trenam Law (https://www.trenam.com/), located in the firm’s St. Pete office. Brouillet’s practice focuses on data privacy, cybersecurity and business litigation. He can be reached at ABrouillet@trenam.com or +1 (727) 824-6105.
Trenam Law serves the needs of our clients in the Tampa Bay community in Florida. We have over eighty attorneys practicing in multiple practice groups, all sharing the goal of working with clients to establish cost effective, highly automated, responsive, and successful representation.
View firm profile
New headquarters for @MSI_Global in London. We recently moved our headquarters to 10 Queen Street Place at the Lon… https://t.co/sk8PY556yB
Register for our free webinar and international panel discussion on trading with the UK post Brexit. Leading accoun… https://t.co/EsDqZVlRYD
MSI's Portuguese member Moneris @RPA_Moneris launches new mobile app to help clients plan and manage #tax payments… https://t.co/yIYisFWqPm