The Real Deal on Cyber Liability Insurance
May 8, 2012
by Technical Development Division
You have probably been hearing more about the concept of “cyber liability” from your insurance broker, or perhaps it is being discussed within the management circles of your industry. If your company does not sell any products or services over the Internet, you may be wondering why you would need cyber liability insurance – or worse yet – you may not have even given it a second thought.
If it can happen to NASDAQ, it can happen to you: late in 2010, “hackers” accessed one of NASDAQ’s web-based applications where corporations shared confidential financial and governance information.
If it can happen to Thomas Jefferson University Hospital, it can happen to you: in August 2010, 21,000 patient records were compromised after the theft of a laptop.
If it can happen to a local retailer, it can happen to you: in late 2009, customers’ credit card information was stolen while it was being stored temporarily via point-of-sale software. Fraudulent transactions totaling at least $250,000 resulted.
If it can happen to the U.S. government, it can happen to you: in 2009, “hackers” disrupted the Treasury and Secret Service Department websites for several days over the July 4th holiday.
What is Cyber Liability Insurance?
The term “cyber liability” encompasses an array of liability exposures that are not necessarily tied just to businesses that sell their products or services over the Internet. In fact, it is a bit of a misnomer, since a cyber liability policy can cover a number of exposures, including failure to protect an individual’s personally identifiable information or confidential corporate information from theft – even when the data was being stored in paper files.
Almost every type of business has an exposure to loss that can be covered by a cyber liability policy, including law firms, manufacturers, retail stores, restaurants, healthcare providers, technology companies, social service agencies, financial institutions, universities and government entities. Some of the exposures that can be covered include:
- Information security and privacy liability for failure to protect personal or corporate information held on computer systems, smartphones, laptops or paper files
- Cost to notify affected individuals that their personal information has been breached, as required by
- Other costs associated with data breaches, such as public relations and investigative costs
- Loss of business income when a “hacker” prevents your customers from accessing your website
- Personal injury (such as libel) that may result from the use of blogs on your website or other social media
- Liability for your customers’ business interruption suffered because a “hacker” prevented their access to your website or systems, among others
Isn’t This Covered Under One of Our Other Insurance Policies?
Possibly, but not likely. Traditional insurance policies were not designed to cover these types of exposures, so any coverage you might find under your general liability, professional liability, crime or property policies or even a directors & officers liability policy written for a privately held company will either be very limited or simply accidental. Some carriers might offer you an endorsement to provide coverage for a specific component of your cyber liability exposure, but it is usually not as comprehensive as buying a separate policy.
From a 10,000-foot view, here are several reasons why your traditional insurance policies might not respond to a cyber liability claim:
- General liability policies do not respond to claims for damage to intangible property (there is also typically a specific exclusion for claims arising out of electronic data)
- General liability policies typically exclude claims arising out of “blogs” you own or host
- Property policies only provide loss of business income coverage if there was direct physical damage caused to your property (not caused by hackers that shut down your website)
- Crime policies do not respond to claims for damage to intangible property (there is also typically a specific exclusion for loss of confidential information)
- Private company directors & officers liability policies typically exclude claims arising out of bodily injury (including emotional distress), property damage and specific types of personal injury
- No traditional insurance policy currently provides coverage for the expenses associated with notifying affected individuals when their personally identifiable financial or medical information was breached while in your care, custody or control
These are just some of the hurdles to overcome in order to find coverage for cyber liability claims under a traditional insurance policy.
Privacy Breach Notification Expenses
I mentioned above that no traditional insurance policy currently provides coverage for the expenses associated with notifying affected individuals when their personally identifiable financial or medical information was breached while in your care, custody or control. That statement bears further explanation.
The Federal Government has seen fit to make sure businesses are acting responsibly when gathering, storing and using information that could possibly be used to harm an individual’s personal finances or reputation. That information includes, but is not limited to, names, addresses, driver license numbers, social security numbers, bank account numbers and health information. The Gramm-Leach-Bliley Act of 1999, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and various state privacy breach notification laws all include provisions requiring companies to protect this information in some way. These laws create liability for businesses. They also require notification of affected individuals when their information has been breached. The requirements for how and when you must notify are very specific within the HITECH Act and the individual state privacy breach laws. For instance, some states require notification for breaches of electronic data, while others require notification for breaches of data stored on any medium, including paper. The laws you have to comply with depend on the state in which the affected individuals reside.
The cost of notification is fairly significant (not to mention the cost of legal fees to figure out which laws you would need to comply with and how). The estimated cost of a data breach, according to the Ponemon Institute’s 2009 Annual Study: Cost of a Data Breach, is $204 per compromised record. This cost estimate includes some costs that are not insurable, such as “lost customer business.” However, about 25% of this cost is currently insurable, including investigation, public relations/crisis management, general notification costs and credit monitoring services for affected individuals. According to the same report, the number of records compromised in any one event ranged from 5,000 to 101,000, and the average cost (direct and indirect) of a data breach was $6.75 million. These costs can add up quickly. (Note: The Ponemon Institute conducts independent research, provides education and verifies privacy and data protection practices of organizations in various industries. The full report is available at no charge at www.ponemon.org.)
Back to the Real Deal
With the exception of privacy breach notification costs, it is still possible that you could find coverage for some cyber liability claims under your traditional policies, particularly those policies that are providing you liability-type coverage. If your company suffers a business interruption resulting from a denial of service attack, you might even find coverage under your property policy if there was some concurrent property damage that resulted.
Carriers have not yet added specific exclusions for these types of claims on their traditional policies. They are relying on their current policy definitions and exclusions to protect them for now. This is reminiscent of the evolution of employment practices liability policies. In the beginning, there were no specific exclusions on general liability or directors & officers liability policies to exclude employment practices claims. But, once those claims started materializing (and were covered), employment practices exclusions started appearing rather quickly on general liability and directors & officers liability policies. Today, we would not expect that a typical employment practices claim would be covered unless the company had purchased an employment practices liability policy.
The problem is that we do not yet know what the claims will be or how the lawsuits will be brought. The most significant claims the insurance industry has seen so far are for privacy breach notification costs, and the industry has already concluded those aren’t covered outside of a cyber liability policy. We can surmise that when the claims come in, they will be alleging things like “emotional distress” or “mental anguish” or “invasion of privacy.” Financial damages for an individual may be minimal, unless you find yourself in a situation where the breach of an individual’s health information caused them to lose their job or to be “blacklisted” by another company in their industry.
Some of you could be faced with class action lawsuits. Just looking at the examples provided at the beginning of this article, you can imagine the possibilities. But truth be told: we just do not know yet. Buying a cyber liability policy would, however, provide some peace of mind that you have an affirmative coverage grant for exposures that are new and evolving. And, if you have an exposure for privacy breach notification expenses (including investigation, public relations/crisis management and credit monitoring), purchasing a cyber liability policy is the only way to obtain coverage.
It Is Still Evolving
Cyber liability is an evolving exposure as well as an evolving insurance product. If you feel you might have one of the exposures described above, I would recommend you at least explore the product. Talk it through with your insurance broker. Once you have all of the facts, you will be much better positioned to make an informed decision. One word of caution: there is currently very little consistency among policy forms, so a very thorough analysis of coverages should be done. Further, since the policies cover such an array of exposures that may or may not apply to your business, you have the ability to tailor the insurance policy to fit your needs and your price point. Whether yours is a law firm, manufacturer, retail store, restaurant, healthcare provider, technology company, social service agency, financial institution, university or government entity, you should give this coverage a second thought.