This article provides basic tips for companies purchasing coverage and pursuing claims for a cyber breach.
Recent media accounts are replete with stories of significant cyber-attacks affecting hundreds of private and public entities and millions of individuals worldwide. Third-party claims by customers, employees, and regulators, the loss of valuable trade secrets or other intellectual property, interruption of business operations, credit monitoring expense, damaged reputations, privacy notification, and data loss are only a few of the risks to which businesses are exposed in a cyber attack.
In response to the emerging threat of cyber assault, insurance may provide an important resource for companies coping with a network breach. In addition to traditional policies, many insurers have begun marketing dedicated cyber, network, or privacy liability insurance policies. Here are some basic tips for companies purchasing coverage and pursuing claims for a cyber breach:
- Purchasing Coverage. Many “cyber” insurance forms are new and untested. When negotiating coverage, carefully review all terms, but pay particular attention to those defining who is insured and what event triggers coverage. To the extent that network processes are outsourced to third-parties, make sure that (1) the appropriate parties are insured on your policy or a third-party’s coverage; and (2) contractual risk transfers are in place (supported by insurance) with appropriate waivers of subrogation. Consider carefully whether the policy’s coverage responds in the event of an injury, a claim, or incident, and how that particular trigger may affect policy limits, reporting obligations, and deductibles.
- Giving Notice. In the event of a cyber-attack, companies may be required by statute to give notice to law enforcement and any affected consumers or employees. Companies should not overlook the obligation to give notice to their insurers. Insureds should be familiar with the particular notification requirements for third-party claims and to provide a proof of loss for direct losses relating to business interruption and related first-party claims. In some cases, notice may be appropriate even if there is only the potential for a claim. If the insured is reliant on third-party contractors to facilitate network security, the insured should demand that appropriate notice be given on its behalf. When in doubt, give notice.
- Selection of Counsel/Investigators. When a data breach occurs, the benefits afforded under a network security or privacy liability policy may include the retention of legal counsel as well as forensic investigators to identify and respond to the cause of first-party and third-party loss. In connection with these benefits, disputes may arise regarding the choice of the counsel or consultant to be retained. Depending on the nature of the insurer’s initial response to notice of a claim, the insured may be entitled to select its own counsel to defend against a claim or suit, while still looking to the insurer to pay the reasonable cost of the insured’s defense. Likewise, insureds may be entitled to retain the investigator of its own choosing to respond to a cyber breach.
Do Not Overlook Traditional Insurance. For those corporate policyholders that have not yet purchased dedicated cyber liability policies, in the event of a cyber attack, some traditional forms of coverage may provide protection. General liability insurance, for example, provides specific coverage for “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy,” which may apply to a data breach that results in the disclosure of personally identifiable information. Commercial property insurance generally provides coverage for all risks of direct physical loss or damage to real and personal property, subject to exclusions. Alternatively, traditional crime/fidelity policies may include coverage for loss of property caused by a third party resulting from the entry or deletion of data from a computer system.
About the Author
Micah E. Skidmore is a partner in the Insurance Coverage Group at Haynes and Boone LLP. Mr. Skidmore represents corporate policyholders in significant insurance coverage disputes, including assistance in recovering defense costs, settlements, judgments and other losses under various types of insurance policies. He consults with brokers and policyholders in negotiations involving underwriting of directors and officers liability insurance policies and other sophisticated insurance products, including trade credit insurance. Mr. Skidmore is the 2014 Chair of the Tort and Insurance Practice Section of the Dallas Bar Association and a member of the Insurance Law Council of the State Bar of Texas. He is the editor of the DecSheet blog and a frequent author and speaker on insurance coverage law.