May 08, 2017 Practice Points

Is Insurance Part of Your Plan for Responding to a Data Breach? Hint: It Should Be

Companies frequently fail to make insurance a priority in responding to a cyber attack.

By Joseph Saka – May 8, 2017

By now, no company needs to be told about the risk of a cyber attack or breach. As former FBI director Robert Mueller stated, we are getting to the point where there are only two types of companies: "companies that have been hacked and will be hacked again." To address this risk, sophisticated businesses spend millions not only in trying to avoid cyber attacks but also in putting a plan in place to respond to a cyber breach. Organizations retain breach coaches and SWAT teams, including cyber attorneys, forensics, and engineers, to help them respond quickly after an attack or breach.

Although businesses often have the foresight to purchase cyber insurance or other coverage to minimize the impact of a breach, companies frequently fail to make insurance a priority in responding to a cyber attack. Any well-developed plan for responding to a cyber loss should contemplate insurance. To make sure premium dollars are not wasted, companies should understand which policies may be implicated by a cyber event, what triggers insurance coverage under applicable insurance policies, and what needs to be done to comply with triggered policies. As a best practice, work with experienced coverage counsel who can help (1) assess existing policies to identify potential coverage and obstacles to coverage; (2) provide notice and comply with terms and conditions as expressly set forth in triggered policies; and (3) submit any losses in a manner that is likely to maximize coverage. By failing to take proper precautionary measures with respect to their insurance coverage, businesses expose themselves to unnecessary litigation or a total loss of coverage.

Joseph Saka is counsel with Lowenstein Sandler LLP in the firm’s Washington, D.C. office.

Copyright © 2017, American Bar Association. All rights reserved.