In recent months, major insurance carriers have introduced cyber liability policy forms under which coverage depends, at least in part, on the policyholder having been negligent. For example, one such policy provides that certain first-party expenses (e.g., notification, crisis management, investigation, credit monitoring and regulatory expenses) are covered only if they result directly from a “data privacy wrongful act” that was negligently committed by the policyholder or from the actions of a negligently supervised “rogue employee.”
In a breach in which a third party wrongfully gains access to the policyholder’s network and/or data, this type of policy language requires the policyholder to establish that it was negligent in establishing or enforcing its security measures and practices in order to obtain coverage. This presents potential issues for policyholders. First, recent history has shown that even policyholders with robust data privacy and security policies and comprehensive employee training on following such policies can find themselves the victim of a data breach or social engineering scam. Such a policyholder would be hard-pressed to establish that it acted negligently, even if it wanted to do so to obtain coverage.