December 20, 2017 Practice Points

Cyber Liability Policies Conditioning Coverage on the Insured’s Negligence

Policyholders should consider seeking out a policy form that does not tie coverage to the policyholder’s negligence

by Ken Kronstadt

In recent months, cyber liability policy forms offered by major insurance carriers have appeared in the insurance market under which coverage depends, at least in part, on the policyholder having been negligent. For example, one such policy provides that certain first-party expenses (e.g., notification, crisis management, investigation, credit monitoring and regulatory expenses) are covered only if they result directly from a “data privacy wrongful act” that was negligently committed by the policyholder or from the actions of a negligently supervised “rogue employee.”

In a breach in which a third party wrongfully gains access to the policyholder’s network and/or data, this type of policy language requires the policyholder to establish that it was negligent in establishing or enforcing its security measures and practices in order to obtain coverage. This presents potential issues for policyholders. First, recent history has shown that even policyholders with robust data privacy and security policies and comprehensive employee training on following such policies can find themselves the victim of a data breach or social engineering scam. Such a policyholder would be hard-pressed to establish that it acted negligently, even if it wanted to do so to obtain coverage.

Second, and perhaps more importantly, by making such an argument, a policyholder would increase the likelihood that it would face fines, penalties or a regulatory action by the FTC or another regulatory agency. These agencies tend to focus primarily on the reasonableness of the victimized company’s actions in determining whether to bring any type of enforcement action or levy any fines or penalties. As such, policy language tying coverage to the policyholder’s negligence puts the policyholder in a dilemma: if the policyholder was not negligent, it likely will not obtain insurance coverage, but it will be less likely to face a regulatory action, fines or penalties; if, on the other hand, the company wants to obtain insurance coverage, it would need to argue that the acts or omissions that led to the breach were negligent, making the policyholder far more likely to find itself in the crosshairs of a regulatory agency.

Accordingly, policyholders would be best advised to closely scrutinize any current or prospective cyber liability policy to examine whether coverage thereunder is dependent on the company’s negligence. If so, and if the policyholder possesses the type of data that would attract regulatory attention if breached, it should weigh the considerations above and consider seeking out a policy form that does not tie coverage to the policyholder’s negligence.

Ken Kronstadt is with Kelley Drye & Warren LLP, Los Angeles.


Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).