If Cyber Crime Strikes, Will Your Insurance Be There For You?
Attacks by cyber criminals, whether rogue employees or outside hackers, have been making major headlines lately. Retailers like Target have seen their networks hacked and millions of their customers' PINs and other personal information stolen. Sony's PlayStation Network suffered its own massive data theft in 2011, with credit card data and other personal information stolen by hackers. And over a million users' email addresses and passwords were stolen from the popular Gawker blog site, along with the source code for its content-management system. These sorts of attacks on corporate computers are, unfortunately, no longer rare or isolated events. According to a Ponemon Institute survey, 40% of corporate IT security professionals reported being victimized by targeted cyber attacks.
But data breaches and computer hacking aren't just a concern for Fortune 500 companies. Any business that electronically stores or transmits customer financial data, patient medical records, or personal information about its employees is a potential victim of cyber crime or malicious software. Indeed, smaller companies are less likely to have sophisticated electronic monitoring and defense capabilities, and therefore may be even more attractive targets for identity thieves and hackers. Moreover, as companies conduct an increasing share of their business on mobile devices (like smartphones and iPads), the opportunities for company data to be compromised only increase. Another Ponemon Institute study recently concluded that the "explosion of mobile devices" on corporate networks is now the greatest security risk for corporate IT departments because such devices are often inadequately secured. For many businesses, it may be only a matter of when, not if, their sensitive data will be compromised.
Are You Covered?
The costs of dealing with a data breach or cyber attack can be enormous. These costs can take the form of investigation and customer notification expenses, security upgrades and repairs, regulatory penalties, and even class action suits for damages. Costs can easily (and often do) run into the hundreds of thousands or even millions of dollars. Given the potential for major financial losses associated with data security breaches and cyber attacks, smart businesses are taking a hard look at their insurance policies to see whether they are adequately covered.
Standard Commercial General Liability (CGL) insurance provides coverage for various kinds of claims brought by third parties against the policyholder, claims that, in some circumstances, might include losses caused to a third party by a data breach or malicious attack. Depending on the specific policy language, a cyber attack or data breach might fall within CGL provisions covering "property damage" or "personal or advertising injury" to a third party. Some CGL policies, however, specifically exclude "electronic data" from the definition of "property damage," which could limit the insurer's obligation to indemnify the policyholder, depending on the exact wording of the exclusion and the facts of the case. Court decisions to date have not provided policyholders with a great deal of reassurance about whether their CGL policies will protect them from liability associated with data breaches or computer hacking.
Aside from CGL policies, traditional first-party property insurance may also provide coverage for the victimized company whose data or computer networks are damaged by a malicious cyber attack. But these types of traditional property policies often contemplate physical loss or destruction of tangible property and may not include language that expressly applies to unauthorized access to electronic data, communications networks, or computer systems. A policyholder should check whether its property policy defines "covered property" in a way that includes electronic data at all, and whether it requires "direct physical loss" as a trigger.
Should You Buy Cyber Risk Insurance?
Recognizing a growing demand by policyholders, some insurers are actively marketing cyber risk insurance—either as a stand-alone product or as a rider to a standard suite of insurance coverages. Caution is needed, however, to ensure that the policyholder is obtaining coverage that aligns well with the risks it faces in its business. In addition to insuring against potential liability to third parties for unauthorized access to or loss of data (and related remedial efforts), a good cyber risk insurance program should include coverage for possible damage to the policyholder’s own data and computer systems, including any losses associated with investigation, rapid response, network repairs, and notification of customers. It should also provide for recovery of any income lost due to business interruptions resulting from a cyber attack. These new insurance products are sold under various names: “cyber risk,” “network security,” “Internet liability,” etc. But regardless of what the insurer calls these products, the key message here is that not all cyber risk policies are created equal, which increases the need for companies to consult knowledgeable insurance coverage counsel to make sure they are getting the protection and peace of mind they think they are purchasing.
One often overlooked aspect of a cyber risk insurance program is coverage provided by company vendors and other entities often referred to by state and federal privacy regulators as “business associates.” Vendors’ insurance policies can be an important component of a company’s cyber risk mitigation efforts. In a future blog post, we will examine several ways that you can reduce the risks posed by vendors and other “business associates” who have access to your company’s data. But for now, suffice it to say that it’s nearly always a good idea to demand the right to review your vendors’ insurance policies, to insist that they maintain adequate coverage, and to require that they name you as an additional insured.