cybersecurity - data breach insurance

Upload: hospitalitylawyer

Post on 02-Apr-2018


7/27/2019 Cybersecurity - Data Breach Insurance 1/4

Cybersecurity risks, including data breaches, are among the most significant risks facing any company in the hospitality industry that receives what may be characterized as personally identifiable information, including credit card information. When hackers, rogue current or former employees, or others steal or otherwise gain access to such personally identifiable information, the data breach may expose the company to liabilities under statutory and regulatory schemes and to third parties, resulting in significant costs to mitigate, remediate, and comply with the obligations arising out of the liabilities.

CYBERSECURITY: Does Your Company Have Insurance for Claims Arising Out of an Alleged Data Breach?


Data Breaches May Result in Two Significant Types of Claims Against the Company:

Consumer Class Actions: Consumers have filed class action lawsuits alleging, among other things, the loss of the value of their personal information, identity theft, invasion of privacy, negligence, or contractual liability. For example, in 2011, Sony allegedly suffered various cyber attacks and data breaches, leading to multiple putative class action lawsuits against various Sony entities. See, e.g., Johns v. Sony Computer Entm't Am. LLC, No. 3:11-cv-02063-RS, Complaint ¶ 101 (N.D. Cal. Apr. 27, 2011) (the "Sony Claims"). Sony reportedly suffered a nine-figure loss as a result of the first hack. See, e.g., Alastair Stevenson, Sony Networks Hacked Post-PSN and PlayStation Store Restart, Int'l Bus. Times (June 3, 2011), available at http://uk.ibtimes.com/articles/156879/20110603/sony-hack-lulzsec-security-psn-playstation-network-hackers-security-breach-3-4.htm.

Governmental Actions: Governmental entities, such as the Federal Trade Commission (FTC) and state attorneys general, have aggressively pursued companies for alleged failures to maintain reasonable security measures to protect consumers' sensitive data. In a case involving a business in the hospitality industry, the FTC alleged that a company's failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks on multiple occasions. The FTC alleged that the company's security failures led to millions in fraudulent charges on consumers' accounts, and the export of thousands of consumers' payment card account information to a domain registered overseas. Outside of the hospitality industry, in 2009, TJX Companies, Inc., agreed to pay $9.75 million to 41 attorneys general as part of a settlement that followed an investigation concerning the retailer's data security practices. Press Release, Washington State Office of the Attorney General, Attorney General McKenna Calls TJX's Data Breach a Costly Lesson (June 23, 2009), available at http://www.atg.wa.gov/tjxsettlement062309.aspx.

Consumer and governmental actions expose a company to significant liability if the allegations prove to be true. A company also can spend significant sums in legal expenses to defend itself against such actions even if the allegations prove to be unfounded. According to a new whitepaper from NetDiligence, Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches (Oct. 2012), which examined 137 events that occurred between 2009 and 2011, the average cost of legal defense was $582 thousand and the average total cost per incident was $3.7 million. http://www.netdiligence.com/files/CyberClaimsStudy-2012sh.pdf.

A Company Should Carefully Consider the Types of Insurance That May Provide Coverage, Including Payment of Defense Costs for a Data Breach

A company should analyze its entire slate of insurance policies to determine in advance of any breach what coverages might apply to claims alleging a data breach. Such insurance may pay the costs of defending against such claims as well as liability due to any settlements or judgments arising out of such claims. Coverage may be available under traditional forms of insurance such as commercial crime and commercial general liability (CGL) policies. Regarding commercial crime policies in particular, the U.S. Court of Appeals for the Sixth Circuit found coverage under a computer fraud endorsement to a crime insurance policy for certain costs relating to a data breach. Retail Ventures, Inc. v. Nat'l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012).

Insureds, however, should not assume that their insurance companies will agree that coverage is provided by more traditional forms of insurance, such as crime and CGL policies, notwithstanding positive case law. For example, Zurich, seeking to avoid defending or indemnifying Sony against the Sony Claims, filed an action against numerous Sony entities seeking declarations that there is no coverage under various CGL policies, among other requests for rulings. See Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011, Complaint (N.Y. Sup. Ct. July 20, 2011). The matter is still pending and the outcome remains uncertain, particularly when Zurich itself previously had recognized, in at least one article, that "[t]hird-party liability policies such as Commercial General Liability (CGL) policies provide coverage to a company . . . [for] data security breaches." Zurich, Data Security: A Growing Liability Threat (Aug. 24, 2009), http://www.zurichna.com/internet/zna/SiteCollectionDocuments/en/media/whitepapers/DOCold2DataSecurity082609.pdf.


A good solution for a company concerned about having coverage in place for loss arising out of a data breach is to purchase insurance marketed expressly for cyber-related loss. Insurance companies market such standalone policies as being specifically designed to address information risk. Many refer to such coverage as "cyber insurance." For the purposes of this article, we will continue to refer to this solution as cyber insurance.

Many of these policies are marketed as contemplating coverage for loss due to information risk, including data privacy and network security. A properly designed insurance solution may very well preempt a difficult explanation to senior management that, after a cyber loss, the insurance company denied coverage under other lines of insurance, even if the denial was not warranted.

Cyber insurance comes in many forms and variations, including: Technology Errors and Omissions, Information Security Insurance, Network Security Insurance, Privacy Insurance, Data Breach Insurance, Network Breach Insurance, Technology Solutions, and a wide variety of trade names that seem to incorporate the term "tech," "cyber," or some form of "digital." Cyber insurance is often written on forms that vary from insurer to insurer. It is critical, therefore, that those involved in the procurement of such policies carefully consider the coverage afforded by the policy, limitations on such coverage, and any conditions in the policy. Some high-level and important considerations to keep in mind when considering the scope of cyber policies include (but are not limited to):

• Will the policy respond to costs incurred because of liabilities that require the insured to take steps to remedy a breach of personally identifiable information, even if there is not a demand made by a claimant or governmental entity?

• Will the policy address coverage for liabilities to the payment card industry?

• Will the policy cover regulatory actions, such as actions brought by the FTC and state attorneys general? If so, how formal must any investigation be before the coverage may take effect? How is a covered action defined? Are investigatory subpoenas covered?

• How broadly does the policy define "computer system" or "network" and information in the care, protection, or control of third parties, including those with written contracts and those without?

• Will the policy provide coverage for identity theft resolution services, including the costs associated with notifying individuals about the breach, credit monitoring expenses for the individuals whose information was leaked, as well as credit counseling services, credit restoration services, and even identity theft resolution services? (The optimal policy will provide such coverage even when the notification is voluntary and there is no law requiring such notification.)

• Will the policy provide coverage for loss control services? (A company should consider, however, whether the coverage it purchases is contingent upon its agreeing to perform any security upgrades recommended by the loss control services company.)

• Will the policy pay for the costs of data restoration?

• Will the policy cover liabilities arising out of injuries to companies, corporations, partnerships, and other entities, as well as natural persons?

• What are the geographic limitations of the policy, and will the policy apply to a data breach involving data stored outside of the company's offices (e.g., data stored with cloud providers and other vendors that may host data outside of the United States)?

A Company Should Be Cognizant of the Potential for Claims Against the Company, its Directors and Officers Relating to Cyber Risks and Alleged Failures to Insure Cyber Risks

On October 13, 2011, the Division of Corporation Finance of the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2, Cybersecurity, available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. The Guidance recognizes the increasing dependence on digital technologies for registrants to conduct their operations. The Guidance suggests that registrants consider the adequacy of their disclosure relating to cybersecurity risks and cyber incidents. The Guidance suggests that appropriate disclosures may include . . . "Description of relevant insurance coverage."

This recent Guidance has caught the attention of companies and commentators, including the emphasis on the disclosure of insurance coverage. Commentators have suggested that, in light of the Guidance, companies should be cognizant of the claims against a company's directors and officers for failure to manage and insure IT risk. See Lawrence J. Trautman & Kara Altenbaumer-Price, The Board's Responsibility for Information Technology Governance, 28 J. Marshall J. Computer & Info. L. 313, 318 (2011) ("In light of recent large cyber attacks, the SEC has issued new disclosure guidance requiring public companies to disclose cybersecurity risks that reasonable investors would consider important to investment decisions and how they address them, including whether they have cybersecurity or privacy insurance."). Whether such claims are seen as meritorious or not, a company in the hospitality industry should be aware of and consider the Guidance, and it should have an understanding of the scope of the company's relevant insurance coverage for cybersecurity and data breach risks.

Conclusion

It is impossible to list in this article every issue that may arise, particularly since the coverage forms are rapidly evolving and are not standard. Consideration of the above issues, however, will substantially assist counsel and a company in assuring that the appropriate coverage is purchased for risks of and losses from a data breach.

Scott Godes and Kenneth Berline Trotter are attorneys with Dickstein Shapiro LLP, who devote a significant portion of their practice to the representation of policyholders in complex insurance disputes with insurance companies. They may be reached at [email protected] and [email protected], respectively. This information is general and educational and is not legal advice.