Originally appeared in the Privacy Risk Report
At this point, we have been bombarded with many details and a lot of speculation related to the November 2014 Sony Pictures hack. In short, hackers stole sensitive information and data, including private employee information, emails sent inside and outside the company, and unreleased films. In addition to the damage caused by the hack, Sony Pictures potentially suffered damages from extortion attempts and lost revenue from the limited release of the film The Interview.
While the details related to this hack are widely available in newspapers and entertainment magazines, the information publicly known at this time can provide insight for anyone considering cyberliability insurance.
A number of states base their data breach notification laws on whether “personal information” has been compromised. In general, “personal information” includes social security numbers, drivers’ license numbers and credit/debit card information. However, in addition to taking some of this information, the Sony hackers also obtained confidential information such as unreleased films. Therefore, while many states provide a concise definition of the information potentially at risk, insureds should consider whether their data and other information includes items beyond the short list in the definition of “personal information.”
Recently, the pre-breach strength of a party’s security systems has become a central issue in data breach litigation. For example, in the lawsuit filed by banks against Target for its breach in December 2013, the banks claimed Target was liable for failing to disclose “material weaknesses” in its data security systems. Likewise, there were claims that Home Depot’s data breach could have resulted from its failure to perform regular tests on its Point of Sale systems, its hiring of its Senior IT security architect after he sabotaged his former employer’s network, and its running of an outdated version of Symantec Antivirus software from 2007. Therefore, underwriters will need to take an applicant’s overall defenses against hacks into account when assessing the risk prior to issuing a policy.
In light of the recent cyber attacks and data breaches, there should be little question that cyberliability insurance can provide valuable protection. Of course, a “cookie-cutter” approach using standard policy forms may not work for every insured. The Sony breach involved a substantial amount of information that only a movie studio would be expected to be storing on its systems. Obviously, a hospital would not need cyberliability coverage for unreleased motion pictures. The utility of this insurance will be limited by how closely the insurance applicant and the underwriters work together before a policy is issued. The key will be for insureds to disclose the specific data they want to protect and for underwriters to understand the insured’s business.