Insurance coverage for cyber risk – both first-party and third-party loss – is a burgeoning type of insurance many major carriers are now offering to their policyholders. In view of this significant growth, this blog will – from time to time – examine issues that arise when policyholders procure cyber insurance. This initial entry will serve to broadly describe the types of coverage afforded in a typical cyber policy.
The most common form of third party-liability protection in the typical cyber insurance policy arises in the form of “privacy” or “network security” liability coverage.
“Privacy liability” affords coverage to the policyholder for any alleged liability for errors, negligence, or breach of duty to a third-party regarding the maintenance/ storage of protected personal (private) information – data often subject to privacy regulations at both the state and federal level. Importantly, this coverage really has nothing to do with computers and potentially applies to any kind of data breach.
“Network security liability” coverage protects the policyholder from failure to protect against unauthorized access (and other cyber risks) to the insured’s own computer systems in general.
Visit the TLSS Cyber Law Blog
The third party data-breach claims are the rather high-profile cases that make the mainstream new media. These include cyber-occurrences covered by this blog including the Sony Playstation Network, Target, or Wyndham Hotel network breaches. These occurrences have led to third-party lawsuits against these entities for failure to protect their customers’ data. Standard commercial general liability or professional liability insurance policies often do not cover these types of claims and many carriers are now expressly excluding data breach/cyber events from coverage.
Cyber insurance also affords coverage for first-party losses related to cyber occurrences. This is often referred to as “data breach”, “crisis management”, or “network interruption” coverage. Some policies also extend coverage for protection against regulatory proceedings, while others specifically exclude such circumstances.
The greatest expense to a victim of a data-breach is often in the response to the occurrence itself. Many cyber policies provide for reimbursement of insureds expenses in managing such situations including reputation and public relations management, computer network forensics, notification obligations and business interruption. For example, in the Sony Playstation Network breach, Sony thus far appears to have very minimal liability to its customers for the breach because the cyber attackers appear not to have actually misappropriated any customer information on a large scale. Sony’s greatest expense likely consisted of its crisis management, business interruption, and resources devoted to remediating the breach. This form of loss is not typically covered in first-party property insurance policies as many courts do not consider attacks on data and computer software to be “direct physical loss” subject to coverage. Cyber policies can fill this gap in coverage in an ever-expanding field of risk.
At this point, cyber insurance policies are largely manuscript with little to no industry standards or court interpretations to aid in applying these policies. Policies often contain specific conditions and exclusions applicable to certain coverage forms. Until the industry further evolves and matures, insurers and policyholders alike should carefully review policy language prior to purchase to ensure the coverage received is not over-inclusive or under-inclusive based on the expectations and needs of each entity.