Misunderstandings over policy language can leave businesses unprotected, LeClair Ryan attorney Richard Caplan warns
Atlanta, GA (4/19/16) – An “alarmingly regular” series of data breaches and other digital attacks against major retailers and other organizations has set off a stampede for cyber insurance, according to Richard Caplan, a litigation associate in national law firm LeClairRyan’s Atlanta office. Purchases of such policies—which buttress traditional crime and general liability coverage—are expected to triple to $7.5 billion by 2020.
“But even if you purchase a cyber-specific insurance policy, disputes over coverage may still arise,” Caplan warns in a recent blog post at Information Counts, which focuses on privacy, data security, information technology, e-commerce and other digital issues. Some recent court rulings illustrate the challenges businesses face when they try to guard themselves against liability, where decisions can hinge on the meaning of certain key words and phrases in a policy.
For example, following the 2011 Sony PlayStation data breach—where sensitive personal data for some 100 million customers was exposed by hackers—a Supreme Court of New York judge ruled that the insurer had no duty to defend or indemnify the electronics company under its Crime and General Liability policy. While the case was on appeal, Sony and its insurer reached a settlement.
“The insurance company argued its policy ‘was never intended to cover cyber losses,'” Caplan writes in the blog, Cyber Insurance: Make Sure You Understand Your Coverage. “But even if you purchase a cyber-specific insurance policy, disputes over coverage may still arise.”
He also cites a case involving Federal Recovery Services, which allegedly mishandled data from a company that operated fitness centers in several states. Federal had a cyber policy, but the United States District Court in Utah determined the insurance company was not obligated to defend Federal under the policy terms.
“This case illustrates two conflicting issues floating around in the world of cyber insurance,” Caplan explains. “First, that whether an insured is actually covered is not always so clear; and, second, that courts may be requiring a heightened standard of care for insurers to diligently investigate a cyber-related claim.”
Companies considering cyber insurance should start with the basics common to any kind of policy, he advises: “Do you need it, what risks should be covered – first-party remediation, third-party claims or both – and how much is enough.”
Other cyber-specific issues include whether the carrier or the insured will choose a forensics expert in the event of a breach or whether the carrier will impose underwriting conditions like data encryption and periodic audits or penetration tests. Also, “What key data are you trying to protect, how it is currently secured and what is the risk of third-party claims or litigation if it is compromised?” Caplan notes. “Many companies think their GCL or Errors & Omissions policies cover certain cyber risks, when in reality those risks may be specifically excluded.”
Additionally, many companies that have already purchased cyber insurance mistakenly think it covers all first-party costs in the event of an incident – like investigation, notification and credit monitoring – when it actually only covers third-party claims or lawsuits.
“If your cyber coverage only kicks in when a third party makes a claim, then practically speaking, you may not have any coverage at all,” he warns. “For now, perhaps the most important thing to do is make sure you do not fall into the category of someone who thinks they are covered when they are not. Also review the language and scope of your coverage on a periodic basis, speak with counsel about developing law in this rapidly evolving area and monitor the way insurance companies are modifying their terms and contracts in response to recent legal and other developments.”
To read the full blog post, visit http://informationcounts.com/understanding-cyber-insurance-coverage/
As a trusted advisor, LeClairRyan provides business counsel and client representation in corporate law and litigation. In this role, the firm applies its knowledge, insight and skill to help clients achieve their business objectives while managing and minimizing their legal risks, difficulties and expenses. With offices in California, Colorado, Connecticut, Delaware, Georgia, Maryland, Massachusetts, Michigan, Nevada, New Jersey, New York, Pennsylvania, Texas, Virginia and Washington, D.C., the firm has approximately 390 attorneys representing a wide variety of clients throughout the nation. For more information about LeClairRyan, visit www.leclairryan.com.