21 February 2012

Insurance And Risk Management For Breach Of Data Privacy And Information Security


Article by Louise K. Thomas1

Originally published in the December 2011 issue of inFocus, PRISM's Quarterly Journal

When a case of back-up tapes containing individual medical records falls off the truck and is lost, who will pay for the notice to the patients of the loss of their medical records, as required by state and federal laws?

When a hacker invades your computer system, and corrupts the computerized tracking system, do you have insurance to cover the cost of reconstructing those warehouse records and your loss of business income while the warehouse is unable to retrieve items?

When an error by your software consultant enables access to your records without a password, does the consultant have the requisite insurance to indemnify your business and cover your damages?

Unfortunately, the standard commercial property and general liability insurance policies do not cover electronic data, network and privacy risks and so, unless you have taken steps to specifically cover these "electronic" risks, your business may have to pay for these losses out of its own funds. The preceding articles discussed your expanded legal responsibilities and your exposure to suit when records containing personally identifiable or confidential information are lost or stolen. The cost of just complying with the regulatory requirements associated with a data breach, especially notification, is, on average, more than $6 million, and that number doesn't even address the cost of defending the myriad of lawsuits that may arise out of a breach. Very few businesses can easily absorb such losses without insurance coverage. This article addresses the role that insurance should play in protecting your company from the losses relating to electronic data, privacy and information security breaches.

The risks in our current world can be starkly expressed by thinking about where the smart modern criminals spend their energy today. In the 19th and 20th century, robbers held up banks with guns to get money. Today, only a dumb and desperate thief shows up at the physical premises with money bags and a handgun. The best of modern criminal thinking focuses on computer theft, hacking and selling personally identifiable information.

Given today's realities, locking the doors to the warehouse and posting a security guard may protect your business if Jesse James and his gang are in town, but that is little defense against Jonathan James, the 16-year-old who hacked into Department of Defense and NASA computer systems. Relying on the standard commercial property or commercial liability policies to protect your business from a loss of personally identifiable information or a virus that corrupts your computer system may be just as outdated.

Insurance for the Old Bricks and Mortar World Offers Little Protection for Cyber Risks.

The popular thinking is that the standard commercial property or commercial liability policies cover all risks and, given the likelihood of damage to electronic data or a privacy breach, those standard policies must cover those kinds of losses. However, absent specific endorsements, it is unlikely that your business or that of your subcontractors will have the requisite coverage in the event of a data breach.

Most standard insurance products were created to protect losses in a bricks and mortar world, where physical damage to tangible property or bodily injury to persons were the primary risks faced by businesses. "Cyber risks" or "electronic data" were not even part of the vocabulary when these policies were drafted and no one even thought about privacy rights in personal information. Over the last 15 years, as the world rapidly moved into the electronic sphere, insurance carriers have resisted providing coverage for these new electronic risks under policies underwritten for the old bricks and mortar world.

The Sony Nightmare

For example, in the spring of 2011, computer hackers gained access to the PlayStation Network, where Sony sells online games, and stole the personal information and financial information, such as credit or debit card numbers, of approximately 77 million Sony customers. By July, fifty-eight class actions had been filed against Sony in state and federal courts and also in Canada. When Sony asked its commercial general liability carrier, Zurich, to defend and indemnify it from the lawsuits, Zurich denied coverage on the grounds that the claims for unauthorized access to and theft of personal and financial information are not "bodily injury", "property damage", or "personal and advertising injury," as those terms are defined in the standard commercial general liability policy.2

"Property Damage" is defined in your company's commercial general liability policy as: "physical injury to tangible property" or "loss of use of tangible property that is not physically injured." The insurance industry has repeatedly denied claims arising from hacking or other cyber-security breaches on the grounds that damage to electronic data does not constitute "tangible property" and theft or alteration of information electronically stored is not "physical injury." Many courts agree; e.g. State Auto Prop. & Cas. Ins. Co. v. Midwest Computers, 147 F. Supp. 2d 1113, 1115-16 (W.D. Okla. 2001) ["computer data cannot be touched, held, or sensed by the human mind [and thus] it has no physical substance" and is, therefore, not tangible property]; cf. NMS Servs., Inc. v. The Hartford, 62 Fed. Appx. 111, 115 ["a computer stores information by the rearrangement of the atoms or molecules of a disc or tape to effect the formation of a particular order of magnetic impulses" and therefore erasure was a "direct physical loss."]

Starting in 2004, the insurance carriers tried to remove any argument that the property damage coverage in commercial policies covered electronic data by expressly stating that electronic data is not covered. "Electronic data" is very broadly defined to mean: information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications, software, hard or floppy disks, CDROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.3

As a result of these changes, it is unlikely that your standard commercial property policy will cover damage to your electronic data or the interruption of your business as a result of a computer event, unless it is specially endorsed.

The standard commercial general liability policy also includes Personal and Advertising injury coverage, which includes "oral or written publication, in any manner, of material that violates a person's right of privacy." Policyholders have had more success in recovering defense costs for third party claims for data breaches when they can be construed within the definition of "personal and advertising injury." E.g. Netscape Comm. v. Federal Ins Co., 343 Fed. Appx. 271 (9th Cir. 2009). However, as the Zurich Insurance v. Sony lawsuit demonstrates, the insurance companies are still fighting any argument that personal and advertising injury coverage applies to data breach claims.

If your business has to rely on the standard commercial products in the event of a data breach, at a minimum there will be a significant fight with your insurance carriers at the same time that the business is trying to comply with various notification laws and defending lawsuits; at worst, your business will have to pay all costs, attorneys' fees and settlements out of its own funds. Therefore, your business needs to start planning now to identify and manage the risks of an electronic data event so that when the inevitable occurs, you are protected.

There are a variety of new insurance products available both as stand-alone policies or endorsements to your existing policies, which specifically cover damage to electronic data and data breach claims.

Risk Management for Cyber Risks

First step – Identify the Risks.

As with all insurance purchases, the prudent business outlines the nature of the risks of its particular business before meeting with the insurance broker – in effect a shopping list of the "horribles" that could happen and the types and extent of damage that could result. While your insurance broker may be very knowledgeable about the details of insurance policies, only you know the specific and peculiar risks posed by your own operations. Further, most insurance forms are designed for businesses in general and not geared to the specific industry in which you operate.

Just like insurance, the commercial records management industry started in a bricks and mortar world, and paper was the primary medium for holding information. While confidentiality of client information has always been a concern, it is only recently that the state and federal governments have enacted specific protections, including notification, concerning personally identifiable information. When your business first purchased insurance, fire and theft were primary concerns, but corruption of electronic data or compliance with HIPAA obligations were not even contemplated.

The risks associated with storing and maintaining personally identifiable information are not limited to an organization's potential liability from negligent acts that cause others to suffer identity theft or invasion of privacy. You need to consider direct damage to the organization itself. A destructive virus can spread havoc within an organization with the same disruptive impact as if the bricks and mortar organization had undergone the effects of a natural disaster.

So, it is important to make a new shopping list to reflect today's technology and electronic risks. In doing so, it is helpful to think about two broad categories of risk:

  1. Potential damage to your own property and events that could adversely impact your operations and trigger regulatory requirements.
  2. Potential damage to other individuals or entities and events that could result in claims and lawsuits against your business.

Spending even half an hour listing your business's insurance risks could accomplish exactly what a grocery list does – you will buy only the right products, and you won't have to make a second trip because you forgot an essential ingredient.

Cyber Risk Insurance Products

1st Party coverages

You may wish to start by considering whether you want to buy insurance products that will cover damages that could be suffered by your own business, known as 1st party coverages. These products are similar to the traditional commercial property policy insuring a warehouse from fire, windstorm, or other casualty but the property covered by these policies is electronic rather than bricks. Those products may include:

  1. Information Asset Coverage - Coverage for restoration or recreation of data, computer system resources, and information assets that are damaged by a computer attack or other failure of the system.
  2. Crisis Management/Identity Theft Expenses. This coverage would pay for the expensive notifications required by most states' data breach notification laws. Some policies also cover the costs of credit monitoring for the injured people, even if that monitoring is not required by law. The cost of the technology experts needed to respond to the breach, and even public relations consultants, may be covered.
  3. Business Interruption coverage to compensate for the business's lost income suffered as the result of a system outage or extended downtime due to failure of security.
  4. Cyber Extortion. As the sophistication of computer crime increases, some policy forms may extend to extortion threats to commit an intentional computer attack against you.

3rd Party Coverages

Your business may also want to purchase insurance that will cover it when there are claims made by third parties against the business arising out of the disclosure of personally identifiable information or damage to another entity's electronic data. Those products may include:

  1. Privacy liability policy, which will pay defense costs as well as pay judgments in suits against the company from persons claiming to be injured by your wrongful disclosure of confidential information. As noted in the preceding articles, while the courts have been reluctant to actually award damages to individuals, the cost of defending these class actions regularly exceeds one million dollars.
  2. A Cyber Risk liability policy to cover claims for damage to a third party's computer system or electronic data or interruption of service to a customer caused by computer malfunction. This coverage fills in the hole in the commercial general liability policy, which specifically excludes claims against your business for damages "arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data."

Insurance Coverage Required in your Contracts with Service Providers

Unfortunately, the insurance requirements in standard service contracts were also written in a bricks and mortar world, and it is likely that the only coverage required in the numerous contracts your business has with providers is a commercial general liability or automobile policy. It is common for a provider to agree to indemnify your business for claims arising out of its work; if the provider has only a commercial liability policy, that indemnification may be an empty promise in the event of an information security incident.

For example, too many small computer consultants have the following insurance requirements language in their provider contracts:

During the duration of this Contract, Consultant shall maintain a Comprehensive General Liability Insurance policy in the amount of $1 Million and provide evidence of such insurance upon request. Customer shall be named an additional insured under said policy.

As discussed above, the consultant's CGL policy provides no protection when its error causes the loss of important inventory records or allows a hacker into your computer systems. The consultant needs an errors and omissions policy for the types of services he renders. There are numerous Technology E&O policies available that cover a computer consultant's professional services, and the contract must require such coverage.

Therefore, your exploration of the potential risks to your business posed by electronic data and privacy concerns should not be limited to the business's own activities. The myriad of service providers your business employs also poses a constellation of risks for which it is important that they carry the right coverage... or there may not be any funds to cover your damages.

A word of caution - Not all Cyber Insurance is the Same

Cyber Risk insurance products are all very new, carry a variety of labels and differ widely in the nature and extent of coverage. They may be called: Cyber Security Liability policy, Electronic Data Processing Endorsement, Privacy Protection, Network Risk, NetProtect Essential, Breach Response, Security and Privacy Liability, Technology E&O, Computer Related Crime, Electronic Liability, or e-Commerce policy. Do not assume that the names of policies and the labels for coverages and endorsements define the coverage; they do not.

Further, there are no "standard" cyber forms like there are for commercial property or general liability policies, where a CGL policy from Travelers is very similar to a CGL form from the Hartford. Unlike the standard forms, the cyber risk policy language has not been interpreted by thousands of court decisions. Therefore, it is essential that your broker carefully compare the coverages offered by a few competing products so you can make a reasoned decision about which product fits the particular needs of your business. There will be some gaps in coverage in each policy – the key is being aware that the gaps exist and choosing the risks for which you most need insurance.

Conclusion

In today's world, viruses, worms, Trojan horses and other malware can spread havoc within an organization with the same disruptive impact as a fire might have 20 years ago. In the 5th annual IDC Digital Universe Study released in June 2011, the authors make these sobering observations:

In 2010, 28% of the digital universe required some level of security, as a result of governmental or other confidentiality concerns.

There are increasing calls from advocates, academics, and regulators to improve the current privacy and data protection regimes.

Only about half the information in the digital universe that should be protected is protected.

These statistics demonstrate the necessity of a careful review of your cyber risks and insurance program to be sure that these 21st century risks are covered as well as the 19th century ones.

  1. Do not assume that the standard commercial property and general liability policies will protect your business if electronic data is corrupted or stolen. They probably will not.
  2. Identify the risks that electronic data and computer networks pose, both to your own business and to potential claims against the business. The new privacy and data security laws can impose very significant expenses when personally identifiable information is disclosed.
  3. Ask your insurance broker to compare several different cyber risk policies – the nature and scope of the coverage varies widely. Then compare those coverages to your "shopping list" of most significant risks.
  4. Review the insurance requirements in technology vendor contracts to make sure that the vendor has the appropriate insurance policies in place in case its services cause damage to your business.

Footnotes

1 The author is a senior litigation partner at Pierce Atwood LLP, a leading New England regional law firm. Louise has over 30 years of experience in commercial litigation and insurance coverage disputes. http://www.pierceatwood.com/louisethomas.

2 Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. July 20, 2011).

3 Insurance Services Office Forms, CP 00 10 06 07 and CG 00 01 12 07
