Liability and damages arising out of data breaches and other “cyber” events present some of the greatest risks currently facing small and large businesses. Common costs include (1) investigation and mitigation by IT professionals; (2) notification to customers/clients, along with help desk and credit monitoring services; and (3) civil and/or regulatory penalties. While certain commercial policies previously provided limited coverage for damages caused by a cyber event, the recent trend among insurers has been to exclude this coverage and force businesses to purchase stand-alone cyber policies. Despite the increased prevalence and potentially devastating consequences of cyber risks, however, there is not yet a standard form policy for cyber insurance. As a result, cyber insurance coverage can vary dramatically from one carrier to another, requiring careful review of the details of each individual policy. And the failure to identify and fix a gap in coverage before a cyber event occurs may have catastrophic consequences.
The attorneys at Franklin | Soto LLP are well-equipped to navigate through the morass of cyber insurance policy language, both in negotiating enhanced coverage for businesses that are purchasing or renewing a cyber policy, and in establishing coverage when an insurance carrier has wrongfully denied a claim. In fact, we have written and presented to other attorneys on (1) key areas of cyber coverage; (2) key exclusions; and (3) significant court decisions in this developing area of law.
The most common categories of cyber insurance coverage include the following:
a. Forensic Investigation Coverage
Immediately after a data breach, a business will usually incur significant costs in hiring IT consultants to identify the nature and scope of the problem, and to contain it. These costs are not typically covered by any other type of insurance policy.
b. Crisis Management Costs
These costs may include the hiring of public relations consultants and/or attorneys to help craft an appropriate company statement, notify customers, and comply with data breach notification laws in the wake of a data breach.
c. Notification/Credit Monitoring Costs
Many states, including California, require that businesses notify customers within a certain period of time following discovery of a data breach. In addition, where customer credit card or other financial information has been compromised, certain states require businesses to provide credit monitoring services for the affected customers, typically for up to one year. Only cyber insurance can provide coverage for this significant expense.
d. Data Breach Notification and Privacy Litigation
This coverage provides for the defense and indemnity of lawsuits brought by affected customers following a data breach.
e. Online Defamation, Copyright and Trademark Infringement
This coverage provides for the defense and indemnity of certain categories of litigation outside of the context of a data breach.
f. Regulatory Defense and Penalties
Cyber policies are unusual in providing coverage for the defense and indemnity of regulatory investigations and prosecutions. Other commercial insurance policies typically exclude coverage for regulatory action.
g. Business Interruption
This coverage typically protects against a complete cessation of business, as opposed to a reduction in business, as a result of a cyber event.
h. Data Loss and Restoration
When a company loses its own data as a result of a data breach, the costs of hiring IT consultants to restore the data can be enormous. But this expense is a component of first-party coverage under many cyber policies.
i. Computer Fraud
Computer fraud coverage protects against loss sustained by the insured through the fraud of a third party. But many cyber policies contain exclusions that complicate, if not eliminate, coverage for computer fraud under certain circumstances.
j. Cyber Extortion Coverage
Cyber extortion coverage comes into play where hackers obtain confidential customer or business data and demand a ransom in exchange for the safe return of the data. This is, unfortunately, becoming a more common occurrence. Only cyber insurance policies provide coverage for this type of event.
Given that the current cyber insurance landscape is changing day by day, our attorneys regularly monitor developments in cyber insurance law and are committed to helping shape it in a manner that is fair to cyber insurance policyholders.
If you have any questions in connection with the purchase or renewal of a cyber policy, or if your insurance company has denied coverage for your cyber claim, contact us at 619.872.2520 to discuss your matter.