Read the Fine Print

By Kevin Adler
November 02, 2013

The difficulties of securing important company and customer data are not new to franchised businesses, but the scale of the problem continues to increase. A new white paper by insurance consultants Peter R. Taffae and M. Damien Magnuson indicates another threat: inadequate insurance coverage when security breaches occur. See “What Every Insurance Professional Must Know About Network Security and Privacy Liability,” 2nd ed., Peter R. Taffae and M. Damien Magnuson, ExecutivePerils.

Insurers are adding new restrictions to their cyber liability coverage, even as industry executives incorrectly assume that their standard insurance policies provide them with protection. “While limited coverage for some privacy, media or data breach exposures may be included in 'traditional' insurance programs comprised of commercial general liability, umbrella liability, fidelity/crime, and kidnap, ransom and extortion policies, there will inevitably be substantial gaps and plenty of room for coverage disputes,” wrote Taffae and Magnuson. “Most underwriters of traditional types of insurance contend that it is not the intent of these policies to pick up cyber exposures. Changes have been made, and are continuing to be made, to these forms to clarify the intent not to cover cyber exposures.”

The authors cite numerous significant limitations that have been added to the standard Insurance Services Office, Inc. (ISO) CGL policy in the past decade, such as:

  • An exclusion for damage arising from damage to or the loss of electronic data;
  • A clarification that electronic data is not tangible property (thus, damage to electronic data is not covered property damage);
  • An exclusion for liability arising from violation of statutes, regulations or ordinances related to sending, distributing or transmitting information;
  • An exclusion for personal or advertising liability arising from chat rooms or bulletin boards owned, managed or controlled by the insured; and
  • Limits on standard CGL policies to cover copyright infringement only if the infringement is in an “advertisement,” which is strictly defined and narrowly construed.

Third-Party Cyber Liability Coverage

Franchisors should carefully review both their third- and first-party cyber coverage, according to Taffae and Magnuson. Third-party cyber liability coverage addresses liability arising from violations of privacy and data breach notification laws, as well as liability for transmitting a computer virus to another party or from copyright infringement included in the insured's website and other violations. “It is important to pay attention to the Prior Acts Date included in the policy, keeping it as far in the past as possible,” the authors wrote, noting that a 2010 Verizon study found that over half of all breaches take weeks to months from the date of first compromise to discovery.

Policies vary in coverage, but franchises should look for protection that includes:

  • Any type of media, as well as physical breaches;
  • Personal and corporate information;
  • Employee data and customer information;
  • Accidental losses, leaks or breaches perpetrated by criminals;
  • Breaches caused from company insiders, who, by some estimates, account for about half of cyber breaches; and
  • Information in the “care, custody or control” of vendors. Some policies limit coverage to information in the “care, custody or control” of the insured, but the authors point out that this leaves open questions such as whether data on cloud servers is in the insured's “care, custody or control.”

On the other side of the ledger, franchises should avoid language in their policies that they be “PCI compliant,” the authors wrote. “Compliance is an ongoing state,” they point out. “Many companies are 'PCI validated' at one point in time, but when a breach occurs, almost by definition, the company is not 'compliant,'” and thus insurance could be denied.

Virus, malware, hacking coverage. Franchises, like every other computer user, are vulnerable to viruses and malware, but they also are potentially liable if their system sends those damaging files to others. Some policies limit the coverage for viruses and hacking to direct intentional attacks that target the insured specifically, which does not protect a franchise very effectively.

Intellectual property infringement. “The exposure to intellectual property infringement, libel, and disparagement suits resulting from websites, e-mail newsletters, blogs and social network marketing activities is underestimated by many companies,” the authors wrote. “Beware of policy language that limits coverage to only claims made in the United States and its territories. The World Wide Web is just that, worldwide, and these types of claims can emanate from anywhere.”

When seeking insurance coverage for intellectual property violations, franchises also should remember that consumer-generated content on social media is especially crucial because many consumers are unaware (or don't care) that they are violating another company's intellectual property rights. “Although limited protection exists via the Digital Millennium Copyright Act's safe harbor provision, costs of defense can still be crippling to small and mid-sized companies,” the authors point out.

First-Party Cyber Coverage

The other aspect of coverage is protecting against liability from first-party exposures through a data breach or cyber attack against the franchisor or franchisee.

A franchise's protection in this area should begin with coverage for fines, penalties and contractual obligations it would incur after a breach (such as chargebacks from credit card companies). Taffae and Magnuson point out that shoe retailer DSW's consent agreement with the Federal Trade Commission (FTC) after a major breach in 2005 required that it obtain a security audit from a qualified, independent third party every two years for 20 years, a cost that DSW would surely like to share with its insurer.

Similarly, franchises will have to handle the public relations aspect of a major breach. They might face notification expenses, as well as follow-up public relations expenses, some dictated by law and some essential to protect the brand. A policy should specifically identify issues such as:

  • May the insured use any service provider, or must it use a provider selected by or approved by the carrier?
  • What expenses are included within the breach notification expenses? Some policies include attorneys' fees, and some include staffing a call center for victims.
  • Is credit monitoring included for individual victims, and for how long and for how many victims?

Other questions can arise about when coverage is triggered. Does the insurer begin its coverage when the insured suspects a breach, or does a breach have to be confirmed? Some insurance policies allow expenses incurred prior to a claim being filed, such as forensic costs, to be counted against the deductible.

Franchises also should consider coverage for lost business due to a breach or a service outage. A study by the Ponemon Institute in 2011 found that business-interruption costs can be about 55% of the cost of a cyber event. “A policy should respond not only when interruption occurs as a result of the insured's own systems, but also because of a failure on a third-party system, including large-scale Internet failure,” wrote Taffae and Magnuson. However, in obtaining the coverage, franchises should be aware of waiting periods and time restrictions. For example, most new policies impose at least a 12-hour waiting period prior to coverage being triggered, but the authors point out that few outages are longer than a few hours, and other policies include back-up and/or redundancy warranties that “all but preclude any event that would last more than 12 hours.”

Caveats

One of the biggest takeaways for franchisors is that cyber liability insurance is evolving quickly. Breach disclosure laws increase awareness of the problem, and victims' complaints are starting to reach the courts in larger numbers, so court decisions are providing some direction about responsibility and costs. The authors point out that although ISO has developed a form called the Internet Liability and Network Protection Policy, experts view it as outdated and inadequate. “As the legal environment matures and reduces uncertainty, and as insurers gain experience, [we] expect to see a more homogeneous market approach. We think it will be at least five to 10 years before we see standardization,” Taffae and Magnuson wrote. “Today, however, the market is far from uniform.”

Their conclusion: Given the uncertainty in coverage and even in nomenclature in this area, it pays for an insurance buyer to do its research.


Kevin Adler is Editor-in-Chief of FBLA. He can be contacted at [email protected].