Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

When Your Data Goes Viral

By Sherilyn Pastor and Kelly Lloyd
January 31, 2015

As discussed in Part One of this article, a data breach can jeopardize a company's confidential information such as client records, trade secrets, privileged legal information, or employee records. Although many associate data breaches with hackers or cyberattacks, human error, such as a mistake in computer coding or losing a company laptop, also results in significant breaches.

Is there insurance coverage when a company's data goes viral? Maybe. Part One of this article explained the traditional insurance products that may provide a policyholder with insurance coverage for data breaches, and some of the newer products available to policyholders for these risks. It also considered the mixed law developing around these matters, analyzing the recent New York trial court decision in Zurich American Insurance Co. v. Sony Corporation, Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014). The discussion concludes herein.

Coverage Exclusions

Given the array of state and federal privacy and consumer protection statutes, data breaches may trigger statutes or regulations, and insurers may argue that the latest form of the “Distribution of Material in Violation of Statutes” exclusion bars or limits coverage. The changes to that endorsement are illustrated in the chart below.

Insurers contend that these exclusions confirm that they do not intend to cover certain cyber-related risks, including data breaches, under traditional general liability policies. Indeed, brokers have observed that these broader exclusions may be signaling, among the markets that adopt them, an intent to encourage policyholders to purchase cyber and/or media policies to accommodate such risks. See Marsh, ISO General Liability Form Revisions ' Effective April 1, 2013, available at http://usa.marsh.com (last visited Jan. 9, 2015). In fact, insurers now are offering specialized “Cyber Liability” and “Security and Privacy Protection Policies.” ISO, for example, has introduced cyber coverage on standard forms and will be offering a new endorsement for business owner policies. See, e.g., ISO Form No. BP 15 07 03 15.

The policies currently offered vary significantly in terms of the coverage provided. Both first-party and third-party products are available. First-party coverage may insure the policyholder from losses resulting directly from fraudulent input; preparation or modification of data in an policyholder's computer system; cyber-attacks; fraudulent communications causing loss; impairment of services; malicious acts by a person who alters, damages, deletes or destroys company data; instructions or communication that are part of the policyholder's system; fraudulent electronic signatures; and misappropriation of records or data due to a cyberattack or unauthorized hacking. The policy also may cover costs for legal and forensic services, notification to affected individuals, customer credit monitoring, crisis management or public relations services, and business interruption expenses.

Third-Party Liability Policies

Third-party liability policies usually cover losses resulting from claims made against the policyholder. They often reimburse damage to a third party's computer system or content; and protect against claims alleging invasion of privacy; libel, slander or defamation, lost or damaged data, impairment or interruption in services or access, and lost business opportunities or unauthorized access of a customer's account.

Conclusion

The newer insurance products are far from uniform. When purchasing insurance, policyholders should consider the type and magnitude of their risks, and tailor their insurance policies to best meet their individualized needs. To the extent that the policies offered to them contain technical terms of art, or computer- or insurance-related jargon, policyholders should seek advice from their insurance professionals, brokers, or attorneys before they purchase coverage to confirm it meets their needs and covers risks as they intend it to do so.

Following a loss, insureds should consider their factual circumstances, applicable law, and all insurance policies that may respond to their losses. The law is developing, and it remains to be seen how traditional and new insurance forms ultimately will be interpreted and applied by courts.


[IMGCAP(1)]


Sherilyn Pastor, a member of this newsletter's Board of Editors, leads McCarter & English's Insurance Coverage Group. She is is Co-Chair of the ABA's Insurance Coverage Litigation Committee, holds an AV Preeminent Rating from Martindale-Hubbell, and has been honored as a New Jersey Super Lawyer since 2006. Kelly Lloyd is an associate in the Insurance Coverage Group, representing clients in complex insurance coverage litigation.

As discussed in Part One of this article, a data breach can jeopardize a company's confidential information such as client records, trade secrets, privileged legal information, or employee records. Although many associate data breaches with hackers or cyberattacks, human error, such as a mistake in computer coding or losing a company laptop, also results in significant breaches.

Is there insurance coverage when a company's data goes viral? Maybe. Part One of this article explained the traditional insurance products that may provide a policyholder with insurance coverage for data breaches, and some of the newer products available to policyholders for these risks. It also considered the mixed law developing around these matters, analyzing the recent New York trial court decision in Zurich American Insurance Co. v. Sony Corporation, Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014). The discussion concludes herein.

Coverage Exclusions

Given the array of state and federal privacy and consumer protection statutes, data breaches may trigger statutes or regulations, and insurers may argue that the latest form of the “Distribution of Material in Violation of Statutes” exclusion bars or limits coverage. The changes to that endorsement are illustrated in the chart below.

Insurers contend that these exclusions confirm that they do not intend to cover certain cyber-related risks, including data breaches, under traditional general liability policies. Indeed, brokers have observed that these broader exclusions may be signaling, among the markets that adopt them, an intent to encourage policyholders to purchase cyber and/or media policies to accommodate such risks. See Marsh, ISO General Liability Form Revisions ' Effective April 1, 2013, available at http://usa.marsh.com (last visited Jan. 9, 2015). In fact, insurers now are offering specialized “Cyber Liability” and “Security and Privacy Protection Policies.” ISO, for example, has introduced cyber coverage on standard forms and will be offering a new endorsement for business owner policies. See, e.g., ISO Form No. BP 15 07 03 15.

The policies currently offered vary significantly in terms of the coverage provided. Both first-party and third-party products are available. First-party coverage may insure the policyholder from losses resulting directly from fraudulent input; preparation or modification of data in an policyholder's computer system; cyber-attacks; fraudulent communications causing loss; impairment of services; malicious acts by a person who alters, damages, deletes or destroys company data; instructions or communication that are part of the policyholder's system; fraudulent electronic signatures; and misappropriation of records or data due to a cyberattack or unauthorized hacking. The policy also may cover costs for legal and forensic services, notification to affected individuals, customer credit monitoring, crisis management or public relations services, and business interruption expenses.

Third-Party Liability Policies

Third-party liability policies usually cover losses resulting from claims made against the policyholder. They often reimburse damage to a third party's computer system or content; and protect against claims alleging invasion of privacy; libel, slander or defamation, lost or damaged data, impairment or interruption in services or access, and lost business opportunities or unauthorized access of a customer's account.

Conclusion

The newer insurance products are far from uniform. When purchasing insurance, policyholders should consider the type and magnitude of their risks, and tailor their insurance policies to best meet their individualized needs. To the extent that the policies offered to them contain technical terms of art, or computer- or insurance-related jargon, policyholders should seek advice from their insurance professionals, brokers, or attorneys before they purchase coverage to confirm it meets their needs and covers risks as they intend it to do so.

Following a loss, insureds should consider their factual circumstances, applicable law, and all insurance policies that may respond to their losses. The law is developing, and it remains to be seen how traditional and new insurance forms ultimately will be interpreted and applied by courts.


[IMGCAP(1)]


Sherilyn Pastor, a member of this newsletter's Board of Editors, leads McCarter & English's Insurance Coverage Group. She is is Co-Chair of the ABA's Insurance Coverage Litigation Committee, holds an AV Preeminent Rating from Martindale-Hubbell, and has been honored as a New Jersey Super Lawyer since 2006. Kelly Lloyd is an associate in the Insurance Coverage Group, representing clients in complex insurance coverage litigation.

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.