EdLawConnect Blog

As one means of managing the cost of a data security breach (when confidential electronically stored information is disclosed), public and private organizations may purchase “cyber insurance” policies. The purchaser seeks to limit the substantial costs involved in investigating and remedying a breach. However, such policies (which are relatively new to the marketplace) have considerable potential for gaps in coverage and misunderstandings between the insured organization and the cyber insurer extending the policy. For example, an organization’s basic purpose for buying coverage — to protect itself from lawsuits when personally identifiable information is compromised — should be unequivocally communicated to the insurer when the policy is purchased.

The terms and conditions of a cyber insurance policy can vary depending on an organization’s size, the industry in which it operates, and the types of data it holds.  These considerations, while not an exhaustive list, can benefit the purchaser during policy negotiations:

• Purchase a policy according to your organization’s specific risks. An organization may wish to exclude unnecessary coverage costs. For example, costs for theft of data assets may be unnecessary, but coverage for the expense to notify all those affected by a privacy breach is a basic component of any policy.
• Limit the policy according to total exposure of liability your organization would face in the event of a breach. Costs of responding to a data breach, including liability for each electronic record involved in loss or theft of personal data, can be substantial. However, the size and type of information stored by an organization will affect its liability limit. Also, any “sublimits” to liability for notification costs, or for regulatory investigations such as a consumer protection audit, should also be adequate according to the size and type of the organization purchasing the insurance policy.
• Consider a policy with retroactive coverage. To protect against data breaches that occurred before the policy’s inception date (and not discovered until after a claim is made), ask insurers about a retroactive policy date to cover undiscovered breaches. Some insurers may even offer unlimited retroactive coverage.
• If confidentiality agreements are common for your organization, a cyber insurance policy should not exclude coverage for liability arising from breach of contract. For many organizations that hold personally identifiable information of students, employees, and clients, cyber insurance is necessary to protect against damage claims arising from a breach of privacy pursuant to confidentiality agreements. Policies that broadly exclude breach of contract liability should be modified.
• Add your preferred attorneys or consultants to any pre-approved list required by the insurer. Some policies require that any professional used by the organization to respond to a claim filed against the organization be approved by the insurer prior to responding. A professional who is familiar with the organization’s business (such as an attorney or other consultant) should be pre-approved during the policy’s drafting phase.
• Seek modification of prior consent provisions. If a policy provides that an insurer must consent before emergency costs are incurred (such as costs of notification of a data breach), the policy may be modified so the insurer’s consent cannot be withheld if the costs are reasonable.
• Distinguish between “duty to defend” provisions and “duty to reimburse” provisions. Parties to the policy should agree on how defense costs will be allocated when a lawsuit against an organization asserts claims covered by the cyber insurance policy. Under a “duty to defend” policy, the insurer may cover 100% of defense costs for any covered claim. Under a “duty to reimburse” policy, allocation depends on whether the insurer agrees to reimburse the organization for its defense costs or pay them on the organization’s behalf.
• Consider coverage for third-party vendors. If your organization uses a vendor to store its private information, the policy may be structured to cover claims against the organization that result from breaches caused by the vendor. Also, a policy should address any indemnity agreement to avoid interference with the organization’s insurance coverage in the event the organization collects an indemnity award from its vendor. Organizations may also encourage vendors to obtain their own cyber insurance policies, so the vendor has primary coverage over claims brought against it, and your organization’s insurance policy limits will not be adversely affected by claims for which the vendors are responsible.
• Partial subrogation waivers in cyber insurance policies. Vendor contracts typically contain a limitation of liability provision, where the organization promises not to sue its vendor in certain contexts. Yet this limitation may interfere with a cyber insurer’s subrogation rights, or its ability to assert claims against an organization’s vendor. It may be prudent to consider negotiating a partial “waiver of subrogation” provision in a cyber insurance policy, whereby the cyber insurer promises to not assert an impairment of contract claim against the organization based on a liability limitation provision that was in place in the organization-vendor contract prior to any loss the cyber insurer ultimately pays on behalf of the organization.

Courts have noted some potential areas of dispute arising from cyber insurance policies.  For example, New York’s highest court recently ruled in favor of a cyber insurer, agreeing its policy covering losses for “fraudulent entry” into the insured’s data system did not cover losses that resulted from authorized access to the system by the insured’s own employees.  (See Universal American Corp. v. Nat’l Union Fire Ins. Co. (2015) 2015 WL 3885816.) In a recent unpublished California decision, the insurer claimed it was not required to cover the insured’s loss when the insured never followed its own internal risk controls to prevent data security breaches. (See Columbia Casualty Co. v. Cottage Health System (2015) 2015 WL 4497730.) Dismissing the case because the policy provided for mediation of coverage disputes, the federal district court did not resolve this issue, but similar issues may surface in the future.

By using these considerations as a starting point, organizations may begin to design a cyber insurance policy to address their liabilities and risks in the event of a security data breach. Advice of legal counsel is strongly recommended when considering such a policy.