As one means of managing the cost of a data security breach (when confidential electronically stored information is disclosed), public and private organizations may purchase “cyber insurance” policies. The purchaser seeks to limit the substantial costs involved in investigating and remedying a breach. However, such policies (which are relatively new to the marketplace) have considerable potential for gaps in coverage and misunderstandings between the insured organization and the cyber insurer extending the policy. For example, an organization’s basic purpose for buying coverage — to protect itself from lawsuits when personally identifiable information is compromised — should be unequivocally communicated to the insurer when the policy is purchased.
The terms and conditions of a cyber insurance policy can vary depending on an organization’s size, the industry in which it operates, and the types of data it holds. These considerations, while not an exhaustive list, can benefit the purchaser during policy negotiations:
- Purchase a policy according to your organization’s specific risks. An organization may wish to exclude unnecessary coverage costs. For example, costs for theft of data assets may be unnecessary, but coverage for the expense to notify all those affected by a privacy breach is a basic component of any policy.
- Limit the policy according to the total liability exposure your organization would face in the event of a breach. Costs of responding to a data breach, including liability for each electronic record involved in the loss or theft of personal data, can be substantial. However, the size and type of information stored by an organization will affect its liability limit. Any “sublimits” on liability for notification costs, or for regulatory investigations such as a consumer protection audit, should likewise be adequate for the size and type of the organization purchasing the policy.
- Consider a policy with retroactive coverage. To protect against data breaches that occurred before the policy’s inception date (but were not discovered until a claim is made), ask insurers about a retroactive policy date to cover undiscovered breaches. Some insurers may even offer unlimited retroactive coverage.
- If confidentiality agreements are common for your organization, a cyber insurance policy should not exclude coverage for liability arising from breach of contract. For many organizations that hold personally identifiable information of students, employees, and clients, cyber insurance is necessary to protect against damage claims arising from a breach of privacy pursuant to confidentiality agreements. Policies that broadly exclude breach of contract liability should be modified.
- Add your preferred attorneys or consultants to any pre-approved list required by the insurer. Some policies require that any professional used by the organization to respond to a claim filed against the organization be approved by the insurer prior to responding. A professional who is familiar with the organization’s business (such as an attorney or other consultant) should be pre-approved during the policy’s drafting phase.
- Seek modification of prior consent provisions. If a policy provides that an insurer must consent before emergency costs are incurred (such as costs of notification of a data breach), the policy may be modified so the insurer’s consent cannot be withheld if the costs are reasonable.
- Distinguish between “duty to defend” provisions and “duty to reimburse” provisions. Parties to the policy should agree on how defense costs will be allocated when a lawsuit against an organization asserts claims covered by the cyber insurance policy. Under a “duty to defend” policy, the insurer may cover 100% of defense costs for any covered claim. Under a “duty to reimburse” policy, allocation depends on whether the insurer agrees to reimburse the organization for its defense costs or pay them on the organization’s behalf.
- Consider coverage for third-party vendors. If your organization uses a vendor to store its private information, the policy may be structured to cover claims against the organization that result from breaches caused by the vendor. Also, a policy should address any indemnity agreement to avoid interference with the organization’s insurance coverage in the event the organization collects an indemnity award from its vendor. Organizations may also encourage vendors to obtain their own cyber insurance policies, so the vendor has primary coverage over claims brought against it, and your organization’s insurance policy limits will not be adversely affected by claims for which the vendors are responsible.
- Consider partial subrogation waivers in cyber insurance policies. Vendor contracts typically contain a limitation of liability provision, in which the organization promises not to sue its vendor in certain contexts. Yet this limitation may interfere with a cyber insurer’s subrogation rights, that is, its ability to assert claims against the organization’s vendor. It may be prudent to negotiate a partial “waiver of subrogation” provision in a cyber insurance policy, whereby the cyber insurer promises not to assert an impairment-of-contract claim against the organization based on a liability limitation provision that was in place in the organization-vendor contract prior to any loss the cyber insurer ultimately pays on behalf of the organization.
Courts have noted some potential areas of dispute arising from cyber insurance policies. For example, New York’s highest court recently ruled in favor of a cyber insurer, agreeing its policy covering losses for “fraudulent entry” into the insured’s data system did not cover losses that resulted from authorized access to the system by the insured’s own employees. (See Universal American Corp. v. Nat’l Union Fire Ins. Co. (2015) 2015 WL 3885816.) In a recent unpublished California decision, the insurer claimed it was not required to cover the insured’s loss when the insured never followed its own internal risk controls to prevent data security breaches. (See Columbia Casualty Co. v. Cottage Health System (2015) 2015 WL 4497730.) Dismissing the case because the policy provided for mediation of coverage disputes, the federal district court did not resolve this issue, but similar issues may surface in the future.
By using these considerations as a starting point, organizations may begin to design a cyber insurance policy that addresses their liabilities and risks in the event of a data security breach. Advice of legal counsel is strongly recommended when considering such a policy.
Scott Sachs represents private and governmental entities in complex litigation in the areas of data privacy and security issues, construction and environmental law.