“CYBER INSURANCE: WHAT YOUR CORPORATE CLIENT NEEDS TO KNOW” by David A. Shaneyfelt

It’s not if, it’s when. When your corporate client gets hacked, will it have insurance available to cover ensuing losses? You don’t have to be Sony to be hacked or to face huge losses. Companies large and small, urban and remote, are equally vulnerable. The threat from foreign espionage, malicious insiders, unsafe devices, and cloud storage is omnipresent. And the Dark Market for stolen personal information is growing. Experts agree that technology can only minimize current risks; it cannot eliminate them.

With this bad news comes this good news – the insurance market has responded and now more than twenty companies are writing insurance policies for it. Policy terms vary widely and need to be tailored to the specific needs of individual companies. But it’s worth advising your corporate clients about the issues now, before harm arises.

Chief among issues to address is whether your client is a data vendor or a data owner. A data vendor possesses confidential information of others (referred to as “personally identifying information” or “PII”). In that case, the client faces risk of claims by third parties when the data breach occurs. A data owner possesses confidential information valuable to it – such as internal financial information, patent information or customer lists. In that case, the client faces risk of damage by loss or leak of that information.

Consideration of these kinds of risks will determine a client’s needs in obtaining coverage. Data vendors generally need protection for defense and indemnity of third-party claims; data owners generally need protection for the loss and restoration of property. Insurance can focus on one or the other or both, if needed.

Coverage options vary widely regarding expenses your client may or may not incur in responding to a breach. Will it need to repair a data system or restore data? Will it need to notify customers or others whose data has been accessed? Will it need to set up call centers? Will it need to provide identify theft services or credit monitoring for  affected individuals? Will it need to retain a security forensics firm or a public relations firm?

Other damages for losses must also be considered – costs for “e-extortion” paid to hackers to get data back, for loss of use and business interruption, for disclosure of information to a competitor or for recreating intellectual property. Other potential costs include investigation expenses and time and legal expense involved in responding to government administrative inquiries. Indeed, while general liability policies typically exclude coverage for fines or administrative hearings, cyber insurance is allowing for coverage of such costs.

Cyber coverage is also allowing for broader coverage of third-party claims. Not only can it offer defense costs for attorneys’ fees and expert witness fees, but it can also cover losses for fines and penalties assessed under privacy statutes or regulations, as well as losses a third party incurs through its inability to access data.

As noted, coverage terms vary, and a client will need to decide whether it wishes the freedom to pick its own data breach consultant or use that of the insurer’s; whether it wants coverage for losses going forward for one year or for longer; whether it wants coverage for loss of business income to begin immediately on breach, after some period of time or for only a set period of time; and whether it wants coverage for responding to government enforcement of privacy laws (in addition to private claims).

As with any insurance policy, pay attention to the exclusions. Find out what is not covered. Pick a policy with a broad definition of “Personally Identifying Information.” You don’t want to fight over what’s covered and what’s not covered. Watch out for exclusions based on contractual liability. Many thirdparty claims are based on contract and those claims should not be excluded from coverage. Many policies limit coverage for criminal conduct, but many criminal laws related to privacy have broad application. Get broad defense coverage. Policies often

exclude damage caused by terrorism or acts of foreign enemies. Make sure your cyber policy drops these exclusions – your data breach is more likely to come from Russia than from Las Vegas. Another common exclusion is for unauthorized data collection. But that is precisely a risk a company needs protection against if it is in the business of data collection.

Perhaps the most practical advice you can give when your client first discovers a databreach is this: give notice to the insurance company. You do not want to fight with an insurance company about whether it got notice of a claim late or was prejudiced in handling the claim because of it. When in doubt, give notice out.

Further, give careful consideration to whether any data breach might occur through your client’s use of a contractor. A chain is only as strong as its weakest link, and hackers often make inroads through outside parties who have legitimate access to company systems. Make sure your client’s contractors have at least as much cyber insurance coverage as your client has, with coverage terms your client needs. Having your client become an additional insured on those policies will help shift risk of loss, too. In short, you can do your corporate client a world of service by nagging about whether it is prepared for the inevitable data breach. Your knowledge of its business operations will help streamline that process greatly.

David A. Shaneyfelt represents companies in disputes against insurance companies. He practices with the Alvarez Firm, with offices in Camarillo and Calabasas.

About Bar