BY JEANNE ORONZIO WERMUTH, CPCU, CIC, ARM, senior technical specialist at The Graham Company, an insurance and employee benefits brokerage
You have probably been hearing more about the concept of cyberliability from your insurance broker, or perhaps it is being discussed within the management circles of your industry.
If your company does not sell any products or services over the Internet, you may be wondering why you would need cyberliability insurance--or worse yet--you may not have even given it a second thought.
If it can happen to Nasdaq, it can happen to you. Late in 2010, hackers accessed one of Nasdaq's Web-based applications in which corporations shared confidential financial and governance information.
If it can happen to Thomas Jefferson University Hospital in Philadelphia, it can happen to you. In August 2010, 21,000 patient records were compromised after the theft of a laptop.
If it can happen to a local retailer, it can happen to you. In late 2009, customers' credit card information was stolen while it was being stored temporarily via point-of-sale software. Fraudulent transactions totaling at least $250,000 resulted.
If it can happen to the U.S. government, it can happen to you. In 2009, hackers disrupted the U.S. Treasury Department and U.S. Secret Service websites for several days over the July 4th holiday.
The term cyberliability encompasses an array of liability exposures that are not necessarily tied just to businesses that sell their products or services over the Internet.
In fact, it is a bit of a misnomer, since a cyberliability policy can cover a number of exposures, including failure to protect an individual's personally identifiable information or confidential corporate information from theft--even when the data was being stored in paper files.
Almost every type of business has an exposure to loss that can be covered by a cyberliability policy. Businesses include law firms, manufacturers, retail stores, restaurants, healthcare providers, technology companies, social service agencies, financial institutions, universities and government entities.
Some of the exposures that can be covered include:
-- Information security and privacy liability for failure to protect personal or corporate information held on computer systems, smartphones, laptops or paper files.
-- Cost to notify affected individuals that their personal information has been breached, as required by law.
-- Other costs associated with data breaches, such as public relations and investigative costs.
-- Loss of business income when a "hacker" prevents your customers from accessing your website.
-- Personal injury (such as libel) that may result from the use of blogs on your website or other social media.
-- Liability for your customers' business interruption suffered because a "hacker" prevented their access to your website or systems, among others.
HOW BROAD THE COVERAGE?
Traditional insurance policies were not designed to cover these types of exposures, so any coverage you might find under your general liability, professional liability, crime or property policies or even a directors' and officers' (D&O) liability policy written for a privately held company will either be very limited or simply accidental.
Some carriers might offer you an endorsement to provide coverage for a specific component of your cyberliability exposure, but it is usually not as comprehensive as buying a separate policy.
From a 10,000-foot view, here are several reasons why your traditional insurance policies might not respond to a cyberliability claim:
-- General liability policies do not respond to claims for damage to intangible property. There is also typically a specific exclusion for claims arising out of electronic data.
-- General liability policies typically exclude claims arising out of "blogs" you own or host.
-- Property policies only provide loss of business income coverage if there was direct physical damage caused to your property, and not caused by hackers that shut down your website.
-- Crime policies do not respond to claims for damage to intangible property, and there is also typically a specific exclusion for loss of confidential information.
-- Private company D&O liability policies typically exclude claims arising out of bodily injury including emotional distress, property damage and specific types of personal injury.
-- No traditional insurance policy currently provides coverage for the expenses associated with notifying affected individuals when their personally identifiable financial or medical information was breached while in your care, custody or control.
These are just some of the hurdles to overcome in order to find coverage for cyberliability claims under a traditional insurance policy.
No traditional insurance policy currently provides coverage for the expenses associated with notifying affected individuals when their personally identifiable financial or medical information was breached while in your care, custody or control. That statement bears further explanation.
The federal government has seen fit to make sure businesses are acting responsibly when gathering, storing and using information that could be used to harm an individual's personal finances or reputation.
That information includes, but is not limited to, names, addresses, driver license numbers, social security numbers, bank account numbers and health information.
The Gramm-Leach-Bliley Act of 1999, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and various state privacy breach notification laws all include provisions requiring companies to protect this information in some way.
These laws create liability for businesses. They also require notification of affected individuals when their information has been breached. The requirements for how and when you are required to notify are very specific within the HITECH Act and the individual state privacy breach laws.
For instance, some states require notification for breaches of electronic data, where others require notification for breaches of data stored on any medium, including paper. The laws that you have to comply with depend on the state in which the affected individuals reside.
The cost of notification is significant, not to mention the cost of legal fees to figure out which laws you would need to comply with and how. The estimated cost of a data breach, according to the Ponemon Institute's 2009 Annual Study: Cost of a Data Breach, is $204 per compromised record.
This estimate includes some costs that are not insurable, such as "lost customer business." However, about 25 percent of this cost is insurable, including investigation, public relations/crisis management, general notification costs and credit monitoring services for affected individuals.
According to the same report, the number of records that were compromised in any one event ranged from 5,000 to 101,000, and the average cost, direct and indirect, of a data breach was $6.75 million. These costs can add up quickly. The full report is available free at http://www.ponemon.org
BACK TO THE REAL DEAL
With the exception of privacy breach notification costs, it is still possible that you could find coverage for some cyberliability claims under your traditional policies, particularly those policies that are providing you liability-type coverage.
If your company suffers a business interruption resulting from a denial of service attack, you might even find coverage under your property policy if there was some concurrent property damage that resulted.
Carriers have not yet added specific exclusions for these types of claims on their traditional policies. They are relying on their current policy definitions and exclusions to protect them for now. This is reminiscent of the evolution of employment practices liability policies.
In the beginning, there were no specific exclusions on general liability or D&O liability policies to exclude employment practices claims. Once those claims started materializing and were covered, employment practices exclusions started appearing rather quickly on general liability and D&O liability policies.
Today, we would not expect that a typical employment practices claim would be covered unless the company had purchased an employment practices liability policy.
The problem is that we do not yet know what the claims will be or how the lawsuits will be brought. The most significant claims the insurance industry has seen so far are for privacy breach notification costs, and the industry has already concluded those are not covered outside of a cyberliability policy.
We can surmise that when the claims come in, they will be alleging things like "emotional distress" or "mental anguish" or "invasion of privacy." Financial damages for an individual may be minimal, unless you find yourself in a situation where the breach of an individual's health information caused them to lose their job or to be "blacklisted" by another company in their industry.
There may be some of you facing class-action lawsuits. Looking at the examples at the beginning of this article, you could imagine the possibilities. But truth be told, we just do not know yet.
Buying a cyberliability policy would, however, provide some peace of mind that you have an affirmative coverage grant for exposures that are new and evolving. And, if you have an exposure for privacy breach notification expenses, including investigation, public relations/crisis management and credit monitoring, buying a cyberliability policy is the only way to obtain coverage.
Cyberliability is an evolving exposure as well as an evolving insurance product.
If you feel you might have one of the exposures described above, explore the product. Talk it through with your insurance broker. Once you have all of the facts, you will be in a better position to make an informed decision.
One word of caution, though: there is currently very little consistency among policy forms, so a thorough analysis of coverages should be done. Further, since the policies cover an array of exposures that may apply to your business, you have the ability to tailor the insurance policy to fit your needs and your price point.
Whether yours is a law firm, manufacturer, retail store, restaurant, healthcare provider, technology company, social service agency, financial institution, university or government entity, you should give this coverage a second thought.
May 1, 2011
Copyright © 2011 LRP Publications