In spite of robust security measures, a number of prominent companies – Equifax, Target, Uber, Yahoo and others – have in recent years been victims of cyberattacks. But it is not only the large companies that are hit: according to Verizon's 2017 Data Breach Investigations Report, 61% of breach victims were firms with fewer than 1,000 employees.
Insurance companies have for some time provided network and data security and privacy insurance (NDSP) to address such hazards, and the coverage offerings have been continually improved to keep pace with the evolving threats. All good. But just what is covered under an NDSP policy?
First, with respect to coverage arrangement, NDSP coverage is available under a stand-alone policy or via endorsement to a broadcaster's E&O/media liability insurance policy. Unless specifically endorsed otherwise, a standard broadcaster's E&O/media liability insurance policy does not provide NDSP coverage. General liability policies likewise do not provide NDSP coverage, although some insurers now offer a very limited form of it – a narrow scope of coverage with nominal limits – as an enhancement to their commercial general liability policies.
NDSP policies and endorsements typically provide both first party coverages – reimbursement of costs and expenses incurred by the policyholder – and third party coverages – defense costs and damages awarded as a result of a lawsuit or regulatory action. The policyholder can elect to purchase either or both.
First Party Coverages
Your IT Director walks into your office one Monday morning and says, "We've got a problem, we've been hacked!" Or you become aware of a ransomware threat. Now what? NDSP first party coverages reimburse the policyholder for the following expenses and costs incurred in response:
Crisis Management/Fraud Mitigation
- Forensic: Costs incurred to ascertain the cause and scope of the intrusion
- Legal: Costs incurred to consult with legal professionals to ascertain your notification duties and to develop the appropriate form and content of notification
- Communications: Costs incurred to communicate with affected parties including the distribution of notices, establishing a call center or website, and related measures
- Fraud Response: Costs for credit and identity monitoring services for affected parties
- Public Relations: Hiring a public relations firm or like skilled enterprise for the extended public interface to manage the situation (advertisements, press releases, training a spokesperson, etc.)
- Extortion Response: Costs incurred to evaluate a ransomware or other extortion threat and to affirm that the threat has ended
- Extortion Payment: Payment of actual funds to satisfy and extinguish the extortion threat
A key consideration is that coverage is provided only for payments approved in advance by the insurer. It is therefore essential that the policyholder promptly advise the insurer of any systems security breach, and then meaningfully engage with the insurer on the response measures, before forensic firms, counsel or other vendors are retained; costs incurred without the insurer's prior approval may not be reimbursed.
Business Interruption/Data Restoration
Whatever the intent of the attack – theft of personally identifiable information, trade secrets or client information, or extortion – the consequences can also include a systems shutdown and/or loss of data. Some NDSP policies include business interruption/extra expense coverage and digital data recovery expense protection; others do not, so confirm whether these are included before relying on them.
Third Party Coverages
In spite of the policyholder's best efforts to contain and mitigate the third party consequences of a breach, affected parties may sustain financial loss that, individually or collectively, can be substantial (just this past month hackers stole $530 million worth of digital currency from the Coincheck cryptocurrency exchange). Among other legal theories, lawsuits brought by third parties in connection with a breach can allege that the organization failed to maintain appropriate security measures or did not provide timely notification of the breach to affected parties. The breach itself need not be a deliberate intrusion: it can arise from an accidental, unintentional release of data (an employee's laptop left on an airplane) or from an employee unknowingly enabling unauthorized access.
In addition, various privacy regulations (HIPAA, the California Database Breach Act, etc.) set out an organization's duties and responsibilities relative to the care, custody or use of personally identifiable information. Non-compliance with such regulations can result in civil investigations and civil proceedings brought by or on behalf of a government agency or regulatory authority, which can result in fines and penalties in addition to required payments to a consumer redress fund.
NDSP policies provide the policyholder with coverage for both circumstances – claims brought by affected parties for their financial or other losses, and claims brought by the relevant regulatory authorities. Coverage for punitive damages is included where permitted by law.
Limits, Deductibles, Terms and Conditions
Separate limits of protection are typically declared for each distinct coverage, although the first party coverages may be subject to a single combined limit for all such coverages. All coverages provided under the policy or endorsement are then subject to a policy/endorsement aggregate limit. Defense costs for the third party coverages are included within the limits of protection – every dollar spent on defense reduces the amount available to pay damages – and deductibles apply to all coverages.
Third party coverage is provided on a claims-made policy form. To be eligible for coverage, the breach/wrongful act must occur after the policy effective date or retroactive date, and the claim must be reported to the insurer as soon as practicable and no later than the policy expiration date or the end of the extended reporting period. A breach that predates the retroactive date, or a claim reported after the reporting window closes, falls outside the coverage.
Unlike workers compensation insurance — for which coverage is subject to standard, statutory forms — each NDSP insurer develops and uses its own, unique policy form. NDSP policies can be very complex and coverage terms can differ substantially from one insurer to another. This discussion is general in nature and is intended as a brief overview of certain NDSP coverage considerations. Consult the actual policy forms for details.
Contact: Stephen W. Patterson, MBA, CPCU, firstname.lastname@example.org, 800-516-5199 ext. 111