Insurance in the Digital Age: New Risks May Require New Coverage



Practice Areas

R. Steven DeGeorge
Robinson Bradshaw Publication
Sept. 13, 2011

Businesses have always collected and held valuable personal information belonging to their customers and employees, but that information is rapidly approaching the end of a near-universal migration from stuffed filing cabinets to networked hard drives. In its new electronic space, it becomes no more valuable, but far more vulnerable to mischief-makers worldwide. So-called “cyber attackers,” who President Obama has called “one of the most serious economic and national security threats our nation faces,” have generated an entire mini-industry devoted entirely to protecting businesses and consumers from their malevolence. In fact, October is National Cyber Security Awareness Month -- so named by Presidential proclamation for the last seven years. There are cybersecurity companies, think tanks, government agencies, and, of course, insurance – the subject of this article.

It should be no surprise that the consequences of a data breach can be disastrous. Sony Corporation currently faces 55 putative class action lawsuits stemming from the widely-publicized data breaches that shut down its PlayStation Network for weeks. Hundreds of similar lawsuits are winding their way through state and federal courts across the country. A single data breach can result in massive defense costs, huge jury verdicts, crippling publicity, and governmental civil and criminal proceedings.

Data breach litigation is on the rise, due in part to laws in most states (including North Carolina) requiring disclosure of data breaches. Earlier this year, the Obama Administration called for federal legislation that standardizes these laws. While intended to improve consumer awareness, these laws also provide opportunities for plaintiffs’ attorneys to bring lawsuits on behalf of huge classes of consumers. In short, as hackers get smarter and laws get tighter, the risk of a costly data breach rises – particularly for businesses without the resources to centralize IT departments and invest in cutting-edge security measures. Businesses are increasingly turning to insurance to manage this risk, where they find themselves surprised by the limitations of their existing coverage.

Whether data breach losses are covered by traditional Commercial General Liability (“CGL”) policies is an open question, although the weight of judicial authority is trending against coverage. The U.S. Court of Appeals that covers both North and South Carolina has ruled that insurance covering losses associated with “tangible property” -- a common form of commercial liability coverage -- does not apply to electronically-stored data. Although other courts have reached different conclusions, this ruling is binding precedent for federal litigation in North and South Carolina (as well as Virginia, West Virginia and Maryland). Therefore, businesses holding only traditional CGL policies should presume they currently have no coverage for losses caused by data breaches.

For businesses looking to mitigate these risks, several insurers now offer stand-alone cyber liability policies, including AIG (netAdvantage) and Chubb (Safety Net and Cyber Security). The scope of coverage varies, but cyber liability policies generally cover defense costs, settlements, judgments and sometimes governmental penalties resulting from theft and unauthorized dissemination of electronic data; virus transmission; security failures causing network unavailability to third parties; and intellectual property infringement, libel, slander and defamation caused by data breaches or activities on the policyholder’s web site. Coverage can also be obtained for lost profits and crisis management costs. Although premiums vary significantly depending on the scope of desired coverage and the insured’s business, a typical annual premium might be $5,000 for coverage of $1 million, with a $25,000 deductible. Businesses that store especially large amounts of personal data, such as financial institutions and healthcare providers, can expect to pay substantially higher premiums.

A business considering cyber liability insurance can take the following steps to help ensure it procures the right type and amount of coverage, at the lowest possible cost:

The business world is becoming ever more dependent upon electronic collection and storage of sensitive customer data, and breaches of that data are easier than ever to identify and exploit through the legal system. The cost of a security breach can be far-reaching and long-lasting. When combined with appropriate security measures and disclaimers, wisely-selected insurance can be an essential backstop to an overall risk-management program.

Main Menu