The frequency and intensity of data breaches and other cyberattacks keep escalating. Although most of the publicity surrounding breaches has involved large, well-known companies, startups and other small companies are not immune.
Any company that possesses sensitive business information or that stores personal customer data, such as names, dates of birth or credit card numbers, is a potential target. And the risk does not always come from the outside. An employee may lose a phone or tablet that contains sensitive data, or a disgruntled employee may leak it.
Given the risks, startups must consider whether it is worthwhile to purchase insurance for data breaches, especially where data breach-related expenses may not be covered by existing policies.
Insurance companies keep issuing new variants of cyber insurance policies. While such policies could provide critical protection for a startup that has fallen victim to a data breach, just buying a policy is not a guarantee of coverage. Insurance companies may deny claims for a host of reasons, only some of which are grounded in explicitly labeled exclusions.
Consider the following points if you decide to shop for cyber insurance.
KNOW THE DIFFERENCE BETWEEN FIRST-PARTY AND THIRD-PARTY COVERAGE
Data breach policies generally provide two broad categories of coverage: first-party coverage and third-party coverage.
First-party coverage is for losses the policyholder incurs directly, such as the costs entailed by investigating the cause of a breach, restoring the company’s reputation and notifying affected customers as well as follow-up costs, such as credit monitoring services.
Third-party coverage kicks in when a policyholder (the company) is sued by someone (a customer) claiming to have suffered a loss resulting from the data breach and alleging the policyholder was at fault for allowing the breach to occur. This coverage encompasses the costs of defending against litigation and of any judgments or settlements up to policy limits.
Startups can buy data breach insurance policies that offer both types of coverage or policies that cover only one or the other. Omitting third-party coverage can be risky. In Innovak Int’l Inc. v. Hanover Ins. Co., a software developer had purchased a data breach insurance supplemental policy to its commercial general liability insurance policy.
The supplemental policy stated that the insurance company would provide certain coverage for losses related to data breaches but that it would not cover expenses arising from lawsuits against the developer. In other words, the policy provided first-party, but not third-party, coverage. While the policy was in effect, hackers accessed the developer’s database and stole users’ personal information, including Social Security numbers, addresses and employment information.
The users sued the developer and the developer notified its insurance company demanding that it pay for the defense of the action. The insurance company refused on grounds that it was not obligated to provide coverage for expenses related to third-party litigation.
Innovak serves as a warning to startups that possess sensitive customer information. Data breaches involving the compromise of such information can lead to liability to third parties. Consider whether third-party coverage is worthwhile, and work with an insurance broker to ensure that you get a policy that fits your needs.
BEWARE ‘FAILURE TO FOLLOW’ EXCLUSIONS
Insurance companies giveth coverage and insurance companies taketh away through policy exclusions. Under the “failure to follow” exclusion, an insurance company retains the right to deny coverage if a policyholder fails to maintain certain minimum security standards. In some policies, this exclusion is broadly worded and may give insurance companies wide latitude for denying a claim. In one ongoing case testing this exclusion’s reach, Columbia Casualty Co. v. Cottage Health Sys., the insurance company, Columbia Casualty, is seeking reimbursement for defense and settlement costs it already paid to a hospital system, Cottage Health System (CHS), after an exposure of patient data. Columbia Casualty alleges that CHS failed to follow minimum required security practices by making the information it stored too easily accessible to anonymous users.
PROVIDE ACCURATE INFORMATION IN THE POLICY APPLICATION
Some insurance companies require potential policyholders to submit an application for insurance setting forth their cybersecurity standards. Knowingly providing false or misleading information on such applications could result in the insurance company attempting to void the policy. In Columbia Casualty, the insurance company argued as alternative grounds for reimbursement that CHS provided false responses in the “Risk Control Self Assessment” section of its policy application. Columbia Casualty essentially asserted that CHS did not implement the safety measures that it said it would in its application and, as a result, Columbia Casualty was not obligated to provide coverage under the policy.
KNOW WHETHER LIABILITY DERIVES FROM CONTRACTUAL OR ASSUMED OBLIGATIONS
Another exclusion to watch for in data breach policies bars coverage for losses arising from an obligation under a contract or agreement. This exclusion may be important to startups that contract with merchants to process credit-card transactions on their behalf.
This exclusion was tested in P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co. Restaurant chain P.F. Chang’s contracted with Bank of America Merchant Services (BAMS) to process credit card payments made by P.F. Chang’s customers. BAMS negotiated P.F. Chang’s arrangements with credit card companies, and in those contracts, agreed to pay fees to the credit card companies in the event of a data breach, which P.F. Chang’s agreed to indemnify.
P.F. Chang’s suffered a data breach that resulted in 60,000 credit card numbers of its customers being posted online. At the time of the breach, the restaurant chain possessed a cybersecurity insurance policy sold by Federal Insurance Co. Federal agreed to pay $1.7 million for a forensic investigation and litigation expenses, but rejected coverage under the contractual liability exclusion for the more than $1.9 million in fees that P.F. Chang’s was obligated to pay pursuant to its agreement with BAMS. P.F. Chang’s sued, but the court agreed with Federal, holding that the exclusion was clear.
Startups that have similar arrangements with credit card processing contractors should consider whether they would be liable under contract for a data breach and if so, seek cyber insurance without this kind of contract exclusion.
The issues and pitfalls discussed above are far from exhaustive. They serve to illustrate, however, the core principle of buying cyber or any other kind of insurance: know your risks, read the policy carefully and seek expert help from a broker or counsel. Given the prevalence of cyberattacks, such coverage must be considered. Because the law surrounding interpretation of these types of policies is still developing, litigation over coverage and policy terms likely will arise.
Cort T. Malone is a shareholder in the New York and Stamford, Connecticut, offices of Anderson Kill PC. Grant E. Brown is an attorney in Anderson Kill’s New York office. Malone can be reached at email@example.com. Brown can be contacted at firstname.lastname@example.org.