Increasingly, C-suite executives and board members have questions about their companies' cybersecurity practices—or lack thereof. This monthly series is intended to provide high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches and the attorney-client privilege for cybersecurity investigations. Part 7 examined the types of lawsuits that companies could face due to a data breach.

This series has examined the various legal risks that companies face after a data breach. If your company has experienced a data breach, you probably will ask your insurance carrier to cover lawsuits and other costs related to a data breach, just as you would with a slip-and-fall accident on your property. Don’t be surprised if your insurance company refuses to pay for your legal expenses, credit monitoring for customers, and other breach-related costs, especially if you haven’t purchased insurance that specifically covers cybersecurity incidents.

Many companies attempt to rely on their commercial general liability insurance coverage, which is standard for U.S. businesses and protects them from claims arising from bodily injury, property damage, and other harms. Commercial general liability insurance policies vary by carrier, so it is necessary to first review your policy (or better yet, have your lawyer review it) to determine whether it specifically addresses cybersecurity. That may provide a clear answer as to whether your breach-related costs are covered.

Unfortunately, in many cases, commercial general liability insurance policies do not specifically address cybersecurity. This can lead to a great deal of uncertainty during the already chaotic days after a large data breach.

Form ISO CG, the standard form for commercial general liability policies provided by Insurance Services Office Inc., covers certain expenses related to “personal and advertising injury,” which it defines as including “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Some companies that have experienced data breaches have sought coverage under such provisions, arguing that the expenses that they face – such as litigation defense and credit monitoring – arise from the publication of their customers’ personal information. Some insurers will challenge this claim, arguing that the policies only cover publication by the policyholder, not by an anonymous hacker.

Courts are divided as to whether data breaches should be covered under “publication” clauses in commercial general liability insurance policies. In a case decided in April, the United States Court of Appeals for the Fourth Circuit required an insurance company to cover the expenses of a healthcare company whose customers sued after their medical records allegedly were exposed on the Internet. The insurance policy required the insurer to cover expenses arising from the healthcare company’s “electronic publication of material that ... gives unreasonable publicity to a person’s private life.”  The insurer argued that no “publication” occurred because the healthcare company did not intend to expose the medical records to the public, but the court rejected that argument, reasoning that the distinction was irrelevant, and a publication clearly occurred.

However, other courts have reached the opposite conclusion and refused to require insurers to cover data breaches under the “publication” clause of their commercial general liability policies. Among the highest-profile disputes was one arising from the 2011 breach of Sony PlayStation’s online network. A New York state trial court judge ruled that Sony’s commercial general liability policy only covered publication by Sony, and therefore its insurer, Zurich American Insurance, was not required to cover the costs of the breach. Sony appealed, but reached an undisclosed settlement with Zurich before the appellate court ruled on the issue.

In light of the uncertainty as to whether commercial general liability policies cover data breaches, companies are increasingly considering whether to purchase cybersecurity insurance policies, which supplement their commercial general liability policies and are intended to cover incidents such as data breaches. 

Because such coverage is relatively new, companies still are assessing whether cybersecurity insurance is a prudent expense. Instead of purchasing cybersecurity insurance, some companies “self-insure,” covering their own costs of potential breaches. In light of the increasing frequency – and cost – of data breaches, self-insurance can be a costly option, particularly for companies that handle large volumes of personal information.

And even if a company purchases cybersecurity insurance, it may not receive coverage for all of its breach-related costs. For instance, the P.F. Chang’s restaurant chain purchased a cybersecurity insurance policy for approximately $134,000 a year. After a 2014 data breach that exposed approximately 60,000 customer credit card numbers, its insurer reimbursed the company more than $1.7 million for various costs, including a forensic investigation and defense costs in a lawsuit brought by customers. However, the insurer refused to cover more than $1.9 million in assessments by credit card companies due to the chain’s alleged failure to comply with Payment Card Industry Data Security Standards. In May, a federal judge in Arizona ruled that the credit card assessments were not covered by the insurance policy, noting that P.F. Chang’s is a “sophisticated party” that “could have bargained for that coverage.”

The bottom line: never assume that your insurance will cover all costs that arise from a data breach. If you decide to purchase cybersecurity-specific insurance, carefully evaluate the policies to ensure that they cover the wide range of costs that your company might experience after a data breach.
