Protecting a company against data breaches requires not only measures to prevent the adverse cyber event, but also adequate insurance to minimize the financial impact should such an event occur. Unlike traditional lines of insurance for which there is substantial uniformity among the coverage available in the marketplace, the evolving market for data security and privacy liability (“cyberliability”) insurance coverage reveals significant differences in the scope of coverage afforded under these policies. Policy forms may vary widely depending on the particular insurer and the industry served, reflecting material differences in contract language, terminology and structure. As a result, whether coverage is available under a particular cyberliability policy requires a careful analysis of the nature of the event as measured against the terms of that policy. What once appeared to have been comprehensive coverage may be revealed to have significant gaps.
One coverage gap that may exist under some policies concerns insider cyber attacks. While external attacks receive substantial news coverage and many companies have become more vigilant and better prepared to prevent an external cyber attack, a recent study published in the Harvard Business Review finds that businesses may be far less equipped to stave off attacks involving insiders – employees, vendors, suppliers and others who may have authorized access to critical or sensitive data. Liability insurance protection – even under specialized cyberliability policy forms – may lag behind on this important issue. It is therefore critical to understand the scope of coverage provided under your company’s cyberliability policy in response to insider attacks or data breaches.
In evaluating whether a particular policy adequately protects against both external and insider cyber risks, it is important to closely review the insuring agreements and any exclusions that may apply to such claims. Some forms, for example, expressly exclude coverage for dishonest or fraudulent conduct by any Insured, including claims arising out of an Insured’s collusion or assistance provided to third parties. Other policy forms expressly exclude coverage for any unauthorized use or accessing of a computer, network or data storage device by an Insured. If the policy at issue defines an “Insured” to include current or former employees, insurers may assert that these exclusions are triggered in many situations for which the company thought coverage existed.
In contrast, other policy forms take a more constrained approach, excluding claims involving only a limited class of insiders. For example, conduct exclusions in some policy forms only preclude claims arising out of an act, error or omission of a director, officer, or senior manager, rather than by any current or former employee.
Thus, in evaluating policy forms when purchasing or renewing coverage, it is important to understand how differences in policy language – including policy definitions and exclusions – may have a significant impact on the scope of coverage available for a cyberliability claim, particularly for claims arising out of malicious conduct by “rogue” employees or other insiders. Companies considering cyberliability coverage or interested in determining whether certain types of claims may be included as an insured risk under a particular policy form should therefore seek guidance from experienced coverage counsel to evaluate that coverage. Because liability insurance should be a vital part of any company’s comprehensive data breach response plan, the time to identify and address potential gaps in coverage is before an adverse cyber event occurs.
Client Alert 2014-269