On the 12th Day of Privacy, ISO gave to me….
The question is not whether a company will be the target of a data breach, but when. Verizon’s most recent Data Breach Investigation Report states that, in 2012, there were over 47,000 reported security incidents, which resulted in 621 confirmed data disclosures and at least 44 million comprised records. Additionally, states continue to pass – and enforce – strict breach notification statutes, as well as proscriptive statutes mandating encryption to secure data. The Ponemon Institute’s recent study reported that the average cost of a data breach was $5.5 million, with a per record cost of approximately $194. Despite the tremendous exposure in this area, only 30-35% of companies have purchased stand alone cyber insurance coverage. Thus, many companies have elected either to retain the risk associated with a data breach or turn to their traditional insurance program, such as their commercial general liability policy, for coverage.
A standard-form ISO* commercial general liability policy contains coverage for “Personal and Advertising Injury” (Coverage B) which insures against injury, including consequential bodily injury arising from a list of specific offenses, including “oral or written publication, in any manner, or material that violates a person’s right to privacy.“ Over the past several years, there have been many coverage disputes regarding the meaning and scope of “publication” and “right to privacy”. (*ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners)
Policyholders have argued that, because a data breach implicates privacy rights, the insurer is required under Coverage B to pay the resulting damages. While commercial general liability policies and, in particular, Coverage B were never intended to provide coverage for data breaches, courts interpreting Coverage B have issued conflicting decisions. For example, many courts found that Coverage B applied to “junk fax” claims arising under the Telephone Consumer Protection Act (TCPA). In response, ISO issued an endorsement barring coverage for such claims. Thereafter, in 2007, ISO revised the standard form to bar coverage for TCPA claims and, in 2013, ISO further revised the standard form to bar coverage for claims arising out of the violation of a federal, state or local statute that “addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”
Nevertheless, there continues to be litigation arising out of the scope of coverage afforded under Coverage B for data breaches. Continuing to respond to these disputes, in late 2013, ISO issued a series of data breach exclusion endorsements which will become effective in May of 2014. The endorsement applicable to Coverage B (CG 21 06 05 14) provides:
This insurance does not apply to:
Access or Disclosure of Confidential or Personal Information
“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.
The clear intent of this endorsement, as well as the recent revisions to the standard form, is to exclude coverage for data breaches and related privacy claims under Coverage B and more broadly under traditional commercial general liability policies. Indeed, in the filing materials, ISO explains that when commercial general liability and umbrella policies were drafted, “certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.”
A stand alone cyber insurance policy provides broad coverage for both first and third party claims, including costs associated with data-breach notification, credit monitoring services, forensic investigations, public relations and crisis management expenses, regulatory proceedings and third party liability claims. While there are multiple insurers providing these policies, the scope of coverage provided can vary dramatically from policy to policy – even with the same insurer. As such, it is imperative that, when deciding to purchase cyber insurance, a company engage not only an experienced broker but also experienced insurance coverage counsel to confirm that the policy negotiated and purchased provides the most favorable coverage to a company for its unique risks and exposures.
As we ring in the New Year, one or your resolutions should include not only resolving to strengthen your data security systems, but also evaluating what, if any, insurance your company maintains to provide coverage for this increasing and very costly exposure.