In late 2013, the infamous Target data breach was announced, and the world of cyber security changed forever. Faced first with the embarrassment of having to admit hackers had gotten not only credit card data but also encrypted PIN numbers from debit card customers, Target then faced regulatory actions and a substantial loss of business. Target was ultimately hit with multiple lawsuits from consumers and financial institutions seeking billions of dollars in damages.
Lost in all this was the news that Target might have cyber insurance for some of its losses, but even this was, at least in the beginning, far from certain. (Ultimately Target did recoup some of its losses through its insurance policies.) So it will go in the brave new world of cyber.
Data breaches, accompanying damages and losses and the inevitable litigation have been all over the news lately. Target was joined by such well-known merchants as Neiman Marcus and Home Depot in suffering highly publicized data breaches, and all have been sued in the aftermath. What hasn’t gotten as much attention, however, are the insurance implications of these breaches and losses, and whether cyber insurance will end up being the savior or part of the problem. Whichever it will be, over the coming years it’s safe to say that hard-fought litigation will ensue, not only with respect to the data breaches themselves, but over whether and to what extent insurance covers the losses.
A little background. The most common way of transferring risk in America is through insurance: if a risk is insurable and insurance companies are willing to accept the risk, then risk is transferable. Most businesses at the very least maintain commercial general liability and directors and officers insurance. And while arguably these policies may apply to data breach losses, many carriers are now specifically excluding these losses from the traditional policies. Instead, more and more, carriers are offering specific cyber insurance policies designed to protect businesses from at least some data breach losses.
Because no standard form exists for these policies (they actually differ substantially from one another), because some of the policy language remains negotiable, and because the law and policy language interpretation may differ from state to state, what these policies actually cover will have to be defined through extended litigation. And as we all know, technology is constantly changing, giving rise to more and more different cyber risks. Add to this the fact that many insureds think they have very broad coverage, while many insurers believe the coverage being offered is more narrowly defined, and you get an explosive mix that will fuel lawsuits and claims for the foreseeable future.
Cyber and privacy insurance has been available on the market for the last decade, allowing businesses to ostensibly transfer the risk of liability and losses for a data breach in which the organization’s or customers’ information is lost or stolen. Marsh Inc., a global insurance broker, has estimated that the number of organizations that purchased cyber insurance in the United States increased by 33 percent from 2011 to 2012, and increased nearly 32 percent in the first half of 2015, making cyber insurance the fastest-growing area of commercial insurance in the world. (See, for example, “Cyber insurance in demand after recent data breaches: banks, hotels, educational institutions buying cyber insurance”, July 28, 2013, CBC News.)
In fact, the overall written gross cyber insurance premium is estimated to top $2.5 billion in 2015. The policies vary, with cyber insurance offered as a stand-alone policy, or as an add-on to or included in more general policies.
Two recent surveys, the Advisen Cyber Liability Insurance Market Trends Survey and the Advisen Information Security and Cyber Liability Risk Management White Paper, demonstrate the shift toward cyber insurance and highlight the legal issues that may be just over the horizon. These surveys confirm:
- “The demand for cyber insurance is increasing and the insurance market is responding by adding new capacity and coverage.”
- “The cyber insurance market has grown to over $2 billion, with industry prognosticators expecting it to double by 2020.”
- 61 percent of businesses surveyed now have cyber coverage.
- “[T]he cyber insurance market is disjointed and muddled by…inconsistent policy forms.”
- “While the demand for cyber insurance is arguably skyrocketing, the industry’s attempt to understand a consumer’s risk profile…is currently causing some confusion.”
- Social media, cloud services, IoT and mobile devices are ever-emerging risks. There are huge concerns about the security implications and exposure from these sources.
- The claims, risks and coverages are evolving constantly.
So more and more cyber policies are being written, they contain different policy language, and there is no standard form coverage. What does this mean?
For those not familiar with insurance coverage law and litigation, you need to understand that this law developed slowly over the years as different policy terms were created, reworded and dropped or added in light of the risks being presented. Gradually, the law evolved so that it was clear that certain language by and large meant the same thing. This gradual development was acceptable, since exposures and risks also evolved relatively slowly. This process provided some level of certainty for the carriers (who were pricing the policies and evaluating the risk) and the insureds (who knew what they were buying). This is why most standard policies today by and large say the same thing.
But when a new area of coverage develops for new and changing risks and where no standard policy language exists, to pardon the expression, all hell is likely to break loose. No body of law defines what certain terms mean. And different, albeit similar, terms could give rise to different and multiple meanings depending on the jurisdiction. We have found that policy language varies widely in definitions, and even in what constitutes an insurable event and occurrence.
Since what the language means is now open, and the typical way of resolving disputed insurance policy language is through litigation, lots of coverage disputes are likely in the near future. “As time passes, we may see more litigation in this area,” said Nigel Pearson, global head of fidelity at Allianz Global Corporate & Specialty, in a new report, A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity. “There will be uncertainty about how courts will interpret some of the concepts. This is not unusual with new products and will result in a body of knowledge for underwriters.” Industry representatives already privately predict they will be grappling with these problems for the rest of their careers.
And of course, with coverage disputes come the inevitable bad faith claims, which up the ante and exposure. Given the unsettled nature of the law, even more opportunity may exist for these claims to be made.
While it’s impossible to predict all the issues that will arise as these losses and claims proliferate, it is easy to see that they will be multiple and hard-fought, given the risk and exposure. And it doesn’t take long to come up with just a few issues that themselves could easily fuel a decade’s worth of litigation:
- Will business interruption losses be covered? One of the biggest financial hits taken by a breached party is for business interruption or lost profits—just ask Target. Generally speaking, the insurance industry is not eager to extend coverage for these losses due to the risk of large losses. And insureds often fail to address this up front assuming that these losses are covered. So when a loss occurs and this becomes an issue, look out.
- Insurance coverage ramifications often stem from the use of cloud computing or other vendors for hosting and processing data. Some cyber-risk insurance policies available today reflect the fact that the insured delegates this function to third parties. Some don’t. But again many insureds may assume they are covered.
- Some cyber insurance policies condition coverage on the policyholder having employed “reasonable” data security measures. Insureds will claim these clauses are so vague and subjective that they can’t be enforced. And, given the speed of technological innovation and the ever-changing nature of cyber risks, what was reasonable just months ago may look less so in hindsight. Suffice it to say, as a general proposition, carriers will focus more and more on insurance application responses and use them against policyholders to contest insurance claims. Such arguments are notorious for leading to protracted coverage fights.
- Will the coverage include expenses of responding to informal inquiries and formal proceedings that ensue from state attorneys general, the Federal Trade Commission (FTC) and others when a breach occurs? The recent case of FTC v. Wyndham, F.T.C. v. Wyndham Worldwide Corp., No. 14-3514, 2015 WL 4998121 (3d Cir. Aug. 24, 2015), in which the FTC’s data breach/privacy regulatory and enforcement authority was upheld, highlights another element of data breach damage, since the regulatory actions stemming from a breach can generate millions in costs. The FTC has been pursuing these enforcement actions for years, and will be even more aggressive now. Will the policies cover cyber-related regulatory actions and the FTC’s enforcement of alleged cyber security failures that lead to breaches of consumers’ personal information? Will coverage be limited to defense costs, as opposed to also covering fines and penalties? Traditionally, fines and penalties often were not covered under CGL policies, but who knows under the new cyber policies.
- In addition to fines and penalties, the FTC often seeks injunctive remedies, such as requiring companies to submit to security audits for a period of up to 20 years. Such remedies obviously cause companies to incur significant costs, yet the “Loss” definition of many cyber policies is also written to try to exclude such relief.
- Some cyber-policies offer regulatory coverage only through an add-on endorsement that must be purchased on top of a standard-form policy that contains a regulatory exclusion. When coverage is added by endorsement, there can be arguable ambiguities because the endorsement, which is not a standard form, may not line up perfectly with the underlying policy.
- Will the policies cover breaches arising from mobile devices that may or may not be connected to the company’s computer network? More and more employees can access systems through tablets, smartphones, and PCs; some employees may unknowingly create security risks, even when the device is not logged onto the company servers. Will losses from this kind of breach be covered?
- How will courts treat notice requirements under cyber policies when there is a breach? Unlike other types of events, every second counts when dealing with a breach and mitigation issues may arise where notice is not promptly given.
- Some policies contain exclusions that specifically apply to certain alleged violations of statutes or regulations. This could be troubling in the data breach context, particularly since what is a violation in some states is not in others, yet the applicability of various state laws can be quite broad depending on where a company does business. And what about the costs of notice under the varying state statutes? How will these be treated?
- How will the definition of a “claim” be treated? Cyber-insurance liability coverage usually is triggered by a “claim” made against the policyholder. Even when the “claim” definition encompasses a regulatory “proceeding,” it may be limited to “formal” proceedings and actions “commenced by the filing of a notice of charges, formal investigative order or similar document.”
- What about sublimits? Cyber policies often limit regulatory coverage by imposing “sublimits” that drastically reduce the amount of coverage for regulatory and other claims; in some policies, the regulatory sublimits may be a quarter, or even a tenth, of the aggregate limits. But ambiguities and inconsistencies can arise when the sublimit is compared to the overall coverage.
- What do the policies say about coverage for breaches of consumer or business credit card information? These can be large exposures when there is a significant data breach.
- What about costs associated with ransomware? Insureds will claim they have little choice here: pay or be shut down, and that this is just another cost of doing business. Will these costs be covered? Even if not, will the associated investigation costs, and the business interruption losses if the ransom is not paid, be covered?
These are just a few of the more obvious issues. Given the plethora of policies and policy terms in the marketplace that are still evolving, countless other issues will no doubt arise. And the evolving nature of devices and applications, together with constantly changing cyber threats, will also lead to new and unexpected insurance demands and coverage claims. So what these policies mean and what they cover could be a litigation issue that’s not going to be resolved for quite a long time. Fasten your seatbelts, folks, we could be in for a wild ride.
About the Author
Steve Embry is a partner at Frost Brown Todd LLC in Louisville. He focuses his practice on class action, privacy and mass tort litigation.