Data breach insurance

Cyber security and privacy liability focuses on emerging risks arising from information technology that are outside the scope of traditional insurance policies. Traditional insurance is generally focused on issues of physical damage and bodily harm. The core components of a cyber liability policy are designed to help companies deal with specific legal obligations and liabilities associated with a loss, theft or unauthorized disclosure of confidential information, for example a data breach event. Cyber liability is also known as data breach insurance.

Note: technology errors & omissions (Tech E&O) insurance policies provide professional liability insurance to entities that provide technology services for others. These policies often include cyber coverages as well. For simplicity, this presentation will not cover Tech E&O.

  • Legal liability coverage
  • Breach response costs

In terms of insurance for data breach events, ‘cyber’ policies typically provide two broad types of coverage.

1. legal liability coverage – defense costs and indemnification for amounts that the insured is required to pay as damages because of a data breach; and

2. breach response costs – expenses incurred to investigate an actual or suspected breach event and to comply with legal obligations arising from such an event.

  • Claims seeking damages
  • Regulatory claims and penalties
  • Payment Card Industry (PCI) fines and assessments

There are three key third-party legal liability coverages provided for data breach events.

1. Coverage for claims seeking damages. These are most often class action claims.

2. Coverage for legal representation for a regulatory investigation probing a data breach event as well as for fines resulting from such investigations.

3. Coverage for amounts that the insured is contractually liable to pay as fines and loss assessments to payment card issuers under a merchant services agreement, an agreement to accept credit/debit card payments.

  • Computer forensics costs
  • Legal fees
  • Consumer notification
  • Credit monitoring
  • Crisis management expenses

Breach response costs are focused on helping an insured to determine if they have a legal obligation to notify consumers of a data breach event and funding the cost of such an obligation. Coverage typically includes the costs to investigate an actual or suspected incident (computer forensics), to obtain counsel, the cost of notifying consumers as well as other crisis management expenses. Often, companies will offer the consumers a remedy in the form of credit monitoring services. This is generally covered as well.

  • Media liability
  • Cyber extortion
  • Other first party coverages

A big part of what can make a cyber liability policy confusing is that the policies often include other coverage parts in addition to data breach coverages.

Let’s take a quick look at these other coverage parts.

Typical cyber liability policies include some type of media liability coverage in order to address gaps in the Personal & Advertising Injury section of Commercial General Liability Policies.

Media liability is provided in different forms by different carriers, but coverage generally falls into one of two forms:

  • Internet media liability
  • Multimedia liability

Internet media liability is limited to material published on the insured’s website(s), and often also includes material published via social media (such as Facebook or Twitter). Note: carriers that offer internet media will often offer multimedia coverage by endorsement.

Multimedia liability includes all material (online or offline) disseminated by an insured.

Cyber extortion coverage will indemnify an insured for amounts paid under duress arising from threats to damage or release data from the insured’s computer system or to disable or interrupt the normal operations of the insured’s computer system.

The most common recent example of cyber extortion is the ransomware attack. These are malware programs (a type of computer virus) that infect the victim’s computer system and encrypt the data stored on that system. The criminals behind the malware will require a ransom, typically paid in the digital currency known as Bitcoin, in order to provide the victim a password required to decrypt the information.

Another form of cyber extortion, typically directed against online merchants during peak periods, involves denial of service attacks. Under this scheme, the bad actor will flood the victim’s computer system with a stream of data. The victim’s system will be overwhelmed and, effectively, will be shut down. The bad actor will continue this attack until the victim agrees to pay a ransom.

Other first party coverage parts commonly found on cyber policies include:

  • Data protection
  • Business interruption
  • Crime or social engineering

Data protection
Pays the insured’s costs to recreate or restore data corrupted or deleted due to a failure of computer security.

Business interruption
Coverage for the insured’s loss of income or extra expenses. Most forms are triggered by a failure of computer security. Some also are triggered by a data breach event. It is occasionally possible to expand coverage to include loss due to a hardware or software failure within the insured’s computer system. This is known as systems failure coverage.

Crime or social engineering
Some cyber liability policies will offer some type of crime coverage, most often in the form of social engineering coverage. Social engineering coverage will indemnify an insured for a loss when an employee has been tricked into sending money or securities to a bad actor by virtue of fraudulent instructions intended to mislead the employee through the misrepresentation of a material fact that is relied upon in good faith by the employee.