Does Your Data Breach Insurance Policy Measure Up?


My role on our law firm’s data breach rapid reaction team includes mitigating litigation risk and assessing the data breach and other insurance coverage available to the client in their time of need. I also help the client comply, if feasible, with any policy preconditions to obtaining coverage and help frame the initial notification to the insurer(s) to improve the likelihood of a favorable coverage decision.

In too many cases where we have been retained post-breach, it turns out our client has not purchased the appropriate coverage for their cyber risks. Unfortunately, some clients are under the usually mistaken impression that a standard Commercial General Liability (“CGL”) policy or a Commercial Crime policy will provide meaningful coverage in the event of a data breach. While there were arguments for third-party coverage available under the advertising injury provisions of older versions of the standard Insurance Services Organization (“ISO”) CGL policy form widely used by insurers, new exclusions added to these policies in 2014 make it much more difficult to obtain coverage for data breach claims under them. As a general rule, adequate data breach coverage will require the purchase of a separate data breach policy or a data breach endorsement to an existing policy.

When considering data breach insurance coverage, it is important to distinguish between first-party and third-party claims. Pre-2014 CGL policies may potentially cover some third-party data breach claims, e.g., defense costs and indemnification if you are sued by a customer for exposing their data. This is to be contrasted with first-party claims by the insured for reimbursement of the high costs of responding to a data breach—such as hiring data breach counsel, computer forensic experts, a PR firm to provide crisis management services, an administrator for sending legally sufficient notice to those persons and businesses whose data has been compromised, and potentially providing credit monitoring services to the victims. Claims made by an insured for expenses it has incurred in responding to and mitigating liability for a data breach are generally considered to be first-party claims, and are not typically covered by most standard CGL policies.

Several of my data breach clients thought they were covered with so-called “cyber breach” policies, but in reality the policies provided little if any coverage to reimburse the insured for monies they necessarily incurred in rapidly responding to the breach. In one case, on the recommendation of their broker, a client in the financial industry purchased an additional policy endorsement titled “Technology Services Endorsement” that to a layman appeared to be comprehensive data breach coverage, but after all the exclusions were applied, in reality provided no additional meaningful coverage for the extra premium—no mitigation or response costs and not even coverage for third-party claims, except for social media defamation claims, which were an unlikely risk for my client in the payment processing business. My conclusion was that the coverage was illusory and the insurance broker had committed malpractice by recommending an inappropriate and inadequate policy. The insurer and broker were eventually “persuaded” to pitch in toward the substantial response costs under threat of bad faith and broker malpractice litigation.

In another case, my client had a reasonably comprehensive multi-million dollar CGL policy with a data breach first-party response cost endorsement. One problem with this endorsement was that data breach coverage was limited to $25,000.00 and there was a sublimit for legal and forensic expense reimbursement of $5,000.00. This was token coverage at best. The policy also required the insured to use the insurance company’s designated breach counsel and data forensics company. This can be an issue because a data breach demands immediate action to limit the damage done and to timely comply with statutory notification requirements. Insurance companies, however, generally want to ponder a claim. I am not confident that many insurers are set up to react quickly enough to get qualified personnel on the ground in time to assist their insured with the breach response. I do know that even at low insurance company rates, the forensics and legal work related to a data breach cannot be done for $5,000. Once again we were able to convince the insurance company to pay most of their $25,000 limit by pointing out ambiguities in the policy language.

While we do our best to “find” some coverage for clients who come to us after a breach has occurred, the much better practice is to have an evaluation done of your insurance needs compared with your coverage in advance of a breach. This should be stating the obvious; however, based upon what I see in the field, it bears repeating: do not wait until a breach occurs to find out if you are adequately insured. One of the services our firm offers is a review of the client’s insurance portfolio to assess whether they have adequate and appropriate insurance coverage for a data breach considering the nature/size of their business and their financial/legal exposure. The few thousand dollars spent for such a review is a small investment for the peace of mind that comes from knowing you have taken reasonable steps to ensure adequate coverage.

While not a substitute for a review of your insurance portfolio by an experienced data breach insurance coverage attorney, the following checklist will give you a flavor for some of what I look for when conducting such a review:

Data Breach Insurance Coverage Checklist

  • Understand the nature of the client’s business and identify the data maintained and likely risk areas.
  • Gather and inventory all active insurance policies.
  • Assess data breach coverage, if any, provided by standard policies.
  • Do you have a specific “Data Breach,” “Cyber Security,” “Cyber Risk” or similarly titled Policy or Endorsement to another Policy (such as CGL)?
    • If not, how are you covering the data breach risk?
    • What are the Data Breach Limits of Coverage? Are they per incident or per claim?
    • What is the amount of the deductible/retention for data breach claims?
    • What sublimits apply? (This could be the ball game).
    • Are defense costs unlimited or included in the limits of liability?
    • Does your policy provide for third-party (liability) and first-party coverage – i.e., the policy provides protection to the insured for liability to others and reimbursement for expenses incurred responding to the breach?
    • Does your policy apply to claims made or events occurring anywhere in the world?
    • Does your policy provide an option to choose your own defense counsel – i.e., option to select duty to defend or reimbursement coverage at policy inception?
    • Does your policy provide first-party coverage for computer program and electronic data restoration expenses?
    • Does your policy include cyber extortion coverage – applies to expenses to deal with the threatened compromise of your network or data?
    • Does your policy include business interruption coverage – applies to expenses and lost revenue due to a computer virus or denial of service attack that impairs your computer system?
    • Does your policy provide coverage for security breach remediation and notification expenses including:
      • Management of breach response by counsel?
      • Legally sufficient notification to impacted persons?
      • Purchase of an identity fraud insurance policy?
      • Credit monitoring services?
      • Computer forensics?
        • Does the policy provide the option to choose your own forensics expert, or provide a preapproved list? [Important to allow rapid reaction.]
      • Does the policy provide coverage for regulatory fines and penalties?
      • Does the policy provide for reimbursement of crisis management and public relations services?
    • Does the Policy contain exclusions barring coverage in the event the breach is a result of:
      • Mechanical failure?
      • Failure to maintain a computer network or system?
      • Failure to maintain risk controls?
      • Lack of performance in software?
      • Spyware, cookies or other information collection?
      • Lack of encryption?

This checklist is not exhaustive, and the requirement for a particular coverage will vary depending upon the nature and extent of the client’s business. The important takeaway: do not wait for a breach to occur before you have the adequacy of your insurance coverage assessed by experienced data breach coverage counsel. The few thousand dollars spent on such a review is chump change compared to the risk of inadequate coverage.

For more information contact
