It’s a familiar pattern. First, new risks inspire legislation and regulations that impose new penalties. Next, insurers and policyholders fight over whether the new liabilities are covered under traditional liability policies. Finally, insurers craft new coverages to define their obligations in the changed environment. See, e.g., DeMeo, Eldred, Utiger & Scruggs, “Insuring Against Environmental Unknowns,” 23 J. Land Use & Envtl. L. 61, 62-65 (2007). In this respect (if not in any others), the unprecedented growth of both cybersecurity exposure and the demand for cybersecurity insurance have unfolded in a predictable way. In 2015, some of the most closely-watched suits over traditional CGL policies wound down or settled, while litigation under early cyber endorsements has begun to spring up. Last Fall, the Insurance Services Office (ISO) amended its standard CGL coverage form specifically to exclude data breach liability; then, in a March 2015 press release, it unveiled a standardized cyber-liability coverage form.
The First Wave Recedes: Square Peg Litigation
The first wave of coverage litigation over claims related to cybersecurity tested the limits of policies that had been issued without specific underwriting of cybersecurity risks. Insureds typically sought coverage under GL and E&O/D&O/professional liability coverages. In many cases, the policies were written before the privacy laws and regulations that imposed the policyholder’s loss had been enacted. This first wave of litigation thus consisted of “square peg” cases—courts struggled to fit a square peg of liability into a round hole of coverage.
- In 2013, for example, in First Bank of Delaware v. Fidelity and Deposit Co. of Maryland, No. N11C-08-221 (Del. Super. Ct. Oct. 30, 2013), VISA claimed a bank was liable for a data breach, after a subcontractor that processed the bank’s credit and debit transactions was hacked, and customers’ personal identification numbers were compromised. The breach resulted in millions of dollars in unauthorized withdrawals, and it also triggered contractual indemnification issues by and among the bank, the subcontractor and VISA. Under one of the relevant contracts, VISA charged the Bank $1.5 million in cost reimbursement assessments.
The bank looked to its D&O carrier to defend and indemnify. Its policy included an “electronic risk liability’ coverage that insured against “unauthorized use of, or unauthorized access to electronic data or software with a computer system.” Coverage under that provision depended, in part on whether the hacked computer system, which belonged to the subcontractor, was “used to transact business on behalf of the [bank].” The Delaware court found that it was (at least arguably), and so that coverage was available.
Then things got complicated. The court examined whether a fraud exclusion applied, and it held that the insurer had met its burden of proving that it did. But it went on to hold that the exclusion, when applied to a data breach, would render the entire coverage grant for electronic risk liabilityillusory, and it therefore declined to apply the exclusion. After reargument was denied, the insurer did not pursue an appeal.
- The coverage saga of Recall Total Information Management, Inc. v. Federal Ins. Co., 317 Conn. 46 (Conn. May 26, 2015), finally came to an end this year. In that case, the insured was an information management contractor for IBM. On a trip from one IBM facility to another, a van belonging to a subcontractor inadvertently dropped 130 computer tapes—containing HR data about 500,000 current and former IBM employees—onto a highway. The contractor sought coverage under the theory that the associated losses—such as the costs of notification and credit—came within the personal injury coverage of its GL policy, which applied to “injury. . . caused by an offense of . . . electronic, oral, written or other publication of material that. . . violates a person’s right of privacy.”
An intermediate appellate court found there was no coverage, but the Connecticut Supreme Court granted certiorari to review the decision. At oral argument, the Justices openly struggled with the insured’s square peg argument that the employee information had been “published” within the meaning of the policy, because the record contained no evidence that the data on the tapes had actually been accessed—which would have required special equipment. (The only evidence of what happened to the tapes was a report that a motorist had been seen loading them into his car.) One of the Justices asked whether a hacker who gains access to a “closed architecture system” has thereby “published” the information in that system; he also suggested that the theft at issue had involved only the medium on which the information was stored, rather than the information itself. Shortly after argument, the Court ruled in favor of the insurers, holding that this peg did not fit into an advertising injury hole.
- 2015 also saw the resolution of another much-watched cybersecurity coverage case, pitting Sony Corporation against its insurers in a dispute over coverage for Sony’s much-publicized Playstation data breach. In 2014, a New York trial court dismissed the insurers from a declaratory judgment action. Sony appealed, and industry watchers eagerly awaited an appellate ruling—especially because the trial court decision was a short bench ruling, blunting its usefulness as precedent. They were disappointed: the case settled before the appeal was heard.
The underlying bench ruling may be of little precedential value, but it might also have been the catalyst for the explosive increase in demand for dedicated cybersecurity coverage that followed it. Whatever the cause, the purchase of cyber- specific coverage has sky-rocketed.
A New Regime Emerges
So what do these new cyber policies look like? How do they fit into an overall coverage program? What are the limits and contours of coverage under these policies? These questions will drive the second wave of cybersecurity coverage litigation.
According to recent industry data, the coverage is not cheap. This is due in large part to the growth of the liability exposure. As noted by one analyst, “the average costs for a breached company total $9.4 million over a 24-month period.” Those costs include both first- and third-party losses, including regulatory penalties and fines, credit monitoring, public relations costs to address reputational harm, costs associated with the lost data itself, business interruption and, of course, litigation expense. Annual premiums can range from $7,000 – $15,000 for smaller companies to as high as $50,000 for larger ones, depending on variety of factors.
One important factor that can help keep premium costs down will be loss services associated with the new insurance regime. In scoring the risk, underwriters will look to the level of the cybersecurity measures employed. Industry organizations have developed standards and best practices (see e.g.ISO/IEC 27001:2013), and insurers may require or offer incentives to insureds to adhere to such standards in maintaining an Information Security Management System (ISMS). Prevention-driven loss services of this kind can create a “virtuous cycle” of reducing losses, and thus reducing premiums costs over time. This cycle creates additional benefits to the consuming public, whose data is being vacuumed up at astonishing rates and in often surprising ways.
View the original content and more from this author here: http://ift.tt/1LxEl8E
from cyber security caucus http://ift.tt/1e1hcjD
via IFTTT
No comments:
Post a Comment