A data breach may cost a company millions in recovery and liability damages, but rarely does a breach force a company into bankruptcy. However, a months-long data breach at American Medical Collection Agency (AMCA) in 2018-2019 did just that, forcing its parent company, Retrieval-Master Creditors Bureau Inc., into Chapter 11 bankruptcy. AMCA has not stated whether it had cyber insurance, but the situation presented by this breach and bankruptcy filing serves as a cautionary tale for those without adequate cyber insurance coverage—or any at all.
Recently, the Board of Governors of the Federal Reserve System has indicated it may move forward with enhanced cybersecurity standards for large financial institutions and the third-party vendors that serve them. Over on Pillsbury’s SourcingSpeak blog, colleagues Andrew L. Caplan, Meighan E. O’Reardon and Curtis A. Simpson examine just what those standards might be in “The Fed May Increase Cybersecurity Standards for Large Financial Institutions and their Service Providers.”
Experts are full of advice about the importance of designing and implementing a robust cyber breach response plan. They opine frequently on its key components, such as identifying the roles and responsibilities of the response team, steps for investigating and containing the breach, internal and external communications regarding the breach and the response, and applicable legal requirements. For the most part, however, their advice focuses on the information-technology aspects of the plan, with some attention given to the roles of senior management and the legal department. But few commentators offer tips on one of the most consequential components of a cyber response plan: insurance.
Have $57 million (or more) to spare? You’re going to need it if you run afoul of the EU’s General Data Protection Regulation (GDPR) without cyber insurance.
In late January 2019, the French data protection authority, CNIL, imposed a fine of €50 million—or roughly $57 million—on Google for violations of the GDPR. The fine is the largest imposed to date under the GDPR, since it came into effect in May 2018. The Google fine highlights a couple of things: the GDPR has teeth, and regulators in the EU won’t hesitate to enforce the regulation. Possibly more frightening to companies subject to the GDPR is that the fine was not imposed because of any data breach or disclosure of sensitive information but, rather, on account of Google’s ordinary data privacy practices.
Even when you’ve done your utmost to secure your organization’s cybersecurity—you’ve followed the advice of all the experts, you’ve checked all the boxes—you still may have an Achilles’ heel. Your cybersecurity is only as strong as its weakest point, which is often a vendor or supplier. In this context, a vendor could be anything from a cloud service provider, data processor, or IT engineer to an HR consultant, accounting firm, or health care benefits manager, while a supplier could be a key provider of manufacturing components or raw materials.
On insurance coverage issues, sometimes the boat seems to be listing in the wrong direction. For example, insurers have long tilted the decks to avoid coverage for “spoofing” attacks and similar kinds of email fraud by throwing their weight behind arguments that such transactions do not involve a “direct loss” from the use of company computers to implement a fraudulent scheme, which they claim their policies require. But in the first half of July, not one, but two federal appellate decisions—Medidata Solutions Inc. v. Federal Insurance Co. and American Tooling Center, Inc. v. Travelers Casualty & Surety Co.—rocked the insurers’ boats.
Remember the “good” ol’ days when the run-of-the-mill theft involved someone physically taking something tangible? That is so 20th century. Now, thieves and fraudsters are able to use computers and the internet to carry out much more complex schemes. The insurance industry has attempted to keep up with the technological evolution in the coverage it provides, but insurers have also used unclear policy language and the complexity and individualized nature of today’s fraudulent schemes to avoid covering the resulting losses. A slew of courts over the past few years have decided whether crime policies—particularly those with a computer fraud coverage component—cover complex, technology-related fraudulent schemes. The Eleventh Circuit recently joined the fray and ruled that computer fraud coverage did not apply to a policyholder’s $11 million loss.
Artificial Intelligence (AI) is a hot topic in industries from manufacturing to the medical profession. Developments in the last ten years have delivered AI technology, once a fiction reserved for the movies, to private corporations and even to everyday homes. Examples include:
- 2004 Defense Advanced Research Projects Agency (DARPA) sponsors a driverless car grand challenge. Technology developed by the participants eventually allows Google to develop a driverless automobile and modify existing transportation laws.
- 2005 Honda’s ASIMO humanoid robot can walk as fast as a human, delivering trays to customers in a restaurant setting. The same technology is now used in military robots.
- 2011 IBM’s Watson wins Jeopardy against top human champions. It is training to provide medical advice to doctors. It can master any domain of knowledge.
- 2012 Google releases its Knowledge Graph, a semantic search knowledge base, likely to be the first step toward true artificial intelligence.
- 2013 BRAIN initiative aimed at reverse engineering the human brain receives $3 billion in funding by the White House, following an earlier billion euro European initiative to accomplish the same.
- 2014 Chatbot convinced 33% of the judges it was human and by doing so passed a restricted version of a Turing Test.
The stopwatch is running. Companies are scrambling to figure out how the EU’s General Data Protection Regulation (GDPR)—due to go into effect on May 25, 2018—will affect how they do business. Uncertainty and speculation abound; no one knows exactly how the law will be enforced, particularly with respect to companies domiciled outside the EU, with no EU footprint, who process and hold the personal data of EU residents. But while publications are awash with advice regarding compliance, few tackle the question whether your business is protected against loss in the event of a data breach or other unintentional failure to comply. We strongly suggest that your due diligence include a review of your insurance coverage for GDPR non-compliance, especially for fines, penalties and lawsuits (individual or class action). Qualified coverage counsel should assist in the review, but key areas of focus include:
Coverage for Costs of Compliance
Many costs that companies will incur to comply with GDPR simply will not be covered by any insurance. Insurance is designed to respond to fortuitous loss or liability, not ordinary costs of doing business. Thus, for example, coverage likely is unavailable for expenses to adopt and implement data security measures, maintain required records, respond to individuals’ requests to access or delete their data, or hire a Data Protection Officer.
One thing is for certain: cyberattacks have become the norm, not the exception. Not even the NSA is capable of completely warding off security breaches. Major banking and retail institutions, as well as the government, are not surprisingly the most likely targets because of the amount of sensitive and private data they control. Still, other companies outside these sectors must heed the warnings and not become the next cyber victim. Protecting against cyber vulnerability is not merely a domestic issue. Rather, multinational companies are prime targets, and are currently undergoing institutional changes to navigate the EU General Data Protection Regulation (GDPR) that goes into effect May 2018.