A few months into the COVID-19 pandemic, the insurance focus (understandably) has been on business interruption and event cancellation coverage. Various other coverages are in play as well, given the types of COVID-19-related claims and lawsuits being filed (and that will be filed in the future) against corporate policyholders, from bodily injury due to exposure to the virus, to breach of contract, to securities violations, to misrepresentations and consumer protection violations, just to name a few. However, cyber risks are also highly salient for companies in this “new normal,” and companies must consider the role their insurance plays in preparing for and responding to those risks.
Have $57 million (or more) to spare? You’re going to need it if you run afoul of the EU’s General Data Protection Regulation (GDPR) without cyber insurance.
In late January 2019, the French data protection authority, CNIL, imposed a fine of €50 million—or roughly $57 million—on Google for violations of the GDPR. The fine is the largest imposed to date under the GDPR, since it came into effect in May 2018. The Google fine highlights a couple of things: the GDPR has teeth, and regulators in the EU won’t hesitate to enforce the regulation. Possibly more frightening to companies subject to the GDPR is that the fine was not imposed because of any data breach or disclosure of sensitive information but, rather, on account of Google’s ordinary data privacy practices.
Does the coverage in commercial general liability (CGL) policies for violations of the right to privacy extend to unwanted intrusions, or is it limited to the disclosure of personal information to a third party? On a recent request for clarification from the U.S. Court of Appeals for the Ninth Circuit in Yahoo Inc. v. National Union Fire Insurance Company of Pittsburgh, PA, the California Supreme Court may be poised to answer this question under California law, which could have wide-ranging effects on companies seeking CGL coverage for Telephone Consumer Protection Act (TCPA) claims.
The stopwatch is running. Companies are scrambling to figure out how the EU’s General Data Protection Regulation (GDPR)—due to go into effect on May 25, 2018—will affect how they do business. Uncertainty and speculation abound; no one knows exactly how the law will be enforced, particularly with respect to companies domiciled outside the EU, with no EU footprint, who process and hold the personal data of EU residents. But while publications are awash with advice regarding compliance, few tackle the question whether your business is protected against loss in the event of a data breach or other unintentional failure to comply. We strongly suggest that your due diligence include a review of your insurance coverage for GDPR non-compliance, especially for fines, penalties and lawsuits (individual or class action). Qualified coverage counsel should assist in the review, but key areas of focus include:
Coverage for Costs of Compliance
Many costs that companies will incur to comply with GDPR simply will not be covered by any insurance. Insurance is designed to respond to fortuitous loss or liability, not ordinary costs of doing business. Thus, for example, coverage likely is unavailable for expenses to adopt and implement data security measures, maintain required records, respond to individuals’ requests to access or delete their data, or hire a Data Protection Officer.
One thing is for certain: cyberattacks have become the norm, not the exception. Not even the NSA is capable of completely warding off security breaches. Major banking and retail institutions, as well as the government, are not surprisingly the most likely targets because of the amount of sensitive and private data they control. Still, other companies outside these sectors must heed the warnings and not become the next cyber victim. Protecting against cyber vulnerability is not merely a domestic issue. Rather, multinational companies are prime targets, and are currently undergoing institutional changes to navigate the EU General Data Protection Regulation (GDPR) that goes into effect May 2018.
Every single industry or business in this day and age has either been the victim of a cyber attack or is concerned they will be next. A few examples from the last couple of months show how widespread the problem is. In June, a global ransomeware attack quickly spread across 64 countries, impacting organizations from law firms, banks and governments to food producers and hospitals. The attackers demanded $300 in Bitcoin—approximately $977,000 U.S. dollars in total—from each victim to unlock their data. At the annual DefCon computer security conference in late July, hackers took less than 90 minutes to hack voter-ballot machines and at least one hacker even broke into the system wirelessly, suggesting that U.S. computer-ballot boxes may be susceptible to attack.
The costs and penalties associated with a cyber attack or data breach should not be underestimated. For example, NPR recently calculated the average cost of a health care breach at more than $2.2 million, “not to mention the reputation damage.” And the FCC recently ordered AT&T to pay $25 million in connection with the exposure of more than 250,000 U.S. customers’ information.
Cyber insurance continues to be one of the hottest topics in the insurance industry. In the last several years it has evolved from a little-known specialty product to a standard purchase for some corporate risk departments. By now, most companies generally are aware that cyber attacks present substantial risks. Many unfortunately have first-hand experience as victims of an attack. But many companies still do not necessarily view cyber insurance as a “must-have” type of insurance, like general liability or property insurance. Some companies may believe their potential cyber exposure is minimal or simply think that cyber coverage is cost prohibitive. A recent D.C. Circuit decision is a sobering reminder that cyber insurance should at least be considered in connection with a company’s risk management plan, and is probably a “must-have” for companies that maintain records containing a substantial amount of personal information.
In the client alert The “Panama Papers” and the Secret World of Shell Corporations, Insurance attorneys Joseph Jean, Alexander Hardiman and Matthew Putorti along with their colleagues Carolina Fornos, Mark Hellerer, Maria Galeno, William Sullivan, Nancy Fischer, Nora Burke and Danielle Vrabie discuss a leak of 11.5 million documents from a law firm in Panama that may implicate politicians, criminals and celebrities in sheltering of fortunes in offshore tax havens through the use of shell companies. In light of these events, financial institutions and other entities may need to consider whether they are implicated, how to assess the risks, how to minimize exposure, if any, and whether insurance coverage is available.
As more and more companies ranging across a wide spectrum of industries have been exposed to network and data security breaches, the market for insurance products to cover cyber risks has grown just as fast. With policies sold under names like “cyberinsurance,” “privacy breach insurance,” “media liability insurance” and “network security insurance,” the market is chaotic. Premiums and terms vary dramatically from one insurer to the next. And because cyber policies are far from uniform, it’s crucial to understand not only what you’re being offered, but also how to negotiate coverage for the risks inherent in your business. This post contains five of my top ten recommendations. (The remaining five tips are in Part 2.) Continue reading →