06/29/2009 01:55:05 PM EST
Insurance Coverage for Data Security Breaches
Data security breaches are a real threat in today’s computer-dependent work environment. Security breaches via hacking, unauthorized internal access, and the inadvertent disclosure of personal information are all circumstances that can create cost and legal exposure. Chances are, a company’s existing insurance policies may provide some coverage in the event of a data security breach, but there are additional coverages that may be worth exploring and evaluating.
There are three basic types of insurance policies that may provide some coverage for data security breaches:
First party coverage: Covers loss of or damage to the company’s own property. Lost or damaged data may be covered, but there are a number of exclusions to consider.
Third party coverage: Coverage provided to a company when it is sued. Commercial General Liability (CGL) insurance is an example of third-party coverage that virtually all businesses have. There are provisions in CGL policies that do provide coverage for data security breaches.
Errors and Omissions (E&O) coverage: Possible coverage for data security breaches may be available in an E&O policy.
One newer policy type to consider is network risk insurance. It blends first and third party coverages and can provide broader coverage than a typical policy would otherwise provide. For example, under a CGL policy, a company may have advertising injury coverage that could extend into data breaches. But in a network risk policy, a company could also secure first party coverage (e.g. theft or damage to data), business interruption coverage and perhaps cyberextortion, crisis management costs, public relations response and identity theft coverages. Policies can also include third party coverages such as professional services, content or media liability, network and security cost insurance. Coverage for basic privacy liabilities such as inadvertent or unintended disclosures of confidential information may also be available.
What to do now
Companies should have their existing insurance coverage reviewed to better understand what may or may not be covered. This is not a costly exercise, and would provide a sense as to whether your company has sufficient coverage.
In the case of an actual data security breach, or other unintended disclosure of private information, it is critical to provide prompt notice of loss to the insurance company. Also, don’t assume that there is a lack of coverage without a professional evaluation of your policy. This is a largely new area of insurance law, and you should not assume that a company’s in-house risk management department or your insurance broker will know whether coverage exists. Chances are there is little or no case law analyzing coverage in this newly developing area. As such, it is important to have the coverage evaluated in the event of a data security breach.
* * *
Pillsbury's insurance recovery practice is one of the first in the United States, dating back to the Great San Francisco Earthquake of 1906, when we helped California businesses work with their insurers in order to rebuild. From the enormous business interruption losses arising from the terrorist attacks in September 2001, to some of the largest environmental cleanup cases in the country, Pillsbury’s insurance recovery and advisory attorneys are at the forefront of efforts to secure insurance coverage for its clients.