Ransomware is one of the rising scourges of the business world, with approximately 50% of U.S. companies reporting being hit with a ransomware attack in the past year, according to a recent study. According to the FBI, a 2016 ransomware type that uses unbreakable key-based cryptography compromised an estimated 100,000 computers a day. New ransomware variants are appearing constantly, and companies need to prepare for the possibility of being victimized by this particular type of cyber-attack. The FBI, as well as other security professionals, has recommended a widely accepted, multifaceted preparation strategy—which includes having key insurance coverage in place—that reduces risks and decreases recovery time. An overview of this strategy, authored by Orrick’s Darren Teshima and Aravind Swaminathan, appeared in Law360.
A version of this article originally appeared in Law360 on August 25, 2016.
Technology services and software companies frequently face insurance issues when negotiating their intellectual property license or other services agreements, particularly in this era of data breaches and cloud computing. Numerous questions present themselves. Which party bears the risk in the event of a data breach? Does the company providing the indemnities have insurance to stand behind them? Whether your company is providing a service, engaging a vendor or negotiating a license agreement, keeping these five insurance issues top of mind can help safeguard your continued success.
Insurance as an Indemnity Backstop
Indemnification provisions are standard in commercial agreements, and these provisions frequently include boilerplate language that may be overlooked by a party. While such a provision will serve as the primary risk transfer mechanism in the agreement, insurance can provide an important backstop. If your company is providing the indemnity, you will want to check your policies to see if they provide coverage for the potential liabilities at issue. Many policies, including commercial general liability (CGL) policies, exclude coverage for liabilities assumed under a contract. For example, the Insurance Services Office (ISO) standard CGL form includes an exclusion barring coverage for bodily injury or property damage the policyholder is obligated to pay “by reason of the assumption of liability in a contract or agreement.” The exceptions to this are if the policyholder has the liability absent the contract or if the contract was previously identified as a covered “insured contract.” Other policies, however, such as technology errors and omissions (tech E&O) policies, do not include this limitation. Some tech E&O policies state that a breach of contract exclusion does not apply (and thus the policy provides coverage for) liability “assumed in any hold harmless or indemnity agreement.” If your company is being indemnified by the counterparty, you will want to know whether that company has the financial resources, including insurance coverage, to stand behind the indemnity.
Many non-cyber policies include data breach exclusions, but few cases have addressed their scope. In a recent case, a federal district court rejected an insurer’s broad interpretation of the term “data” as it was used in data breach exclusions in a multimedia liability policy. In Ellicott City Cable, the insurer contended that satellite television programming was “data” within the meaning of the exclusions. The court found the term ambiguous, construed the ambiguity against the insurer, and ruled that the underlying lawsuit triggered the insurer’s duty to defend. While the case did not involve a data breach, the decision demonstrates that data breach exclusions should be narrowly construed and also offers helpful guidance about interpreting the term “data” if it is undefined in a policy.
The underlying case involved a distribution arrangement between Ellicott City Cable and DirecTV, whereby Ellicott City Cable distributed satellite television programming to its customers. Apparently Ellicott City Cable was overzealous in serving its customers and allegedly distributed DirecTV’s programming beyond the scope of the contracts. DirecTV sued Ellicott City Cable, alleging that Ellicott City Cable fraudulently obtained and distributed DirecTV’s programming.
In one of the first court decisions to consider the scope of cyber insurance and whether it covers credit card brand fraud recovery assessments, the policyholder, PF Chang’s, came up short. Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to PF Chang’s customers, MasterCard levied a $1.9 million fraud recovery charge against the restaurant chain. PF Chang’s tendered those charges to its cyber insurer but Federal refused to provide coverage. Coverage litigation followed and last week a federal judge in Arizona handed down a decision in favor of Federal. For a discussion of the case and its implication for cyber insurance policyholders—or those considering it—you can read the full article by Russell Cohen and Darren Teshima at Orrick’s Trust Anchor blog.
This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.
The policyholder, Portal Healthcare Solutions, under a contract with a New York hospital for the storage and maintenance of its patients’ confidential medical records, arranged to store the records electronically. The records were allegedly not stored in a secure manner. Two patients discovered that their hospital records were publicly viewable through the first link returned by a Google search on their names. In 2013, the patients brought a class action suit in New York against Portal for negligent storage of confidential medical records.
Portal had coverage under the personal or advertising injury provisions of its commercial general liability policy for damages arising from “the electronic publication of material” that “gives unreasonable publicity to a person’s private life” or that “discloses information about a person’s private life.” In a declaratory judgment action initiated by the insurer, the Eastern District of Virginia granted summary judgment to Portal, holding that the insurer had a duty to defend Portal against the class action.
The Fourth Circuit affirmed the district court’s judgment on its reasoning. Portal’s alleged conduct of exposing medical records to online searching of a patient’s name fell within the plain meaning of “publication”: “to place before the public.” The court rejected the insurer’s arguments that (i) there was no publication, because Portal never intended to expose the records and (ii) there was no allegation that any unauthorized person actually accessed any of the records.
This week’s decision contrasts with an earlier decision of the Connecticut Supreme Court in Recall Total Information Management v. Federal Insurance Company, which we discussed last year. In that case, the Connecticut high court found no CGL coverage for claims arising from computer tapes containing employees’ personal information that fell off a van and were apparently taken by an unknown person. The district court in Portal Healthcare Solutions distinguished a single thief’s accessing the tapes in Recall from the posting of information on the internet before three billion people in Portal.
We have long asserted that there is coverage for certain data breach claims under the personal and advertising injury provisions of CGL policies. And while the Fourth Circuit’s decision validates that view, its impact may be limited. First, insurers will certainly argue that the facts of this unpublished decision—the posting of unsecured information on the internet—are different from situations in which hackers gain unauthorized entry to protected information. And, second, fewer and fewer policyholders are relying on CGL policies for coverage of data breach and cyber risks. For years now, insurers have marketed specialized cyber policies, in part by persuading policyholders that their CGL policies did not cover such risks, and by adding cyber exclusions to CGL policies. But even so, Portal may make a meaningful difference for insureds who do not have a cyber exclusion on their CGL policy if they don’t have any cyber insurance at all or if data breach litigation exhausts their cyber policy limits.
Last May, we told you that the “waiting has ended” for courts to start weighing in on cyber insurance policies, as the District of Utah issued one of the first federal court decisions construing such a policy in Travelers Property Casualty, et al. v. Federal Recovery Services, Inc., et al., No. 2:14-CV-170. Although the claims at issue were not the sort of data breach and cybersecurity liability claims for which policyholders eagerly anticipate guidance, it was, as we noted, an important step in understanding how a court may approach these policies. In the first weeks of 2016, the Travelers court revisited the May 2015 decision, and affirmed its prior findings in favor of the insurer.
In the May decision, the court had found that under the cyber policy at issue, the insurer had no duty to defend its insured, a payment and account processing company, against tort claims alleging that the insured improperly—and intentionally—withheld from the plaintiff, a gym network, customer payment and account data that the plaintiff had entrusted to it.
The policy at issue was a Travelers CyberFirst Technology Errors and Omissions Liability Form Policy. Under the policy, the duty to defend attaches when the plaintiff’s suit alleges an action by the insured that, if true, would constitute a covered claim under the policy. The insured sought coverage through an E&O module that provided coverage for “any error, omission, or negligent act.” The plaintiff alleged, however, that the insured acted with “knowledge, willfulness, and malice.” The court held that because the complaint alleged intentional, rather than negligent, misconduct, the insurer did not have a duty to defend.
Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.
Data breaches and cyberattacks occur across all sectors. In the past year there have been highly publicized mega-breaches of technology companies, entertainment companies, retailers, financial services companies, health insurers, manufacturers, and the federal government’s Office of Personnel Management. Even the most sophisticated systems are vulnerable to a data breach. And companies with any potential exposure—which includes any company that maintains employee information—are increasingly looking to cyber insurance as one way to manage the cost of a data breach.
Our article “Cyber Insurance: An Overview of an Evolving Coverage” provides an overview of cyber insurance. The first section (What Is Cyber Insurance?) describes the risks faced by companies and the coverage offered by cyber insurance. The second section (The Development of Cyber Insurance) describes the development of cyber insurance as a specialized coverage, the impact on cyber insurance development of breach notification laws, and the limits of coverage of existing insurance. The third section (Where Is Cyber Insurance Heading?) discusses the key coverage and exclusion battlegrounds in these policies, the emergence of cyber insurance litigation, and the challenges presented by the Internet of Things. We hope that companies will benefit from a better understanding of the scope and value of cyber insurance in making decisions about its value as one among different means of proactively enhancing their IT Security posture.
What’s a risk manager to do? The “cyber” insurance marketplace can seem like an impenetrable thicket filled with a baffling array of disparate, disconnected coverages, a lack of any uniformity in policy wording, vast disparities in cost, and little available guidance. Comparing the quality and cost-effectiveness of competing products is a daunting task. It’s enough to make a risk manager’s head ache: How do I choose among the products the broker has presented to me? Am I buying the right types of coverage, in the right amounts, and at the right price? How can I demonstrate to my management that I am making the right choice?
The challenge is often compounded because the company approaches the purchasing decision from the wrong direction. When a company decides it needs cyber coverage, it generally starts by asking its broker: What’s available in the marketplace? What’s the broadest coverage I can get at the best price? The broker then collects basic information about the company’s business and finds some insurers willing to quote. The broker comes back to the company with several proposals—each consisting of a policy form, a schedule of coverage limits the insurer is willing to offer, and the corresponding premiums at which the insurer is willing to sell. Although the policy forms are not standard vis-à-vis one another, each one is standard for that insurer. Consequently, each insurer’s receptiveness to changes to the form may range from minimal to non-existent. The package may include a few endorsements designed to address issues specific to the individual company, but the policy as a whole can hardly be said to be tailor-made.
All too frequently, the company doesn’t start by asking itself the most important questions: Why do we need cyber coverage? What is our risk in relation to cyber events? Without knowing the answers to these questions, selecting from among the often widely differing options becomes an even more bewildering process. The result can be a cyber package including a hodgepodge of coverages, many of which are not responsive to the company’s risk profile—providing unnecessary coverages for which the company nevertheless must pay premiums, and leaving important gaps in coverage.
By contrast, the more rigorous the company is in analyzing its own risk factors before approaching the marketplace, the better job the broker can do in identifying the right insurers with the right policy forms, the better job the insurers can do in assessing the risk and pricing the coverage, and the better job the risk manager can do in evaluating the products being offered.
The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximilian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.
The Safe Harbor program has been in place since 2000 and was meant to bridge the gap between the regulatory requirements for handling of personal data in the EU and U.S. The Safe Harbor created a self-certification mechanism by which companies in the U.S. could opt into a set of rules governing the handling of EU personal information in order to meet EU privacy law requirements. If a company opted in, it was then able to receive data transfers from the EU to the U.S. without further approval.
The Schrems ruling, explained in detail here by our privacy team, found that the Safe Harbor protections afforded were in fact not adequate. The CJEU noted that the protections required to meet Safe Harbor obligations could actually be disregarded for a number of reasons, including at the request of certain government entities or where preempted by U.S. law. The CJEU held that a company’s decision to opt into the Safe Harbor therefore does not necessarily protect the personal data of EU citizens and it would no longer consider such Safe Harbor participation by a U.S. company sufficient to meet the requirements of EU privacy laws.
Although the sharing of information between the EU and U.S. will not be immediately halted – the ruling allows an EU nation’s supervisory authorities to evaluate the treatment of data in a particular case – if no resolution is reached by January, there is a possibility (discussed here) that at least some EU nations will follow the CJEU’s lead and commence regulatory investigations and proceedings to evaluate specific data transfers to U.S. companies. For companies that once relied on the Safe Harbor program, there may be implications for their purchase or renewal of cyber insurance.
October ordinarily brings the return of crisp air, fall foliage, and Halloween. This year, for the first time, it also brings National Cyber Security Awareness Month. Yet designating a month to increase cybersecurity awareness seems redundant. We are reminded almost daily of the importance of cybersecurity, as media reports of cyber breaches have become commonplace. Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide. These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although as we wrote recently, the CEO of one of the largest insurers has acknowledged that cyber insurance capacity remains relatively small).