Ransomware is one of the rising scourges of the business world, with approximately 50% of U.S. companies reporting being hit with a ransomware attack in the past year, according to a recent study. According to the FBI, a 2016 ransomware type that uses unbreakable key-based cryptography compromised an estimated 100,000 computers a day. New ransomware variants are appearing constantly, and companies need to prepare for the possibility of being victimized by this particular type of cyber-attack. The FBI, as well as other security professionals, has recommended a widely accepted, multifaceted preparation strategy—which includes having key insurance coverage in place—that reduces risks and decreases recovery time. Please click here to read an overview of this strategy that appeared in Law360, authored by Orrick’s Darren Teshima and Aravind Swaminathan.
In one of the first court decisions to consider the scope of cyber insurance and whether it covers credit card brand fraud recovery assessments, the policyholder, PF Chang’s, came up short. Following a 2014 data breach in which hackers accessed and posted online 60,000 credit card numbers belonging to PF Chang’s customers, MasterCard levied a $1.9 million fraud recovery charge against the restaurant chain. PF Chang’s tendered those charges to its cyber insurer but Federal refused to provide coverage. Coverage litigation followed and last week a federal judge in Arizona handed down a decision in favor of Federal. For a discussion of the case and its implication for cyber insurance policyholders—or those considering it—you can read the full article by Russell Cohen and Darren Teshima at Orrick’s Trust Anchor blog.
Last May, we told you that the “waiting has ended“ for courts to start weighing in on cyber insurance policies, as the District of Utah issued one of the first federal court decisions construing such a policy in Travelers Property Casualty, et al. v. Federal Recovery Services, Inc., et al., No. 2:14-CV-170. Although the claims at issue were not the sort of data breach and cybersecurity liability claims for which policyholders eagerly anticipate guidance, it was, as we noted, an important step in understanding how a court may approach these policies. In the first weeks of 2016, the Travelers court revisited the May 2015 decision, and affirmed its prior findings in favor of the insurer.
In the May decision, the court had found that under the cyber policy at issue, the insurer had no duty to defend its insured, a payment and account processing company, against tort claims alleging that the insured improperly—and intentionally—withheld customer payment and account data from the plaintiff, a gym network, the plaintiff had entrusted to it.
The policy at issue was a Travelers CyberFirst Technology Errors and Omissions Liability Form Policy. Under the policy, the duty to defend attaches when the plaintiff’s suit alleges an action by the insured that, if true, would constitute a covered claim under the policy. The insured sought coverage through an E&O module that provided coverage for “any error, omission, or negligent act.” The plaintiff alleged, however, that the insured acted with “knowledge, willfulness, and malice.” The court held that because the complaint alleged intentional, instead of negligent misconduct, the insurer did not have a duty to defend.
Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.
Data breaches and cyberattacks occur across all sectors. In the past year there have been highly publicized mega-breaches of technology companies, entertainment companies, retailers, financial services companies, health insurers, manufacturers, and the federal government’s Office of Personnel Management. Even the most sophisticated systems are vulnerable to a data breach. And companies with any potential exposure—which includes any company that maintains employee information—are increasingly looking to cyber insurance as one way to manage the cost of a data breach.
Our article “Cyber Insurance: An Overview of an Evolving Coverage” provides an overview of cyber insurance. The first section (What Is Cyber Insurance?) describes the risks faced by companies and the coverage offered by cyber insurance. The second section (The Development of Cyber Insurance) describes the development of cyber insurance as a specialized coverage, the impact on cyber insurance development of breach notification laws, and the limits of coverage of existing insurance. The third section (Where Is Cyber Insurance Heading?) discusses the key coverage and exclusion battlegrounds in these policies, the emergence of cyber insurance litigation, and the challenges presented by the Internet of Things. We hope that companies will benefit from a better understanding of the scope and value of cyber insurance in making decisions about its value as one among different means of proactively enhancing their IT Security posture.
There has been no recent shortage of high-profile cyberattacks and data breaches leaving businesses with millions of dollars in losses. Verizon’s 2015 Data Breach Investigations Report counted 79,790 security incidents (including 2,122 confirmed data breaches) in the last year alone. If you’re a business that stores information electronically—that is, if you’re any business at all—you’re probably sufficiently worried about cyber threats just by reading the news. But if you haven’t fully appreciated the seriousness of the problem yet, the insurance industry is happy to help. As one insurer warns in its marketing materials, “many companies don’t realize that whether they experience a data security breach isn’t as much a matter of if it will happen as when.” Sufficiently terrified of cyber threats? Don’t worry—these same insurers will let you know they offer coverage that will help mitigate your risk. As one insurer puts it, “when a security breach happens, you’ll need comprehensive protection from an insurer that specializes in handling cyber risks, offers a full suite of integrated insurance solutions to help minimize gaps in coverage, and understands how to tailor coverage to your business.”