Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.
Alison Roffi is Orrick's Deputy Chief Legal Officer and is located in the New York Office.
Alison is responsible for providing counsel on the firm's global legal affairs, including matters related to corporate governance, litigation, contracts, insurance, ethics and risk management.
In addition to her firm responsibilities, Alison represents clients in litigation and pro bono matters.
Posts by: Alison Roffi
Data breach here, date breach there, data breach everywhere? Every day we are learning about the importance of and risks associated with cybersecurity. Those risks are not limited to big corporations or even the private sector. Schools, of all levels, are increasingly faced with cybersecurity-related questions and potential for liability, and they are beginning to seek coverage for those risks. But educational institutions as policyholders have issues in addition to those affecting large, company-wide databases that are usually considered when procuring cyberinsurance policies. Educational institutions as policyholders must ensure that any coverage they procure covers these risks. READ MORE
As previously discussed, the question of whether Commercial General Liability (“CGL”) coverage applies to cyber-attacks or data breaches is a hot point of contention between policyholders and insurers. One of our cases to watch in 2015—Zurich American Insurance Company v. Sony Corporation of America—may resolve this question in New York shortly.
On February 25, 2015, a hearing was held in a closely-watched New York appeal involving coverage under CGL policies for privacy claims filed in the wake of a data breach.Zurich American Insurance Company v. Sony Corporation of America is pending in the New York Supreme Court Appellate Division. The Sony parties are represented by Richard DeNatale and Steve Foresta of Orrick’s Insurance group. They are seeking coverage under a clause that appears in all standard CGL policies and covers claims for “publication, in any manner, of material that violates a person’s right of privacy.” The lower court ruled that there was no duty to defend because the alleged publication of information was perpetrated by the hackers rather than by the policyholder. In their appeal, the Sony parties argue that this ruling is contrary to the plain language of the insurance policies. The hearing on February 25 lasted about 30 minutes, with active questioning from the panel of five justices. A decision from the Appellate Division is pending.