I gave a presentation last week to the New Jersey Institute for Continuing Legal Education on the topic of insurance coverage for cyberliability. (I know, I know, that and four bucks will get me a latte at Starbucks.) The dangers of data breach are quite the hot topic lately (NSA, Snowden, Target, and on and on). The FBI says, in fact, that cyberattacks are the gravest domestic threat we face, even more serious than violent terrorism.
And the scams never end. The FBI recently issued a new warning about an email scam aimed at US businesses. The scam works through a criminal getting in the middle of your email traffic. The fraudster intercepts legitimate emails, and then creates a fake email address that’s nearly identical to that of one of your frequent correspondents. You don’t notice the new (but fake) email in the exchange, and pretty soon, you’re communicating with a criminal without knowing it. At some point, the fraudster issues instructions for payment, usually by wire transfer, and the funds go offshore and are long gone. This seems too simple to work, but apparently, according to the FBI, very sophisticated businesspeople have been falling for it.
The insurance industry is selling various products to deal with cyberliability risks. In fact, as of this writing, there are about 30 cyberliability insurance programs on the market, but no standard form. As I noted in an earlier post, despite the grave threat, many businesses aren’t buying the coverage, even though it’s reasonably priced. As an example of the potential financial consequences, the average cost of remediation is $194 per record. When you consider that the recent breach at Target apparently struck over 120 million records, you can see that we’re not exactly talking about chump change.
Some companies may believe that adequate coverage already exists under their crime or property policies. But under traditional coverage, you’re in for a fight, partly because of ISO’s data breach exclusions (and new ones are coming out in May 2014, aimed largely at removing coverage under the “invasion of privacy” provisions of Coverage B).
An example of a case that didn’t go so well for the policyholder is the recent Connecticut decision in Recall Total Information Management v. Federal Insurance. The fact pattern will leave you shaking your head. IBM (you know, the gigantic computer company) hires a contractor to transport and store its electronic data media. The contractor hires a subcontractor. While the subcontractor’s van is rolling down the highway, the data tapes go rolling out the back door of the van. That’s not good, because the tapes contain employment-related data, including social security numbers, for some 500,000 past and present IBM employees. Someone – no one knows who – picks up the tapes from the highway. (By the way, here’s exclusive footage of the contractors transporting the tapes.)
IBM spends over $6 million fixing the problem. The remediation measures include notification to potentially affected employees and the establishment of a call center to answer questions regarding the lost data. IBM also provides those persons affected by the loss with one year of credit monitoring to protect against identity theft. (These are all items that would likely be covered under the new generation of cyberliability policies.)
IBM brings a claim against the contractor for the $6 million, and the contractor tenders the claim to its general liability carrier under Coverage B of its general liability coverage (personal injury/invasion of privacy). Federal denies coverage, and the denial is upheld by the Connecticut court. Why? Because under the policy, “invasion of privacy” requires the “publication” of the data, and there’s no proof that anyone ever downloaded the information from the tapes.
The Court writes: “There is nothing in the record suggesting that the information on the tapes was ever accessed by anyone. A letter from IBM to the affected employees … stated: ‘We have no indication that the personal information on the missing tapes, which are not the type that can be read by a personal computer, has been accessed or has been used for any improper purpose.’ Moreover, because the parties stipulated that none of the IBM employees have suffered injury as a result of the tapes being lost, we are unable to infer that there has been a publication. As there is no genuine issue of material fact that there was publication, we agree with the trial court that the settlement … was not covered under the policy’s personal injury provision.”
Sometimes trying to fit a data breach issue into the traditional coverage is like trying to pound a square peg into a round hole. Lesson: Do yourself a favor and talk with your broker about cyberliability coverage, if you haven’t already.