The struggle to identify appropriate policy limits continues to frustrate many in the market for cyberinsurance.  So does the difficulty involved with comparing premiums across policies offering coverage terms with a lot of variation.  But publicly available data continues to improve, and this piece from the folks at Cyber Data Risk Managers is particularly interesting.  CDRM shared data on 34 actual clients’ premiums and limits based on industry and annual revenue.  Among the highlights:

Highest Revenue: A pharmaceutical benefits management company with annual revenues of $4B bought a policy with a $5M limit for a premium of $84,000.

Highest Limits:  A data storage center with annual revenues of $15M bought a policy with a $20M limit for a premium of $120,000.

If you are a United States company that processes or maintains data from individuals living in the European Union, this matters to you.  The US/EU Data Privacy Shield self-certification process goes live on August 1, 2016.  There lots of good information out there already, but there is also a good bit of scrambling to put in place a framework for companies that want to enroll in this new program.  Do you want the high-level overview?  Of course you do.  Here is what Privacy Shield compliance will probably entail:

  1.  Revise your privacy policy to comply with the new requirements/language.
  2. Select a third-party dispute mechanism to handle complaints from EU data subjects.

Here is how it is supposed to work.  Something bad happens.  You’re insurance company pays for it.  Then, your carrier sues the bad guy who harmed you.  That’s subrogation.

In the data breach context, this timeless construct presents numerous challenges.  The most notable is the difficulty associated with finding the bad guys.  But that isn’t your problem.

The contract you have with your data hosting service, credit card processor or other vendor, on the other hand, might very much be your problem.  You probably pay a monthly fee.  Depending on the size of your company, that fee is probably a modest amount.  For smaller organizations, it might only be $20 or so per month.  Now, consider what this vendor is holding – all of your data.  Yikes.

Cyberinsurance policies typically provide first and third party coverage.  First party coverage relates to an insured’s own expenses in investigating and remediating a data breach, and recovering the insured’s data and other information assets.  Third party coverage kicks in when customers and regulators seek to hold the insured accountable for the breach.

But we know this already, right?

We also know that underwriters started with commercial general liability (CGL) forms when they started writing cyber policies because, well, it was the closest thing they had on file and nobody likes to start from scratch.  I’ve previously discussed how this has led to some CGL provisions spilling into cyber policies even though they really don’t belong.  The contractual liability exclusion, the acts of war/terror exclusions, etc.

On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and therefore not covered under its cyberinsurance policy.  Ouch.  Let’s back up.

In 2014, hackers posted the credit card numbers of 60,000 P.F. Chang’s customers on the internet.  P.F. Chang’s had a Chubb cyberinsurance policy in place, for which it paid a $134,052.00 annual premium.  Chubb paid P.F. Chang’s $1.7M in policy benefits to cover forensic investigation, litigation defense and other costs, but that was less than half of the cost of this breach.

Really?  Yes, really.

Those new, old-school Air Jordans are retro cool (and I have them).  Those new cyberinsurance retroactive dates – eh.

I blogged about retroactive dates here.  Reminder: an insurance policy retroactive date is the day prior to which otherwise covered occurrences are not covered.  In the first policy placed with a particular carrier, this will usually be the policy’s inception date as well.  In my prior post, I discussed the problem of data breaches that occur prior to the retroactive date, but which are not discovered (and litigated, regulated, remediated etc.) until after that date.  Since many data breaches are not immediately discovered, this sequence could seriously impact coverage, particularly for new entrants to the market.

Here’s another twist.  What about the alleged “wrongful act” that purportedly caused the breach (the “occurrence” if you want to get technical about it)?  A plaintiff or regulator may contend that the “wrongful act” was the failure to implement particular security measures, and that may have occurred years before the breach.  If the policy ties the retroactive date to not only the “occurrence,” but also the”wrongful act” that did or allegedly caused it, double whammy.  And because the wrongful act could be at least alleged to have occurred at any time, this language could be placing coverage determinations in the hands of plaintiffs and regulators.  Dangerous.

FYI, NBD is “internet slang” for “no big deal.”  “Internet slang” is what my little brother uses in text messages.

Anyway.

Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling that Travelers had a duty to defend Portal Healthcare Solutions with respect to a class action data breach lawsuit filed after patients found their medical records online, sans permission.  The opinion analyzed a commercial general liability policy (CGL), specifically the “publication” issue that was also at the forefront in the 2015 Sony Playstation coverage dispute.  In Sony, a New York City trial court held that CGL carriers had no duty to defend a data breach class action, a ruling many saw as a sign that the days of finding data breach coverage in CGL policies was coming to an end.  There have therefore been a number of commentators suggesting that Travelers is a pendulum swing in the other direction, a sign that the viability of data breach coverage under CGL policies remains.

You probably are not.  The FBI, however, is reporting that an increasing number of cybercriminals are running “business e-mail compromise” scams.  A “B.E.C.” is when someone misuses social media or electronic credentials to assume the identity of a high level executive or trusted employee/consultant and then, posing as that person, requests fraudulent wire transfers from others inside the company.  The FBI reports that law enforcement has received reports of this activity in every state, that in the past three years there have been an estimated 17,642 victims and that the cost of these scams likely exceeds $2.3 billion over that span.

Whoa.

Now, remember when I told you that some of these fake e-mails scams were not being treated as covered occurrences?  The treatment of a claim like this sometimes depends on whether the sender of funds is an authorized user, and whether the loss is therefore not the result of a ‘network security failure’ or ‘unauthorized network access.’  Without “unauthorized access,” coverage may be hard to come by.  But the B.E.C. is an interesting twist on the familiar ‘fake e-mail from real bank customer’ scam.  In the context of a B.E.C., there arguably is an unauthorized use or entry – the assumption of an internal figure’s identity to cause another internal figure to aid the fraud.

On April 28, 2016, Angie Singer Keating (CEO of IT security firm Reclamere), Renee Martin (my colleague at Dilworth and a true HIPAA expert) and little old me will be presenting the first of a three-part series on data breach preparedness, response and mitigation for companies that maintain personal health information.  It’s a breakfast series, so we’ll start early, with bagels and coffee (and something healthy I’m sure) at 7:30 AM and the presentation going from 8 AM – 9 AM.  Location is Dilworth Paxson, 1500 Market Street, Suite 3500E, Philadelphia, PA.

To get the nitty-gritty details and RSVP, follow this link.  Hope to see you there!

Contact Information