“When Retro Isn’t Cool”

Those new, old-school Air Jordans are retro cool (and I have them).  Those new cyberinsurance retroactive dates – eh.

I blogged about retroactive dates here.  Reminder: an insurance policy retroactive date is the day prior to which otherwise covered occurrences are not covered.  In the first policy placed with a particular carrier, this will usually be the policy’s inception date as well.  In my prior post, I discussed the problem of data breaches that occur prior to the retroactive date, but which are not discovered (and litigated, regulated, remediated, etc.) until after that date.  Since many data breaches are not immediately discovered, this sequence could seriously impact coverage, particularly for new entrants to the market.

Here’s another twist.  What about the alleged “wrongful act” that purportedly caused the breach (the “occurrence” if you want to get technical about it)?  A plaintiff or regulator may contend that the “wrongful act” was the failure to implement particular security measures, and that may have occurred years before the breach.  If the policy ties the retroactive date to not only the “occurrence,” but also the “wrongful act” that caused or allegedly caused it, double whammy.  And because the wrongful act could be at least alleged to have occurred at any time, this language could be placing coverage determinations in the hands of plaintiffs and regulators.  Dangerous.

As with many cyberinsurance provisions, some tweaking is needed.  I doubt that it is most carriers’ intent to disclaim coverage because a firewall was not in place three years ago.  But clear language is the best evidence of intent that money can buy.  Scrutinize retroactive date language, both with respect to “occurrences” and “wrongful acts,” to ensure that you are buying a policy that truly takes effect at least on the date that it is purchased.