Articles Posted in Policy Terms

Stand-alone cyberinsurance is a critical component of enterprise risk management.  But even companies with traditional and cyber coverage may, and usually do, have gaps in coverage created by what I’ve referred to as the ‘hot potato’ problem.  This is when neither the cyber policy nor the relevant traditional coverage is truly designed for a relatively new kind of risk.

One example is physical damage caused by cyber events.  Particularly as the Internet of Things increases the connectivity of physical devices, cyber attacks can hurt people and property.  Cyberinsurance likely covers network security failures and unauthorized access to these devices, but ‘standard’ cyber policies typically exclude coverage when these events result in physical damage.  And property and casualty policies that would otherwise cover physical harm generally exclude damages arising out of cyber events.  Rock, meet hard place.

Gap, meet AIG’s Cyber Edge products.  These products are designed to fill this gap by, in addition to covering the relatively standard range of cyber risks, including the ability to add coverage for cyber events that cause physical damage to people or property.

This article was first published in the Fall 2016 issue of “The Bulletin,” a quarterly newsletter published by Kessler Topaz Meltzer & Check, a renowned law firm representing institutional investors and classes in securities, shareholder and other complex litigation.  I’ve included the full publication on my Resources page.

Find me a centralized repository of personal, financial and health information, and I will find you millions of attempts per day to access, steal or corrupt it. Even absent a malicious actor, there is an increasing likelihood that private data will be inadvertently made public.  This is our world.

First, I have to say that Paul Stockman at McGuireWoods has beaten me to the punch in his article, “Cyber Risk ‘IRL’.”  So, read that.

Stockman addresses a coverage issue I’ve noted in cyber policies across carriers.  They tend to say something like: “The Company shall not be liable for Loss on account of any Claim or for any Expense…for bodily injury…or damage to or destruction of any tangible property.”  Carrier’s position: If the data breach or malware attack causes an explosion, that’s on somebody else.  My take – well, it would depend on the facts, the policy wording and the state of the law in the relevant jurisdiction.  Of course.

It’s now clear, however, that cyber attacks can do more than corrupt and steal electronic data.  Cyber attacks can also result in machine malfunctions that cause physical harm ‘IRL,” or “in real life.”  Consider a hacker taking control of an HVAC system, or a car or a nuclear centrifuge (it separates uranium isotopes to make nuclear bombs).  The result: IRL, broken stuff, injured people damage.

Here is how it is supposed to work.  Something bad happens.  You’re insurance company pays for it.  Then, your carrier sues the bad guy who harmed you.  That’s subrogation.

In the data breach context, this timeless construct presents numerous challenges.  The most notable is the difficulty associated with finding the bad guys.  But that isn’t your problem.

The contract you have with your data hosting service, credit card processor or other vendor, on the other hand, might very much be your problem.  You probably pay a monthly fee.  Depending on the size of your company, that fee is probably a modest amount.  For smaller organizations, it might only be $20 or so per month.  Now, consider what this vendor is holding – all of your data.  Yikes.

Cyberinsurance policies typically provide first and third party coverage.  First party coverage relates to an insured’s own expenses in investigating and remediating a data breach, and recovering the insured’s data and other information assets.  Third party coverage kicks in when customers and regulators seek to hold the insured accountable for the breach.

But we know this already, right?

We also know that underwriters started with commercial general liability (CGL) forms when they started writing cyber policies because, well, it was the closest thing they had on file and nobody likes to start from scratch.  I’ve previously discussed how this has led to some CGL provisions spilling into cyber policies even though they really don’t belong.  The contractual liability exclusion, the acts of war/terror exclusions, etc.

On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and therefore not covered under its cyberinsurance policy.  Ouch.  Let’s back up.

In 2014, hackers posted the credit card numbers of 60,000 P.F. Chang’s customers on the internet.  P.F. Chang’s had a Chubb cyberinsurance policy in place, for which it paid a $134,052.00 annual premium.  Chubb paid P.F. Chang’s $1.7M in policy benefits to cover forensic investigation, litigation defense and other costs, but that was less than half of the cost of this breach.

Really?  Yes, really.

Those new, old-school Air Jordans are retro cool (and I have them).  Those new cyberinsurance retroactive dates – eh.

I blogged about retroactive dates here.  Reminder: an insurance policy retroactive date is the day prior to which otherwise covered occurrences are not covered.  In the first policy placed with a particular carrier, this will usually be the policy’s inception date as well.  In my prior post, I discussed the problem of data breaches that occur prior to the retroactive date, but which are not discovered (and litigated, regulated, remediated etc.) until after that date.  Since many data breaches are not immediately discovered, this sequence could seriously impact coverage, particularly for new entrants to the market.

Here’s another twist.  What about the alleged “wrongful act” that purportedly caused the breach (the “occurrence” if you want to get technical about it)?  A plaintiff or regulator may contend that the “wrongful act” was the failure to implement particular security measures, and that may have occurred years before the breach.  If the policy ties the retroactive date to not only the “occurrence,” but also the”wrongful act” that did or allegedly caused it, double whammy.  And because the wrongful act could be at least alleged to have occurred at any time, this language could be placing coverage determinations in the hands of plaintiffs and regulators.  Dangerous.

FYI, NBD is “internet slang” for “no big deal.”  “Internet slang” is what my little brother uses in text messages.

Anyway.

Last week, the Fourth Circuit affirmed an Eastern District of Virginia ruling that Travelers had a duty to defend Portal Healthcare Solutions with respect to a class action data breach lawsuit filed after patients found their medical records online, sans permission.  The opinion analyzed a commercial general liability policy (CGL), specifically the “publication” issue that was also at the forefront in the 2015 Sony Playstation coverage dispute.  In Sony, a New York City trial court held that CGL carriers had no duty to defend a data breach class action, a ruling many saw as a sign that the days of finding data breach coverage in CGL policies was coming to an end.  There have therefore been a number of commentators suggesting that Travelers is a pendulum swing in the other direction, a sign that the viability of data breach coverage under CGL policies remains.

You probably are not.  The FBI, however, is reporting that an increasing number of cybercriminals are running “business e-mail compromise” scams.  A “B.E.C.” is when someone misuses social media or electronic credentials to assume the identity of a high level executive or trusted employee/consultant and then, posing as that person, requests fraudulent wire transfers from others inside the company.  The FBI reports that law enforcement has received reports of this activity in every state, that in the past three years there have been an estimated 17,642 victims and that the cost of these scams likely exceeds $2.3 billion over that span.

Whoa.

Now, remember when I told you that some of these fake e-mails scams were not being treated as covered occurrences?  The treatment of a claim like this sometimes depends on whether the sender of funds is an authorized user, and whether the loss is therefore not the result of a ‘network security failure’ or ‘unauthorized network access.’  Without “unauthorized access,” coverage may be hard to come by.  But the B.E.C. is an interesting twist on the familiar ‘fake e-mail from real bank customer’ scam.  In the context of a B.E.C., there arguably is an unauthorized use or entry – the assumption of an internal figure’s identity to cause another internal figure to aid the fraud.

Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach.  On February 5, 2016, hackers froze the hospital out of its electronic patient records.  Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later.  Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland.  The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk.  It is one, however, that a cyberinsurance can cover.

“Can.”  Not necessarily “does.”

Policies have drawn a distinction between cyber extortion and other types of network security breaches.  At the most general level, there seems to be little difference.  It all starts with unauthorized access.  A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records.  Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first party coverage for data breach response and remediation.