In light of the well-publicized losses of customer data in the retail and banking industries, it should come as no surprise that insurance addressing this risk is already a rapidly growing niche market and is expected to become a major product for the insurance industry in the future. Loss of property in the form of data has been an inconvenience faced by many insureds since the beginning of the data processing era. Third-party liability losses or significant business interruption as a result of data loss, caused by a security breach or attack, are less common but are quickly becoming major risks for most insureds (and are notoriously underreported).
The network security, or "cyber liability," insurance market is new and rapidly evolving. There is little commonality among the various policy forms, threshold triggers of coverage or major exclusions. Even the basic structure of the product can vary greatly from insurer to insurer.
Data corruption or loss of data owned by an insured which results in a loss of use of the insured's system can trigger coverage under most first-party network security policies. However, the "location" of the property insured, i.e. the data, must be clear for the first-party policy to be triggered. Data which is owned by the insured but residing on a third party's system would, absent specific policy wording, not trigger a covered loss of property. This would be the case despite the fact that the data lost or corrupted may have been accessed through the insured's system or through the insured's internet site, which was made available to the public.
Determining the exact location of electronic data in the age of outsourcing and "cloud computing" is not always obvious but is an important prerequisite to first-party coverage, and with good reason. Risk assessment for insurers offering this kind of coverage is difficult if the data is not directly controlled by the insured and access, security and quality control procedures are not subject to disclosure during the underwriting process.
The nature and extent of the damage to the insured's data can also be an issue after a claim has been submitted. Data loss or degradation can be difficult to establish. If an older or less complete version of the data is available, damage to a discrete part of the data may not result in a direct loss to the insured of functionality or access.
Ascertaining the value of the first-party loss will invariably become an important part of the claim. The cost of "remediation" (that is, restoring or recovering the data) is the typical measure, but raises issues of whether the insured suffered an ultimate net loss in the first place. If the data is recovered from another part of the insured's own system (for example, from backup tapes or legacy systems), it is unclear if it was damaged or destroyed in the first place. Also, internal costs of recovery should be specifically included in the coverage part or by endorsement. Otherwise, out-of-pocket costs and the cost of replacement media will be the measure of the damages.
Loss itself may not be defined clearly enough. First-party policies should distinguish between direct loss and a loss as a result of a claim by a third party which does not involve legal liability. The most obvious example would be privacy notification costs. These ordinarily would be incurred only with respect to a potential third-party liability claim and do not involve a direct loss to the insured. Many states, however, now require notification and some form of remediation to customers even absent a claim. This must be included in the definition of loss for first-party coverage to attach.
First-party policies typically provide coverage for the interruption, suspension or degradation of the insured's system which results in loss of business income or extra expense. These types of losses can be large and, especially in the case of degradation of the insured's system, difficult to establish directly. Insurers should be careful to investigate "down time" claims for businesses other than retail and securities which very often involve primarily the insured's administrative systems and do not result in actual lost sales or revenue.
An insured's potential liability to third parties typically arises when the insured loses or allows unauthorized access to its customers' private information, such as social security numbers, banking or credit card information or passwords. Actual loss suffered by a particular customer as the proximate result of the loss of their private data, however, is still rare and should be vigorously contested by defense counsel appointed by the insurer. This has not stopped attorneys from being creative in asking for class action compensation, such as credit monitoring, identity theft insurance and vouchers to compensate for alleged "lost time" as a result of the security breach. See for example: www.tjxsettlement.com/Documents.aspx.
Coverage for third-party liability as a result of any loss of data, however, is not certain. Many third-party liability policies limit the coverage to liability for loss of private data of "customers" of the insured. Claims for indemnity or direct loss from other third parties (for example, banks or credit card companies) in the chain of payment may not be covered. Also, some policies require that the loss occur over the Internet or a network. Thus, direct loss of the data (for example, by the theft or misplacing of a laptop) would not be included, unless specifically endorsed. Insurers and their counsel should pay particular attention to these issues when adjusting a claim.
Liability coverage can also include damage caused by the transmission of a virus from the insured's system to a customer, or if the insured's system allows an "attack," such as a denial of service, to cripple a third party's system. Again, this type of claim should be carefully examined to determine if the attack originated from or took advantage of a flaw in the insured's network, or if the access was facilitated merely because the insured's system is Internet-based.
The identity of the persons involved in any loss must be considered. Most insurers exclude employee theft, as well as losses that involve the provision of professional services by any insured. Determining the identity of the actor involved in a cyber attack is clearly not easy. Liability for fines and penalties is typically included in most network security policies but usually subject to a lower sub-limit. The insurer should make clear that sanctions for the loss of evidence in litigation do not equate with damages or a fine/penalty.
Because of the increasing number of cases involving computer crime and electronic data loss it is all but certain that demand for network security insurance will continue to increase. Lack of standardization in policy language, the underwriting process and claims handling is sure to result in many interesting issues for insurers, insureds and their counsel.
John P. Scordo is a Partner practicing in the area of commercial litigation in state and federal courts, primarily involving insurance, contract disputes, mass tort, securities, and real estate-related matters. He regularly counsels clients on issues involving electronic discovery. Mr. Scordo's experience includes the handling of complex litigation and the negotiation of claims/coverages under various types of insurance. He works in the New Jersey office of Day Pitney.