4/29/2021

Ask Our VP of Compliance: April 2021

Cybersecurity and Insurance
 

Ok, so imagine you’ve been breached and there is your customers’ information flying all around the internet, and not a darn thing you can do about it. Even worse, there is a lawsuit against your company for the breach and it is not looking good. Thankfully, you had the good sense to get good commercial liability insurance. 

You’d probably imagine that your company may yet weather this storm that is coming. You’re covered, right?

Well, you’re probably wrong. Or, at least very possibly wrong. No company should be relying on their general liability insurance for cybersecurity matters, especially not New-York based companies. 
 
When companies seek to get claims from their general liability insurance policies they usually point to a section of the contract that specifies something along the lines of an insurance company’s promise to pay “personal and advertising injury” which the policy will define to be something along the lines of “oral or written publication, in any manner, of material that violates a person’s right to privacy.” But does this apply to data breaches? You can be pretty sure that your insurance company will say no. 

But what will the court say?

The answer is that it depends on the court. And it will all ride on what the court considers a “publication.” Some courts will say that a data breach is a “publication” even though it is unintentional. These courts focus on how the result is the same regardless of whether the company had a hand in the publication or not and that the insurance must pay. Other courts, including one in New York, will say that “publication” requires an affirmative act by the breached company, and so the insurance does not have to pay.

It’s all unresolved at this point, largely because cybersecurity is such a new field, and its opaqueness is not good for companies who need reliable and discernable outcomes. 

Adding to the problem is potential exclusion language in an insurance contract that states your insurance company is not liable for cybersecurity-related damages or other expenses. 

So what should you do? You need to find an insurer that offers supplemental cybersecurity insurance. And not only that, you need to read the policy closely and ensure that all the necessary protections are in place (they will have exclusions and you need to be careful). 

Here are some helpful questions to ask when looking for cybersecurity insurance:

  1. What if any cybersecurity incidents are already covered by my general liability insurance?
  2. Does the cybersecurity policy place a cap on hourly fees for forensics experts and lawyers?
  3. Does the insurance only cover data breaches, or does it cover other types of attacks like DOS attacks?
  4. Does the policy cover disruption to business and reputational damage?
  5. Does the policy cover credit monitoring services for customers?
  6. Does the policy apply to IP-related risks?
  7. Does the policy cover fees from credit card companies and other business partners that result from data breaches?
  8. Would it be a better option to just put money aside for cybersecurity breaches and self insure?

You should know that Digital Edge has experience working with insurance companies and will be happy to assist you in answering any questions you may have.

Keith J. Barry, Esq.
VP of Compliance

Keith J. Barry joined Digital Edge in 2013. Keith possesses a BA in Computer Science, a Juris Doctor degree from Brooklyn Law School, as well as several industry certifications including AWS Cloud Architect, CompTIA Network+, and CompTIA Server+. His career has mirrored his diverse interests, and Keith has experience on the technical side as a senior systems administrator, and on the legal/business side as an attorney and cybersecurity compliance officer.