Guidance on Insurance Coverage for Cyber Attacks

February 6, 2014

The widely reported breach of Target Corporation’s computers by cyber thieves, resulting in the loss of private financial information from more than 100 million customers, is just the most recent example of the vulnerability of private data once it enters cyberspace. Over the past couple of years, on a weekly, if not daily, basis, hackers have breached a large organization’s computer firewalls and obtained access to customers’ Social Security numbers, passwords, credit card numbers, and other private personal identification information.

The Privacy Rights Clearinghouse reports that, as of January 28, 2014, 663,182,386 records have been breached in 4,164 attacks made public since 2005. In reality, the number is much larger. Moreover, the attacks are not limited to data breaches. Large organizations, particularly financial and health care institutions, face an escalating number of cyber extortion attempts, denial of service attacks, and invasions of malicious software designed to corrupt and destroy data.

As the incidence of cyber attacks has grown, so have the resulting costs. The Ponemon Institute’s 2013 Cost of Data Breach Study places the average organizational cost associated with data breaches and other cyber attacks at $5,403,644, and this figure excludes the costs of large data breaches affecting more than 100,000 records, such as the recent breach affecting Target Corporation, because such breaches “are not representative of most data breaches and to include them in the study would skew the results.”

Usually within days of a significant data breach, the organization whose computer security was compromised finds itself defending expensive class action lawsuits seeking damages for the invasion of customers’ privacy rights. In addition, organizations will incur costs notifying customers, responding to governmental and regulatory investigations, hiring forensic computer experts, curtailing loss of customer goodwill by, for example, providing credit monitoring, and repairing damage to computer networks and data. See National Conference of State Legislatures, “State Security Breach Notification Laws,” January 21, 2014. Companies also may experience periods of business interruption if online websites and payment systems are disabled.

While specialty cyber risk insurance policies are now available, most organizations that have been victimized by computer data breaches have sought insurance coverage for these costs under standard property and commercial general liability (CGL) policies. This is the first in a series of posts on insurance coverage for cyber attacks derived from a comprehensive article on the subject in Insurance Litigation Reporter. My next post will discuss the first coverage organizations turn to when faced with liability to customers stemming from a data breach: the “Advertising and Personal Injury” provisions of the CGL policy, also known as Coverage B.