Insurance Recovery: Can Your Company Handle a Data Breach and Are You Insured?

Hackers and organized criminals target sensitive and proprietary information, from credit card numbers to intellectual property. Companies that handle sensitive and personal information, particularly those in retail, healthcare, finance and technology, must insure themselves against data security and privacy claims and related government investigations. 

The risk of an attack or breach can no longer be viewed simply as an IT issue but rather as an organizational risk. Companies should ensure that their insurance policies provide cyber and privacy coverages that will minimize the financial impacts associated with a breach or attack. There are policies now that provide coverage for some or all of the following losses associated with data security breaches:

  • Legal expenses incurred as a result of the breach
  • Third-party lawsuits by people whose data has been compromised
  • Business interruption losses, i.e., coverage for profits lost due to a breach
  • Damage to online systems or data losses
  • Statutory violations, government investigations and fines
  • Costs of complying with consumer notification laws
  • Costs associated with investigating a breach
  • Breach of contract and negligence claims arising out of disclosure of credit card information, including coverage for breach of a merchant agreement and coverage for Payment Card Industry Data Security Standard (PCI DSS) fines
  • Costs of providing credit monitoring, including postage and advertising costs
  • Loss of intellectual property

How to Handle Data Breaches

What should your company do if it becomes a victim of a data or privacy breach? Following these six steps will improve your chances of maximizing available insurance coverage and preserving your ability to run a successful business during the traumatic event.

Step One: Create a Control Group

Data breaches may lead to significant liabilities and require coordination among several corporate departments: risk management, IT, corporate finance and, most importantly, legal. All resources—inside and potentially outside ones—should be brought together to address the issues as a group. Like all crisis planning, this group should be put in place before there is a crisis so the company can respond quickly, efficiently and properly should a breach take place.

Step Two: Gather and Review All Potentially Applicable Insurance Policies

To determine whether insurance coverage is available, first gather and review all of the company’s insurance policies. Data breach losses can trigger many types of coverage, and a company’s entire insurance portfolio should be reviewed. Never assume you know or remember the types of coverage you may have. This review should also include policies where the company is an additional insured under a vendor’s policy to the extent that vendor or the contract is involved. We suggest that this process take place on an annual basis and in advance of any incident. Perkins Coie conducts these audits at a company’s request to prepare for potential claims as well as to assist the risk management department in obtaining language that addresses special concerns of the company. Depending upon the facts, the policyholder could even be covered under an employee theft or fidelity policy or as an additional insured under a vendor’s policy.

Step Three: Watch Your Words

What you say, to whom you say it and how you say it may make the difference between a claim being covered or uncovered. Policyholders should be careful in the initial stages when characterizing their claims or discussing coverage with their insurance companies, their brokers, any outside consultants, news organizations, or investors and shareholders. To maintain a single cohesive message, a policyholder should identify one point person in the company who will communicate about the breach or attack. That person needs to work carefully with counsel and the risk and insurance manager so as not to inadvertently jeopardize insurance coverage. One cautionary note: conversations with brokers are not privileged.

Step Four: Provide Prompt Notice

The policyholder should provide prompt notice of a claim or circumstances to the relevant insurance carriers. Failure to abide by the policies’ specific notice provisions may bar coverage in many jurisdictions. Most cyber-liability policies are “claims-made” policies that require that notice be given during the policy period or an extended discovery period. Consequently, notice must be provided promptly, even if only in the form of a potential claim, sometimes called a “change in circumstances” in insurance parlance.

Step Five: Demand that Insurers Fulfill Their Coverage Obligations

Policyholders must demand that their insurance companies promptly meet all contractual obligations. A reservation of rights letter without an agreement to provide coverage is tantamount to a denial. Further written communication with the insurance carrier must be pursued to obtain a commitment to provide coverage. Where the company has been sued as a result of the breach, immediate agreement from the insurance company to defend and/or pay defense costs is critical. With regard to defense, the primary insurance carrier is obligated to provide that defense, or to pay for it, if the claim is only potentially covered. The company does not have to prove coverage at this stage. A denial is often the beginning of a time-consuming dance with an insurance carrier. If a policyholder needs to file suit or to arbitrate against the insurer, it should review the policies with counsel and determine what steps must be initiated.

Step Six: Follow Underlying Cases and All Criminal Investigations, Update Insurance Carriers Regularly

Identify one individual in the legal or risk management department to follow all of the underlying cases and related criminal investigations. Having a single point of contact will allow the company to present the claim in the manner that maximizes coverage.