Coverage Implications Related to a Data Breach
Despite dedicated cyber risk policies, a security breach can trigger a variety of claims and coverages, security experts said at a recent conference exploring privacy issues.
Panelists at the Privacy Xchange Forum, held in Scottsdale, Ariz., earlier this month, discussed the various policies – cyber, general liability, directors and officers and errors and omissions – that can be triggered after a breach. Once a breach has occurred, it is likely that more than one policy will be triggered and different aspects and costs related to the breach could be paid out under different policies.
Personal and advertising injury is often triggered in a GL policy. According to Eduard Goodman, chief privacy officer for IDT911, claims made under the GL policy often allege that the right of privacy was violated as a result of oral or written publication.
Eric Dolden, a founding partner with the Canada-based firm of Dolden Wallace Folick, said that D & O policies can be triggered when shareholders file complaints. Shareholder complaints may allege that because a cyber policy did not cover a loss, a company may have to dip into corporate income to cover a loss. Another example is when a shareholder claims a personal loss due to a material change in the company’s affairs, i.e., share prices dropped as a result of a breach and the shareholder claims lost stock value.
Despite the potential trigger of E & O, D & O and GL policies, Timothy Francis, second vice president for bond and financial products for Travelers, said insurers will still challenge coverage.
The panelists said that as more companies look to cyber risk policies, they experience a wake-up call of sorts as they go through the underwriting process. Panelists agreed that the trend of cyber security has become more of a C-Suite issue.
Francis said that during the underwriting process insurers are looking at a company’s contractual arrangements, whether a company has a plan for managing a data breach and whether a company has conducted any tabletop exercises that simulate a response after a data breach.
Besides the various policies that might respond to data breach claims, the panelists discussed the effectiveness of contractual indemnity in transferring cyber risk. They recommended that companies get indemnity when it covers direct and vicarious liability (like employees and other vendors) and use it with limitation of liability clauses. They also recommended indemnifying for all new cyber-related legislation.
Goodman said that contractual indemnification agreements shouldn’t be relied upon; rather, they are just one of many layers of protection.
Dolden recommended that every possible basis for a claim should be identified in advance of creating a contractual indemnification agreement.