Today, it seems hardly a month passes without a report of another business falling victim to a data breach. Over the past few years, some of the largest and best-known companies, such as Equifax, Target, Home Depot, TJ Maxx, Anthem, Sony Pictures, and Uber, have been affected by data breaches. These companies have experienced significant losses, totaling millions of dollars.
While larger companies may possess the resources to absorb these losses, many small to medium-sized businesses may be unable to recover from a data breach. Even a small data breach affecting only a few thousand records could expose a business to significant losses with devastating impact, and may even cause a business to close. According to a 2017 study by the Ponemon Institute, although the average cost per record lost or stolen decreased from $158 in 2016 to $141 in 2017, the average size of data breaches increased to more than 24,000 records with a global average cost of $3.62 million.
Recently, insurance companies have begun offering customers cyber liability policies specific to cyber risks, including those risks associated with data breaches. These policies can vary in terms of their coverages and exclusions. In general, they offer both first-party and third-party coverages.
These policies and their levels of coverage vary by insurer, so it is important to review any policy and its exclusions prior to purchase, to understand the potential limitations in coverage. Failure to do so can lead to uncertainty and can expose a business to coverage disputes, frequently at the worst possible time: after a breach has already occurred.
For example, in P.F. Chang’s China Bistro v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 2016), Chang’s sought reimbursement from Federal under its cyber liability policy for $1.9 million it paid in assessments to its payment card processing company, Bank of America Merchant Services (BAMS). The assessments were based on a data breach in 2014 in which hackers obtained and posted on the Internet the credit card numbers of approximately 60,000 of Chang’s customers. Under its Master Services Agreement (MSA) with BAMS, Chang’s agreed to reimburse BAMS for any “fees,” “fines,” “penalties,” or “assessments” imposed by the credit card associations because of a breach.
In granting summary judgment in favor of Federal, the Court held that the cyber policy’s “Privacy Injury” coverage did not apply to BAMS’ claim for reimbursement from Chang’s because the records that were compromised were not BAMS’ records, but those of the issuing banks. The Court also held that the policy language barred coverage for claims arising out of any liabilities or obligations assumed by Chang’s, including those assumed under any contract or agreement like the MSA between Chang’s and BAMS.
In a case still pending, Columbia Casualty Co. v. Cottage Health System, No. 2:16-cv-03759 (C.D. Cal. Complaint Filed May 31, 2016), an insurer (Columbia) filed suit seeking to deny coverage under the cyber liability policy it issued to Cottage Health System (Cottage). Cottage, which operates a network of hospitals, suffered a data breach in 2013 in which the confidential electronic medical records of approximately 32,500 of its patients stored on its servers were made available to the public on the Internet.
Columbia argues, among other things, that coverage is barred based on the policy’s “Failure to Follow Minimum Required Practices” exclusion that precludes coverage for the “failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application…” as well as the policy’s “Minimum Required Practices” condition which provides that, as a condition precedent to coverage, Cottage warranted that it would “maintain all risk controls” identified in its application. Columbia also claims that the policy should be rescinded because Cottage’s responses to its application contained misrepresentations and/or omissions of material fact upon which Columbia relied when issuing the policy.
Given the current state of cyber risk, cyber liability insurance is increasingly becoming an essential element in the overall risk management strategy for many businesses. However, the language used in these policies can be complex, and it may not be easy for businesses to identify and understand potential gaps in coverage. These cases highlight how important it is for businesses to have a thorough understanding of their risk profile when applying for coverage, and to consider cyber liability policy limits and exclusions prior to purchasing cyber liability insurance.