Dissecting the Anatomy of Cyber Risk: Part 1 of 4
Why Your Existing Business Insurance May Leave You Bare
Welcome to Cybersaurus Lex, a weekly blog devoted to our readers' education on cyber risk and data breach. In this, our launch edition, we will dissect the typical business insurance policies and why each may leave your business unclothed in the event of a cyber-invasion.
Comprehensive General Liability Policies
Under CGL policies, "damages" have been interpreted to mean money recovered by a party as compensation for loss or detriment suffered because of the wrongful acts of another. In the context of cyber liability claims, Plaintiffs frequently seek relief in the form of statutory penalties, injunctive relief, restitution and attorneys' fees in addition to traditional monetary damages. Whether these additional forms of relief amount to "damages" impacts an insurer's duty to defend and indemnify. Likewise, "property damage" has traditionally included "physical injury to tangible property" and "loss of use of tangible property that has not been physically injured." Is electronic data "tangible property"? Does it matter whether "physical injury" to the property exists? Does the impairment or breach of computer data and software amount to "property damage" such that coverage is triggered? These are issues that are being addressed in courts across the country.
Other traditional policies may offer businesses a place to turn in an effort to secure coverage for data breaches, cyber liability to customers and other related claims. These include business interruption, directors and officers, errors and omissions and crime policies. Each has its corresponding limitations, though.
Business Interruption Policies
These policies typically provide coverage for "risks of direct physical loss or damage," but is the loss of computer data covered as a "physical loss"? At least one court has said no.[1] A California Court found that the loss of electronically stored data, without loss or damage to the storage media, was not a covered "physical loss", noting that the insured did not lose tangible material but stored information. Other courts, including at least one Appellate Court in Texas, have found to the contrary, reasoning that "physical damage" is not restricted to physical destruction of the computer's circuitry but also includes loss of access, loss of use and loss of functionality.[2]
Directors and Officers Liability Policies
These policies generally provide coverage for the wrongful acts, negligence or errors in business judgment by the officers and directors of organizations. Directors and officers may be able to seek coverage for their failure to implement any cyber security measures, or even adequate ones, but these issues have not yet been tested in the Courts. The anticipated claim against the insured is that it failed to implement industry standard protections, which may be a bootstrap to claims against the insured's directors and officers. Time will tell.
Errors and Omissions Policies
These policies generally provide coverage for the negligent acts, errors and omissions in the performance of the insured's professional services. Many policies limit coverage to acts that are no more than negligent and specifically exclude any intentional wrongful acts.
Crime Policies
These policies afford coverage for theft of money, securities or property but often exclude theft of information, trade secrets and other confidential information. Even cyber-crime riders are typically limited to theft of information and do not cover invasions of privacy as a consequence of the theft.
Cyber risk is a species unto itself, and so too must be our approach to dissecting the anatomy of cyber risk and insuring our businesses and industries against this unique risk. In Part 2, we will explore the business case for Cyber Insurance. Stay tuned for that and more.
----------
[1] In Ward General Insurance v. Employers Fire Ins. Co., 114 Cal. App. 4th 548 (2003).
[2] See American Guarantee & Liab. Ins. Co. v. Ingram Micro, Inc., 2000 U.S. Dist. Lexis 7299 (D. Ariz. Apr. 18, 2000); Lambrecht & Assoc., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003); Southeast Mental Health Center Inc. v. Pacific Ins. Co. Ltd., 439 F.Supp.2d 831 (W.D. Tenn. 2006); NMS Servs. v. The Hartford, 62 Fed. Appx. 511, 515 (4th Cir. 2003).