
On the Fourth Day of Privacy, My Insurance Carrier Gave to Me.....

gaps in my cyber liability coverage.................

Written by Heidi Lawson and Danny Harary

What can companies and insurers expect in the new year when it comes to cyber liability insurance coverage?  While we wait for some court decisions interpreting these new stand-alone cyber liability insurance policies that are being heavily pushed in the market, there are some steps a company can take now to make sure the scope of their insurance coverage is consistent with their expectations.

With many insurers now entering the market looking to make a profit on this new coverage, the question is: how broad is this new coverage – really?

For example, did you know that a frequent gap in coverage associated with these new stand-alone cyber liability insurance policies relates to dispersal of sensitive data through acts of company employees? If the employee's actions are intentional, many policies expressly exclude employee breaches, and otherwise, an insurer may be able to assert that coverage is precluded on account of the conduct exclusion, which typically excludes intentional or dishonest conduct. However, what if the employee's release of the sensitive information (whether belonging to the company or a third party) is accidental? Many policies only cover the costs associated with the unauthorized acquisition or access. In this scenario the employee was authorized – just negligent. Therefore, the insurer can likely maintain that coverage is simply not triggered because the employee was authorized to access the information in question. Since many breaches are due to employee error, unless the policy language is specifically changed to address this scenario, there is potentially no coverage.

Putting aside the more obvious gaps in protection, this new wave of stand-alone cyber liability insurance policies leaves the door open for interpretation. Given the novelty of the risk and these new policies, as evidenced by the absence of any cases construing these new insurance products, both insurers and companies should try to inject as much certainty as they can into the policy language. Clearly defined terms and conditions allow both the company and the insurer to avoid at least some of the inevitable conflicts that devolve into litigation regarding the meaning of ambiguous wording. They also give both insurers and companies an opportunity to harmonize coverage between various lines of business, lessening the number of gaps in coverage and unhappy insureds. We published an article this month in the New York Law Journal commenting on how these new stand-alone cyber liability insurance products might be interpreted by a court and ways to bring more certainty to this new policy language. See the article here.

What can you do on this Fourth Day of Privacy?  Let the buyer beware.  Read your policy and pay particular attention to the scope of the definitions and exclusions.  Do this now - before you are faced with a breach.

 

Don't forget to come back on Monday for the continuation of the Twelve Days of Privacy!

 


Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.