Reports of massive data breaches are becoming an everyday event. The costs associated with a data breach can be staggering. Target, for example, reportedly incurred $61 million in expenses related to its data breach. Fortunately for Target, insurance is expected to pick up $44 million of the costs.
As with Target, many companies that have experienced data breaches are looking to their insurers to help shoulder the costs. There are any number of pending disputes over whether traditional insurance policies cover privacy and cyber-related losses. As a result, the insurance industry has added new limitations and exclusions purporting to narrow or cut off coverage for such claims.
Many insurers use policy forms and endorsements issued by the Insurance Services Office (ISO) or model their own forms based on the ISO forms. Recently, ISO introduced a series of new endorsements entitled “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability.” These exclusions are designed for use with both business owners’ and general liability/umbrella policies. These endorsements purport to preclude coverage for damages arising out of:
The exclusions apply “even if damages are claimed for notification costs, credit monitoring expense, forensic expenses, or any other loss, cost, or expense incurred” by the insured or others.
The new ISO exclusions are effective May 1, 2014. That means that individual insurers who license ISO forms can begin using these exclusions in May 2014. Some insurers may already be using similar or manuscript exclusions. It’s not clear how the courts will interpret or apply these exclusions. But policyholders should anticipate that insurers will be aggressive in resisting claims, including HIPAA-related exposures under the new Omnibus Rule.
Now more than ever, policyholders need to carefully consider some form of cyber insurance. Unfortunately, many companies (particularly small to mid-sized companies) do not fully appreciate the risks and costs associated with a cyber attack or the potential benefits of these specialized policies. There are numerous specialty cyber products on the market, and the scope of coverage varies considerably. Some cybersecurity policies cover direct losses arising from a data breach, such as business interruption, destruction of data or property, and reputational harm. Other policies provide coverage for civil, administrative and regulatory investigations, fines and penalties, and remediation coverage to address the costs associated with a security breach. Moreover, certain insurers now offer health care policies that provide coverage for HIPAA investigations and claimed violations. Some policies apply to a failure to comply with the privacy provisions of HIPAA and cover civil monetary penalties imposed on the insured for violating those provisions. Because of the varying nature of these policies and the risks they are intended to cover, proper placement requires a careful evaluation and a coordinated approach.
The new ISO exclusions represent a continuing effort by the insurers to limit damages for cyber- and privacy-related losses under traditional insurance policies. Businesses need to carefully consider management of their financial exposure, including cybersecurity coverage.
If you have questions about these new ISO exclusions and how to protect your business' cyber privacy, contact Nick Nierengarten at firstname.lastname@example.org or 612.632.3040 or Tim Johnson at email@example.com or 612.632.3208.
This article is provided for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances. You are urged to consult a lawyer concerning any specific legal questions you may have.
Gray Plant Mooty is recognized as one of the leading corporate law firms in Minnesota and one of the top franchise firms in the world. Our roots go back to 1866. Today, we are a full-service firm with nearly 180 attorneys and offices in Minneapolis and St. Cloud, Minnesota; Washington, D.C.; and Fargo, North Dakota.