Insurance Coverage for Data Security Breaches
LexisNexis Insurance Law Center
Robert L. Wallan
Data security breaches are a real threat in today’s computer-dependent work environment. Security breaches via hacking, unauthorized internal access, and the inadvertent disclosure of personal information are all circumstances that can create cost and legal exposure. Chances are, a company’s existing insurance policies may provide some coverage in the event of a data security breach, but there are additional coverages that may be worth exploring and evaluating.
There are three basic types of insurance policies that may provide some coverage for data security breaches:
- First party coverage: Covers loss of or damage to the company's own property. Lost or damaged data may be covered, but there are a number of exclusions to consider.
- Third party coverage: Coverage provided to a company when it is sued. Commercial General Liability (CGL) insurance is an example of third-party coverage that virtually all businesses have. There are provisions in CGL policies that do provide coverage for data security breaches.
- Errors and Omissions (E&O) coverage: Possible coverage for data security breaches may be available in an E&O policy.
One newer policy type to consider is network risk insurance. It blends first and third party coverages and can provide broader coverage than a typical policy would. For example, under a CGL policy, a company may have advertising injury coverage that could extend into data breaches. But in a network risk policy, a company could also secure first party coverage (e.g. theft or damage to data), business interruption coverage and perhaps cyberextortion, crisis management costs, public relations response and identity theft coverages. Policies can also include third party coverages such as professional services, content or media liability, network and security cost insurance. Coverage for basic privacy liabilities such as inadvertent or unintended disclosures of confidential information may also be available.
What to do now
Companies should have their existing insurance coverage reviewed to better understand what may or may not be covered. This is not a costly exercise, and would provide a sense as to whether your company has sufficient coverage.
In the case of an actual data security breach, or other unintended disclosure of private information, it is critical to provide prompt notice of loss to the insurance company. Also, don’t assume that there is a lack of coverage without a professional evaluation of your policy. This is a largely new area of insurance law, and you should not assume that a company’s in-house risk management department or your insurance broker will know whether coverage exists. Chances are there is little or no case law analyzing coverage in this newly developing area. As such, it is important to have the coverage evaluated in the event of a data security breach.
This article first appeared on the LexisNexis Insurance Law Center, June 29, 2009.