
Cyber Liability and Insurance Coverage

Cyber Liability and Insurance Coverage. Matthew L. Jacobs Partner, Jenner & Block LLP. Data Breach: A Minefield of Liability. First-Party Expenses Response Costs: Investigation, Notification, Correction Business Interruption Losses Costs to Restore Reputation: Defamation, Loss of Faith



Presentation Transcript


  1. Cyber Liability and Insurance Coverage Matthew L. Jacobs Partner, Jenner & Block LLP

  2. Data Breach: A Minefield of Liability • First-Party Expenses • Response Costs: Investigation, Notification, Correction • Business Interruption Losses • Costs to Restore Reputation: Defamation, Loss of Faith • Cyber Extortion Threats • Third-Party Liability • Regulatory Fines & Penalties • Legal Liability (Customers, Vendors, Business Partners)

  3. A Growing Body of Regulation • Federal Statutes and Regulations • Data Protection Statutes • E.g. Regulation S-K (disclosure of data security risks); Gramm-Leach-Bliley (financial data); Health Insurance Portability and Accountability Act (HIPAA) • EO 13,636 (2013) • Minimum security standards for critical infrastructure industries (voluntary) • Sharing of threat information between public and private sectors • State Statutes and Regulations • Breach Notification Statutes (most states) • Encryption/Security Mandates (e.g. NY, CA, MA) • International Regulation • E.U. Data Protection Directive

  4. A Gap Left by Existing Products • Uncertain success in pursuing coverage under more traditional policies for cyber loss • First-Party Property Policies • Claims may fail absent some indication of physical damage • Commercial General Liability Policies – Third-Party Claims • Courts may find electronic data is not tangible property • Fines & penalties for cyber-loss may not fall within scope of covered damages • Exclusions and definitions tightened to limit exposure • Revised specifically to exclude coverage for electronic data

  5. Types of Cyber Coverage: Security and Privacy Liability Coverage • Theft, misappropriation, or other unintentional disclosure of confidential, private, or personal information • Failure adequately to protect confidential, private, or personal information • Failure to disclose, or notify victims of, a breach incident • Associated violations of federal, state, local, or foreign laws governing protection of confidential, private, or personal information • Potential Issue: Electronic data may not be included in definition of property damage

  6. Types of Cyber Coverage: Security and Privacy Incident Management Coverage • Costs associated with detection and investigation following an incident, including forensic or other expert analysis • Repair, restoration, or replacement costs for affected data and systems • Disclosure and/or notification costs in response to an incident • Remedial measures to protect affected consumers (e.g. identity theft education, credit monitoring, etc.) • Public relations costs to preserve corporate image and reputation • Potential Issue: Incurred costs subject to consent or reasonableness standard?

  7. Types of Cyber Coverage: Information Asset Coverage • Loss of information assets resulting from system security failures in response to a cyber attack (e.g., viruses, unauthorized access, etc.). • Information assets include electronic data such as customer information, financial data, and corporate proprietary information. • Information assets also include the system’s functionality and capacity, including memory, bandwidth, and processing time. • Costs to restore or re-collect the impacted information assets • Potential Issue: May raise complex valuation issues

  8. Types of Cyber Coverage: Business Interruption Coverage • Business interruption costs sustained during period of recovery following a material interruption to systems or service, including: • Income Loss • Extra Expense • Contingent Business Interruption Loss • Extended Business Interruption Loss • Material interruption must be caused by system security failures • Potential Issue: How is loss measured – hours or days?

  9. Types of Cyber Coverage: Cyber Extortion Coverage • Security threats against the company’s network systems, including hardware, software, data storage, etc. • Can include costs paid by the company in response to such threats, such as “extortion” or “ransom” payments • Can include investigation costs following an incident • Potential Issue: Raises trigger of coverage issues as to seriousness and/or credibility of the threat required to justify payment

  10. Types of Cyber Coverage: Technology Errors & Omissions Coverage • Acts, errors, and omissions in connection with performance of technology-related services, including: • Systems analysis and programming • Data processing • System integration • Outsourcing development and design • Network and systems maintenance and repair • Product training • Consulting services • Acts, errors, and omissions in connection with creation, development, manufacture, distribution, licensing, sale of technology-related products, including: • Computer hardware, firmware, or software • Related products, equipment, or devices

  11. Key Provisions To Consider • Claims-made coverage versus occurrence-based coverage • Sufficiency of limits of liability and sub-limits • Retentions in the event multiple coverages apply • Broad definition of “Claim,” “Privacy Event,” and “Security Failure” • Broad scope of “Loss,” including statutory and regulatory fines and penalties where insurable • Narrow the scope of any exclusions • Bodily Injury or property damage • Intellectual property violations, products liability claims • Misconduct committed by employees • Infrastructure failures • Unlawfully collected personal information • Liability based on content created by third parties • Review scope of any causation or “relatedness” language
