Below are some important talking points when discussing Cyber/Privacy Liability Insurance with clients.
1. Breach Response Team and Breach Coach
The Breach Coach (law firm) should always hire the forensics team and not the insured. The reason is that if the law firm hires the forensics team, any reports and findings are privileged and not discoverable.
2. Pay on Behalf of
Similar to other insurance policies, Cyber/Privacy policies can be a “duty to defend” or “pay on behalf of” policy. This is important since it will determine whether the insurance company pays directly for the defense and indemnity or whether the insured has to arrange for and pay for their own investigation, forensics and defense and then seek reimbursement from the carrier. Further, there may be parts of a policy that are paid directly by the carrier and other parts that must be paid by the insured first. Often business interruption and the first party costs are going to be “pay on behalf of” even if the rest of the policy is a “duty to defend” policy.
3. Primary and Non Contributory
4. PCI Fines and Penalties
PCI fines and penalties can be assessed by credit card companies for failure to have proper safeguards, which can cause the credit card companies a financial loss. The fine and penalty can be included in the contract with the credit card company, and therefore, in the event of an assessment, the payment can be looked at as a contractual obligation rather than a covered liability. Further, the wording of a policy may not define an “assessment” as a fine or penalty, so the liability may be deemed an “Assessment” which is neither a fine nor a penalty. Some of these fines can be very hefty, as in the millions. Many of the newer policy forms will have full policy limits for PCI fines and penalties.
5. Other Regulatory Fines and Penalties
The actual cost of a breach and unauthorized disclosure of confidential information can be significant even for small breaches. Additionally, many regulatory agencies can impose their own fines and penalties. Some carriers attempt to limit coverage for these fines and penalties since they are punitive in nature. If the data is healthcare related, the fines can be even more significant. For example, HIPAA fines can be from $100 to $50,000 per record. Where the policy lists multiple acts such as HIPAA, ACA, etc., it should also include the words “or similar local, state or federal statute or regulation.”
6. Third Party Cloud Data and Breaches
7. First Party Costs
The major costs in a breach continue to be first party payments. Carriers try to mitigate this exposure by providing sub-limits, limiting the number of records, or in other creative ways. Additionally, some carriers will provide these limits both inside and outside the limit of liability. These are the most important aspects of the coverage and where you will incur the most costs in the event of a breach. Data forensics is one of the largest costs, as those professionals charge between $500 and $1,000 per hour for their services. Keep in mind, your Breach Coach (attorney) should hire them so that their work is not discoverable.
8. Business Interruption
In most cyber policies, the definition of cyber business interruption is similar to the ISO standard time element definition: net profit (or loss) plus ongoing expenses during the period of restoration. Salaries may or may not be included. Some provide only a 30-day period of restoration, some up to 120 days. Some will also extend time element coverage to an attack on a dependent provider network.
9. Encryption
Carriers have varying requirements as they relate to encryption (full disk, mobile device, standing data, cloud data, etc.). The carrier may require that all mobile devices be encrypted. The term “mobile device” may apply to laptops, cell phones and tablets, but may also apply to flash drives, portable hard drives, etc. Most insureds don’t encrypt flash drives and cell phones. They may be password protected, but most are not encrypted. Another issue relates to standing data: are backups encrypted, are servers encrypted and are all desktop units encrypted? You need to ask yourself these questions, as the policy may be void as to any mobile device or standing device that is not encrypted as defined in the policy.
10. Social Engineering
11. Other Issues of Note
- Class Action Exclusions
- Bodily Injury/Personal Injury Exclusions
- Media Liability
- Loss Sustained versus Loss Discovered