Date: Sep 02, 2011
If your company collects credit cards, financial data or other personal information from consumers online, make sure you review your insurance portfolio to ensure your company is covered in the event of a "cyber attack." While virtually all companies have third-party comprehensive general liability and first-party property insurance in place, these policies are unlikely to cover cyber attacks unless the company paid additional premiums to lock such coverage in place. Other companies have purchased separate cyber insurance policies.
In the recent past, a typical property insurance policy would often compensate a company to the extent its financial or business records were destroyed, and this coverage would also extend to cover loss of some online financial data. However, that was before cyber attack claims against insurers reached into the billions of dollars. Now, like other behemoth claims, cyber attacks and their resulting damage to your company, including through class action lawsuits from affected individuals whose personal data was compromised, are typically excluded from your company's general liability policies. Thus, the scope of coverage for various losses due to cyber attacks should be carefully reviewed. Even where coverage exists, you should anticipate potential disputes with your insurer.
For example, in a coverage case brought by Zurich Insurance against Sony on July 20, 2011 in New York State Court, Zurich takes the position that cyber attacks and data breaches are not covered under the company's comprehensive general liability policy. This is because, Zurich contends, the personal and advertising injury liability coverage is meant only to cover bodily injury and property damage, not financial or other types of damage. Data breaches within the Sony computer network are estimated to affect over 100 million individuals, and could have resulted in over 12 million credit cards being exposed. This alone has resulted in over 50 putative class-action lawsuits against Sony.
The significant increase in privacy and security lawsuits illustrates the need to adopt strategic defensive approaches to the issue by managing the information you collect carefully, adopting security procedures appropriate for the sensitivity of the data you collect, and deleting and de-identifying outdated data. A careful review of your insurance coverage is another essential part of this strategy in a world where threats of cyber attacks are likely to grow.
For more information on privacy and data security enforcement and e-commerce, contact Sheila A. Millar at 202-434-4143 or via e-mail at firstname.lastname@example.org, or Tracy P. Marshall at 202-434-4234 or via e-mail at email@example.com. For more information on insurance coverage questions, contact Art S. Garrett at 202-434-4248 or via e-mail at firstname.lastname@example.org.