Posted: 10.04.2011
You have likely read in the media about computer security breaches that wreaked havoc on businesses, schools, banks, and non-profit organizations. Sensitive, personal and proprietary information is embedded in computers and electronic storage sites in every industry. When breaches in security occur, whether caused by intentional acts like hacking, or simply by carelessness, the entity whose system was breached can incur potentially huge costs in the form of direct, out-of-pocket expenses and claims by injured third parties.
Different kinds of liability exposures exist. One type is technology liability. This pertains to companies and organizations in the business of providing hardware, software, and technology services. While technology liability is important to these kinds of businesses, cyber risks exist for all businesses and organizations that possess private, proprietary and personal information in their electronic storage systems.
Let's begin with the term "cyber liability." Essentially, it is the liability exposure an entity has to third parties for causing or allowing unauthorized access to personal information. That information can be as varied as credit card or Social Security numbers, health information protected by HIPAA, intellectual property and trade secrets. The unauthorized access could be the result of negligence (e.g., leaving a company laptop open to third-party access), hacking, or viruses and inadequate firewalls that allow data theft. These breaches could result in the disclosure of confidential information and could also lead to identity theft.
It is important to remember that a Commercial General Liability (CGL) Policy affords no protection for these exposures. CGL policies require a coverage trigger of bodily injury, property damage, or personal injury. None are considered to be present in cyber liability claims. In the case of such claims, a third party has sustained economic damages - be they actual or potential - as a result of the compromise in electronic data storage.
There are insurance policies which afford cyber liability coverage; they are known as "Privacy Protection", "Data Privacy", and "Security Liability", among others. Each insurance carrier has its own term. The policies can include all or some of the following coverage grants, depending on the client's needs:
- Network Security: claims arising from a computer attack on the insured's network
- Identity Theft: claims arising from the theft of personal information of employees or customers
- Web Content Liability: claims arising out of the display of materials on websites
- Regulatory Defense Costs
For all of the above, the coverage extends to damages and defense costs.
Additionally, cyber liability policies can cover "First Party" losses (direct losses by the Insured). Examples of First Party costs are:
- Business Interruption
- Notification Costs
- Credit Monitoring Costs
- Extra Expense Costs associated with computer forensics to determine how the security breach occurred
- Remediation Costs
- Crisis Management costs: Public Relations assistance
- Cyber Extortion
- Cyber Terrorism
The exponential growth in technology and the multifarious attendant risks in possessing the confidential and/or personal information of others require all organizations to consider purchasing a cyber liability policy. Many leading carriers sell this product and we stand ready to assist you.
John D. Bouchard, ESQ.
Brown & Brown, Inc.
