This blog presents Metropolitan Engineering Consulting & Forensics (MEC&F) claim management and claim investigation analyses of some of the typical claims we handle
Tuesday, February 17, 2015
Developments in Data Breach Liability Coverage and Reputational Insurance
With major data breaches again making news, it is important for corporate policyholders to keep abreast of insurance developments in this emerging and fast-moving area. In this update, we provide some thoughts on cyber liability and reputational insurance trends to watch in the months ahead. We recommend that our clients with cyber exposure keep these issues in mind both in connection with their internal risk management programs and in renewal discussions with their brokers and insurers.
Continuing Developments in Data Breach Liability Coverage
Cyber and data breach liability coverage will continue to be an important topic for policyholders and insurers in 2015, especially in the aftermath of high-profile data breaches such as the recent attacks on large enterprises (e.g., Anthem and Sony), and more generally with the continuing increase in the number of reported data breaches. Recognizing the potentially significant exposures presented by data breaches, insurers are seeking to eliminate such breaches from CGL coverage entirely, and move liability coverage for data breaches to separately purchased endorsements or stand-alone cyber policies. Significantly, in May 2014 the Insurance Services Office (ISO) added a data breach exclusion to its standard CGL form. This exclusion purports to exclude from coverage injury and losses resulting from data breaches, including the costs associated with addressing the breach (such as forensic expenses and notification or credit monitoring costs). As policyholders continue to experience data breaches, the scope, meaning, and effectiveness of the new exclusion will no doubt be litigated, and it remains to be seen how courts will interpret the exclusion. In the meantime, however, businesses with potential data breach exposures should carefully review their liability insurance programs (as well as their property insurance programs) to determine whether they are adequately covered in the event of a data breach.
Potential D&O Insurance Implications From Data Breaches
Another cyber-related insurance development that bears watching concerns shareholder plaintiffs’ attempts to bring derivative litigation against policyholders’ board members and executives as a result of data breaches. The viability of such claims is currently being addressed by the courts: a derivative suit against Wyndham executives was recently dismissed, while derivative suits arising out of Target’s highly publicized data breach remain pending. Such lawsuits have clear implications for corporate D&O coverage, and many D&O policies do not contain data breach exclusions. Coverage issues arising from such lawsuits may well be a developing trend over the coming year.
Reputational Insurance in the Spotlight
Of course, data breaches are not the only technology-related threat against which companies seek insurance protection. Another area to watch involves various forms of reputational injury—the fall-out from bad news (true or alleged) about a company or its representatives that now travels with lightning speed over the internet and through social media. Policies have been available for some time that cover the fallout from bad press about a company’s own operations. Now, another wrinkle has been added: companies may now purchase insurance against the results of negative publicity that target their celebrity endorsers. The coverage is generally triggered by “significant news media coverage” of an endorser’s criminal or otherwise unsavory conduct. Such coverage is quite broad once it is triggered, and it covers product recall costs as well as the removal and destruction of packaging and marketing materials. With news—or celebrity gossip—traveling quickly these days, it will be interesting to see whether there is demand for this new product, how coverage issues that arise are addressed, and whether other, similar insurance products focused on reputational risk will emerge.
Conclusion
As we have noted, cyber liability and reputational insurance are developing areas of insurance coverage that involve novel exposures in an ever-evolving technological environment.