Cyber Liability Insurance Coverage — the Basics
Leading Insurance Law Firm in Miami, FL
In today’s technologically-driven world, cybersecurity has become an increasingly critical concern for businesses that store, manage, and distribute consumer data — sensitive and otherwise.
Over the past decade, a number of significant data breaches — including the infamous “Sony hack” and the “Equifax incident” — have disseminated the data of hundreds of millions of customers to the world, exposing said customers to both privacy violations and potential personal/financial risks.
Though companies are increasingly developing internal mechanisms to prevent large-scale breaches (and subsequent cyber liability), they are also taking steps to insure themselves against liability should another event occur.
Unfortunately — as is typical of insurance coverage — companies are finding that their policies may not be as comprehensive as they originally thought. In many cases, insurers are denying claims on the basis of complicated policy exceptions and ambiguous coverage language.
Here at Ver Ploeg & Marino, P.A., our team of attorneys works closely with policyholders who have submitted claims and were unfairly denied or who received a payout that is less than expected under their policy. We encourage you to contact our Miami insurance law firm directly to learn more about how we can assist your business.
Commercial General Liability (CGL) Policies and Cyber Liability
Most companies do not have specific cyber insurance policies and instead rely on patchwork CGL and E&O coverage. This can lead to several challenges, as insurers may deny claims due to certain coverage ambiguities built into the plan.
Personal and Advertising Injury Coverage
Many CGL policies include language that extends coverage to clients who are liable for damages linked to personal and advertising injures.
What does this mean?
“Personal and advertising” injuries are those arising out of the publication of material that violates an individual’s privacy. If you operate a private messaging website, for example, and the information in those private chats are leaked during a cyber attack, then that would very likely qualify as a “personal and advertising” injury.
Notably, however, CGL insurers frequently deny cyber claims on the basis that there was no actual publication of the private data. In other words, they argue that: a) the data was not widely disclosed and therefore was not actually “published,” or b) that the coverage does not extend to the policyholder’s failure to protect the information from being published.
As the case law is not settled, there is room for effective, persuasive argument should the insurer choose to deny the claim on these bases.
Confidential Data Exception
Generally speaking, most CGL policies include ban exception that precludes coverage for personal and advertising-related injuries arising out of access to or disclosure of confidential information. “Confidential” information, in this case, may refer to sensitive personal data (i.e., credit card information, health information, etc.) or sensitive business information (i.e., intellectual property information, such as a recipe).
As insurers may aggressively attempt to deny the claim, where possible, they have a tendency to label information as “nonpublic” and “confidential” when in fact it was available to the public already. For example, if a customer’s client list was already leaked online prior to your data breach, then the data breach could not be considered a leak of nonpublic information — you might, therefore, be entitled to coverage under the CGL policy.
Coverage Under a Highly-Specific Cyber Insurance Policy
Due to issues with the patchwork nature of CGL and E&O policies (for the purpose of covering cyber liability claims), many insurers have been offering highly-specific cyber insurance coverage as an alternative. These policies tend to be more aligned with the realities of a data breach, as they cover the loss of data that has not necessarily been publicly disseminated following such loss.
Cyber insurance policies can be quite diverse in the way that they are constructed, but as a general rule, they tend to cover two types of risk: private (confidential information) and operational.
Privacy risks are linked to customer data. If the customer’s credit card information is leaked as a result of a data breach, for example, then that would quite clearly constitute a violation of privacy. Should the customer(s) sue the policyholder for negligence related to the data breach, then the policyholder would likely be entitled to coverage under their cyber insurance plan.
By contrast, operational risks are linked to the business itself and whether it can continue to operate in the wake of a breach. For example, if hackers shut down a media streaming company’s servers, then they cannot serve their customers until the servers are “back up” and operational. The losses associated with the interruption in business operations would ostensibly be covered by a cyber insurance plan (that accounts for operational risks as a result of breach).
Contact VPM Law for Assistance with Cyber Insurance Litigation
If you’re planning on submitting a cyber liability claim — first-party or third-party — or alternatively, if you’ve already submitted a claim for benefits that was denied or underpaid, then the team here at VPM Law can help. We routinely assist clients in challenging the adverse decisions of insurers and work tirelessly to secure the benefits they are rightfully entitled to under their policy.
VPM Law is a Miami insurance law firm with a deep bench of litigators, including those who have extensive experience handling cybersecurity-related disputes. We understand the unique challenges facing policyholders who are dealing with a major data breach — both from a business perspective and a legal perspective.
If you’d like to connect to an experienced attorney at our Miami insurance law firm, contact us to request a consultation.
Share
