Hacker Liability: How at Risk is Your Company?

From MasterCard and Twitter to TJMaxx and Sony, companies of all sizes are under attack from hackers. The threat of these attacks has escalated to such a degree that many cybersecurity professionals will admit it is almost impossible to prevent them 100% of the time.

According to Verizon’s 2011 Data Breach Investigations Report, small to medium-sized businesses have become hackers’ main targets. Organized crime views such companies as high-reward, low-risk targets, and with automated means for stealing data, attackers can take as much data from them as (or more than) they would from larger organizations.

These attacks are often costly and can cause significant financial stress for small and medium companies. In Symantec’s 2010 SMB Information Protection Survey, companies reported that the average annual cost of cyber attacks for small and medium organizations was $188,242.

As a result, companies of all sizes need to realize there is a significant likelihood that their networks, Web sites and databases will get hacked. There is no such thing as perfect security, and many now believe that a breach is a matter of when, not if, and of how bad it will be.

What liabilities would your company face if it was hacked? What costs would the organization have to incur to provide notice and credit monitoring to thousands or millions of potential victims?

It is critical for every type of business - from sole proprietor to multinational corporation - to fully understand and appreciate the types of expenses and liabilities it may face if its computer networks are breached. Getting hacked is doubly damning - there is the actual initial damage caused by the hacker, the cost to provide notice and credit monitoring if personal information is involved, as well as the secondary liability costs and defense expenses associated with actions by vendors, credit card payment processors, customers and regulators. There’s also the cost of cleanup.

Cyber liability coverage is a relatively new area of the insurance industry - and it is one that many companies should examine closely. Major companies like Chartis, ACE, Beazley and Hiscox have been in the market for some time and have focused on large companies. Other cyber insurance providers include Arch Insurance Group, Digital Risk Resources, Navigators and Travelers. Most of the companies in the market are now offering cyber insurance coverage tailored to small and medium companies.

The specifics of the coverage are addressed below, but first, here are two things to remember:

Most carriers take the position that neither commercial general liability policies nor traditional property policies cover security or privacy breaches.

Unless a cyber insurance endorsement was purchased, most carriers will not provide coverage under a commercial general liability policy for breach notice costs (attorney fees, forensic expenses, mailings, call center, credit monitoring) or professional or cyber liability coverage (coverage for liability due to an act, error or omission of a professional service provider like a Web hosting provider). In fact, several cases have found that commercial general liability policies and property policies do not cover certain data security and privacy risks. Of course, there may be arguments in favor of coverage under certain commercial general liability policies or property policies, but it may not be clear cut and it may require expensive litigation to obtain that coverage. It is also possible that these policies have endorsements providing more than the traditional coverage (and ultimately the specific wording is what will matter).

Insure your own company directly.

Unless your company has its own cyber insurance coverage, you will have to make the difficult argument (in the case of a hack) that it should be the beneficiary of insurance purchased by a service provider, such as the Web host provider. This argument will be extremely difficult, costly and time consuming to win in court - and chances of victory are not guaranteed.

It is becoming increasingly clear that most companies need some type of cyber liability coverage. But what type should you get? What liabilities do you need to be covered for? Here is a brief overview of the types of coverage a cyber insurance policy may include:

1. Breach Notice Costs. Coverage now exists for direct costs incurred by an insured to provide notice to individuals in the event of a security breach, as well as expenses to set up a call center and provide credit monitoring services. These costs involve a multiplier effect. For example, credit monitoring can cost anywhere from $10 to $200 per year, per person impacted by a breach. If one million individuals are at issue, costs could run in the millions of dollars. These costs also include attorney fees and forensic investigation expenses to determine the cause of a breach and whether notice is required under law.

2. Damages and Defense Costs. Provides coverage for information security and privacy breaches and technology professional liability. This element of the insurance plan is specifically designed to provide coverage for damages and defense costs arising out of lawsuits or claims resulting from a data security breach or an act, error or omission in the rendering of professional technology services (like data storage services). Some cyber policies will also protect your business against the cost of regulatory investigations or actions due to a security or privacy breach.

3. Service Provider Breach. With more companies outsourcing their data processing to third parties or the “cloud,” it is important that a cyber policy provides coverage if the security breach happens to one of the insured’s service providers. That will protect your company against many types of expenses. However, these policies are unlikely to provide any coverage for the personnel hours expended internally to address the breach.

4. Crisis Management, Business Interruption and Data Restoration. This insurance can also help cover the costs for getting the network back up and running and restoring lost data. Public relations services may also be included to help restore the company’s reputation.

5. Denial-of-Service Attack. If your company or a service provider, such as a web host, is shut down by a denial-of-service attack or other type of hack, some insurance policies will cover lost income and the costs of repairing the network.

6. Cyber Extortion. In a case where a hacker decides to hijack your website, network or database, and demands money to restore it, a cyber extortion clause in an insurance policy can help to cover the settlement and the cost of hiring a security firm to track down the hacker.

Today’s modern and technology-driven business environment provides the potential for enormous opportunities – as well as significant risks. Just as companies have long bought insurance to cover fire or flood loss related to their buildings, organizations now should also consider insuring their most valuable asset: their data.

David Navetta, partner at InfoLawGroup LLP, is a 14-year legal veteran whose current practice focuses on cyber liability insurance, privacy and data security, PCI compliance and breach response. He is a Certified Information Privacy Professional (CIPP) and has drafted some of the top cyber insurance policies being sold today.