• FAQ: Purchasing a Cyber Liability Insurance Policy
  • April 18, 2016 | Author: Richard D. Milone
  • Law Firm: Jones Day - Washington Office
  • There is a saying making its way through the insurance marketplace that there are two types of companies—those that already have purchased a cyber liability policy, and those that will soon wish they had.

    This is probably more true with respect to companies in the world of digital health than in practically any other industry. The potential costs associated with a data security breach are well known, and they have potential to spiral out of control. These costs include liability for actual damages caused to customers and other parties; forensic and investigative expenses; notification costs; credit monitoring and similar preventative costs provided to potentially affected parties; fines and penalties assessed by state and federal enforcement authorities; and fees for lawyers and for technical, public relations, and other professionals—the list of potential costs flowing from a breach event continues almost without end.

    In addition to these direct financial costs, health care companies that fall victim to a breach may suffer harm to their reputation and goodwill. These risks are enhanced in the digital health field because not only are companies entrusted with customers' credit cards, Social Security numbers, and other information exposing individuals to identity theft and similar financial crimes, but also customers' most private and sensitive health-related information is put at risk as well.

    In light of the high costs associated with a data breach and the practical inevitability that most companies will be victimized by cyber criminals at some point, an increasing number of companies are purchasing cyber liability policies. These policies—which vary widely in terms of what exactly they cover—bill themselves as protection against both first-party costs (i.e., costs of investigating and fixing the problem, and lost revenue), and third-party costs (i.e., liability to customers and other third parties, and to government entities). Currently, approximately one-third of U.S. companies have purchased cyber policies, and the number is increasing at a steady pace. There are approximately a dozen major property and casualty insurers in the United States and London markets competing for market share, and therefore pricing is reasonable and conditions are generally favorable for policyholders in the marketplace. Those conditions are likely to change as more companies purchase policies, and as insurers begin booking large claim payments. Therefore, now is a good time for those companies that have not yet purchased cyber policies to consider doing so.

    There are two structures emerging for companies looking to purchase cyber policies. Small to mid-sized companies will typically be offered stand-alone policies with limits anywhere from $1 million to $20 million, and they are likely to find relatively customer-friendly underwriting on the part of insurers who are anxious to compete for their business. Larger companies, on the other hand, will likely need to craft layered programs resembling their directors and officers ("D&O") and general liability towers (i.e., several excess policies stacked above a primary policy), providing upwards of $100 million in limits.

    The current trend is for underwriters to delve deeply into a company's security measures and cyber preparedness as part of the application process. Obviously, companies should present themselves in the best light that they can in connection with this process, and indeed it may be worthwhile to update security policies and implement appropriate procedures in conjunction with the application process. Companies that present more favorable risk profiles can often obtain better terms and pricing on cyber policies.

    When preparing applications, companies should bear in mind that the application is not a privileged document and may be discoverable in a lawsuit or investigation following a breach, and therefore it should be prepared with that possibility in mind. It is critical, however, to make absolutely sure that all statements on the application are truthful and complete. Insurers might not investigate the information particularly closely during the sales process, but after a claim is made, they frequently take a much closer look and may seek to rescind the policy if they believe that an argument can be made that there was fraud or misleading conduct in the application process. The risk for policyholders is heightened by new terms that are starting to appear in some cyber policies requiring companies to warrant their security protocols or excluding coverage when companies depart from those protocols.

    As a case in point, a coverage dispute involving a health care company was briefly in the public eye during 2015, and it illustrates two arguments that potentially can be asserted by insurers to deny coverage. Cottage Health Systems paid $4.1 million to settle a class action lawsuit alleging that patients' medical records were compromised as a result of a data breach. Its insurer, Continental Casualty Company, initially funded the settlement but then filed a declaratory judgment action against Cottage Health, seeking a ruling that the matter was not covered and seeking return of the settlement funds. Columbia Casualty Company vs. Cottage Health System, USDC Case No. 2:15-cv-03432 (C.D. Cal.) (filed May 7, 2015).

    Columbia Casualty argued that Cottage Health failed to comply with Minimum Required Practices as required by the insurance policy, because it stored patients' medical records on an unsecure server, without encryption or other security measures. In addition, Columbia Casualty asserted that Cottage Health answered questions inaccurately on the insurance application concerning the measures it had taken to protect its patients' data.

    Shortly after the suit was filed, Cottage Health moved to dismiss the case in favor of arbitration on the grounds that Columbia Casualty had filed the suit in violation of a mandatory arbitration provision, and shortly afterward, the suit was referred to arbitration. The dispute will therefore be decided in a confidential proceeding but offers a brief glimpse into the coverage issues that may be asserted under cyber policies.

    When purchasing a cyber policy, the analysis needs to go beyond the basic economic terms such as price, retention (i.e., deductible), and limits of coverage, and must focus on the wording of the contract itself. Companies should ask their broker to obtain quotes from multiple companies and should carefully compare the terms of the policies to determine exactly what they are purchasing. Unfortunately, this task is made more difficult by the current state of the cyber insurance market. Cyber policies are extremely complex; standard forms have not yet emerged, and the forms currently on the market vary widely in terms of scope of coverage. It may be prudent, therefore, to seek help from insurance coverage attorneys with experience pursuing cyber claims to help identify problematic features of the policy and to recommend improvements to the wording. Due to most insurers' willingness to negotiate and manuscript changes to their forms, a few hours of review and negotiation can make a world of difference in the value of the policy obtained.

    Cyber policies frequently contain alternative dispute resolution clauses requiring coverage disputes to be submitted to binding, confidential arbitration, rather than litigation in federal or state courts. A byproduct of confidential arbitration is a lack of published court decisions interpreting cyber insurance policies. This makes it all the more important to consult with coverage counsel experienced in cyber and data breach claims, who can explain how insurers interpret cyber policies, what arguments they are likely to make, and which provisions matter most in the event of a breach.

    Once a policy has been purchased, if a claim arises, it is important to give prompt notice, and to comply with other requirements in the policy. Seeking prompt approval of attorneys and other vendors is helpful to making sure that their fees will be reimbursed, and compliance with consent and cooperation provisions in the policies increase the likelihood of favorable claims treatment.

    Before long, cyber policies will be as standard for businesses as general liability or D&O insurance. In the meantime, any company handling large quantities of confidential health data and other sensitive personal information would be well served to be ahead of the curve and have this important protection in place.