About The Northwest Policyholder

A Miller Nash Graham & Dunn blog, created and edited by Seth H. Row, an insurance lawyer exclusively representing the interests of businesses and individuals in disputes with insurance companies in Oregon, Washington, and across the Northwest. Please see the disclaimer below.

Tuesday, March 17, 2015

Washington Policyholders, Check Your Cyber Policy as Data Breach Notification Law Moves Forward

Washington has moved a step closer to bringing its data-breach notification law in line with the laws of many states (including Oregon) that require notification in the majority of scenarios, closing what some viewed as loopholes in the law and mandating notification within 45 days, rather than the prior "as soon as possible" requirement. (Oregon law still lacks a specific presumptive deadline.) In particular, the new Washington bill removes the exemption for lost or stolen data that is "encrypted," in recognition of the fact that "encryption" can fail if the technology used was old or if the encryption key was also stolen. The Washington bill has passed the House, is set for hearings in the Senate later this week, and is expected to pass.

What does this mean from an insurance standpoint? Cyber insurance policies typically provide "first-party" coverage for the costs of data breach notification, but often contain very low sub-limits on that coverage. In a state like Washington with a weak data breach notification law, a business could in theory get away with a low sub-limit because only in a rare set of circumstances would broad-based notification be required. That will no longer be the case, and so those sub-limits, and any other restrictions placed on notification coverage, need to be re-examined. And of course, if your business lacks cyber coverage entirely, it is time to explore your options. The most recent data on the cost of data breaches indicates that the cost of notification is the fourth-biggest category of impact from a data breach (after lost reputation; lost time/productivity; cost of new technology). By comparison, the cost of regulatory fines and lawsuits was tenth in the ranking of impacts on businesses experiencing a breach. The conventional wisdom is that a business should expect to spend at least $188 per record on notification and similar first-party response-related costs. With the number of records routinely stored by businesses, particularly those in the online retail or cloud computing sector, it is easy to see why low sub-limits could be a huge problem if a breach occurs. So check your policies, and call your insurance advisers, to get ahead of these changes in the law in Washington.

P.S. Speaking of Washington, not 48 hours after news broke this week of a major data breach at Premera in Washington, a class action was filed. But the cause of action -- breach of contract -- may cause coverage problems. The liability portions of cyber policies often exclude breach of contract actions. One more reason to check those policies.

Update April 22: The bill has passed and is now awaiting signature by the Governor.

Wednesday, March 11, 2015

Cyber Coverage No Longer a Novelty But Many Concerns Remain

That is the message that I took away from last week's annual conference of the ABA's Insurance Coverage Litigation Committee in Tucson, Arizona. Gone was the "gee whiz" discussion of the technology and its risks, and most presenters avoided the scare tactics all too commonly used in the industry to drum up sales. (Not that there isn't reason to be scared - but the horror stories are so widely reported it hardly seems necessary to dwell on them at a conference of insurance coverage pros.)

One particularly useful panel took a deep dive into problematic policy language and the limitations of the products currently offered. This is critically important because although cyber coverage is no longer new, the language of the policies is not yet standardized. A few of the many things to look out for are:

- long "waiting periods" for business interruption coverage. Business interruption coverage is "time loss" cover in that the loss amount is calculated (generally speaking) as average sales per hour multiplied by the number of hours of downtime due to the covered event. However, some chunk of time (the "waiting period") is routinely excluded as a kind of deductible. Some cyber insurers default to a 24-hour waiting period (an eternity for many businesses and particularly online retailers), putting the burden on the policyholder to ask for a more reasonable period. According to the panel (and my own experience has shown this to be true), carriers will agree to 12 hours or less - sometimes 8 hours. If your business relies on closing sales around the clock, cutting down the waiting period could mean hundreds of thousands of dollars more in business interruption coverage.

- liability coverage limited to liability for the insured's own wrongful acts. Because so much electronic data is now routinely hosted, handled, or safeguarded in some manner by vendors, any kind of strict limitation with regard to who made the "oops" may result in no coverage, even though the insured may be held liable as the owner of the data. The panel discussed several recent data breach incidents in which the error that allowed confidential data to be stolen was committed by one entity, but liability was imposed on another entity (e.g., the Target hack, where intruders gained access through a "phishing" scam on Target's HVAC contractor). Companies need to pay careful attention to the language of their policies and candidly assess their risks associated with vendors and consultants, particularly in the retail and healthcare sectors.

- coverage for fines and penalties. The number of regulatory bodies (state and federal) that are being given authority to issue fines and penalties for data breach violations is growing at a fast clip. Some policies strictly exclude coverage for any kind of fine or penalty, while some do not. Policyholders should examine their current coverage and evaluate whether their current and future coverage needs are being met, depending on the regulatory environment in which they operate.

The upside of the fact that cyber coverage is still issued largely on a "manuscript" basis (that is, without relying on industry-wide forms) is that insurers are sometimes willing to negotiate on policy language even for relatively small accounts, and oftentimes mid-period if circumstances have changed. Careful attention to evolving risks from "cyber" events, combined with close examination of your policy language, can lead to productive conversations with your broker and carrier and needn't wait until renewal.

* Update: This morning Apple is experiencing a major outage in its iTunes store, among other services. Some are estimating that the six-hour outage has cost Apple $7 million - now that's a serious cyber-business interruption loss (if covered).