This is the second in my series of occasional posts covering the basics of cyber insurance. You can find the first one here. This time I’ll talk about breach event cost coverage.
Of the four coverages available in a “plain vanilla” cyber policy (see graphic below) this is the one that people often think of first when they think about cyber insurance.
Unlike the other coverages in a basic cyber policy, breach event cost coverage is first party coverage: it pays the company's own costs to investigate and respond to a data privacy or security breach. Those costs typically fall into six categories.
Legal Costs
When a company has a breach it is essential to get legal advice about its obligations under applicable federal, state, local and, increasingly, foreign laws. Privacy counsel will often spearhead a company's response to a breach and is sometimes referred to as the "breach coach". Ideally, the breach coach is someone the company has already worked with to formulate its incident response plan.
A lot of law firms will say that they are experts in privacy law and breach response. Cyber insurers view such claims skeptically. They are unlikely to agree to a firm that doesn't have a track record with data and system security breaches, because of unfortunate past experience with firms that made strategic (and sometimes even legal) mistakes owing to their relative lack of expertise. I strongly recommend that companies vet their firms with insurers before any breach happens. A company needs to be able to move quickly when a breach happens, and it doesn't have the luxury of waiting for the insurer's approval of its chosen legal counsel.
Forensic Costs
When a company discovers a breach it needs to retain outside vendors to determine what happened and what information was exposed. Forensic investigators will examine the company's systems and data and issue a detailed report on what happened. That report drives the next steps: what the company must do to contain and remediate the breach, and whom it must notify.
Forensic cost coverage does not include costs incurred to determine how to prevent future breaches. Companies that have had a breach will naturally try to determine what steps they need to take to prevent a recurrence. Sometimes the answer will be obvious once the company understands what happened. It isn't unusual, though, for additional forensic work to be needed to figure out how to harden systems, and the cost of that work won't be covered under a typical cyber policy. It helps to scope the forensic engagement with that line in mind, so that the investigation of the incident itself is separated from any follow-on hardening assessment and the covered portion is clearly identifiable.
Notification Costs
47 states in the US require companies to notify affected individuals of a data breach. Companies may also be required to notify regulators and law enforcement. For a healthcare data breach, HIPAA requires notice to be given to affected individuals and to the Office for Civil Rights (OCR) of the federal Department of Health and Human Services, and, for larger breaches (more than 500 affected individuals), to the media as well. Notification laws are less common outside the US, but their number is growing, as the EU General Data Protection Regulation, with its 72-hour deadline for notifying the supervisory authority, demonstrates. Even where notification isn't required, regulators around the world often encourage companies to voluntarily notify individuals affected by a breach.
Notification cost coverage covers the cost of giving such notices. A good cyber policy will also cover voluntary notices that aren't legally required.
Most cyber policies pay notification costs out of the policy's overall aggregate limit of liability, or out of a sublimit where one applies. Some policies cover notification costs outside the policy limit, but that coverage is capped at a specified number of notified individuals rather than a dollar amount, so check that the cap is realistic for the size of the company's data holdings.
Call Center Costs
When a significant breach occurs it is often advisable to set up a call center to answer questions from affected individuals. Call centers typically are run by third party vendors with experience in that area. Breach event cost coverage will cover call center costs.
Credit and Identity Monitoring
When personally identifiable information (PII), payment card data (the cardholder data governed by the PCI standards), or protected health information (PHI) is breached, it is common to offer affected individuals credit monitoring and, sometimes, identity monitoring services. These services are also provided by third party vendors, and their cost is covered by cyber policies.
Crisis Management Costs
Think of crisis management costs as public relations expenses incurred to avoid damage (or further damage) to a company's reputation as a result of a breach. PR vendors will help the company manage its communications with the public and the media. Crisis management costs do not include the economic loss resulting from a damaged reputation, nor the cost of rehabilitating a damaged reputation after the fact.
As you would expect, insurers take different approaches to providing breach event cost coverage. Some insist that companies select breach response vendors from an approved panel. The vendors on these panels typically are excellent, so this may not be as big a hardship as you might think. Other insurers allow companies to choose any vendor they like, subject to the insurer's consent. Insurers will not hesitate to withhold consent if they don't believe the vendor has sufficient experience, or if the vendor's rates are unusually high.
The key to ensuring that breach event cost coverage works well is to plan ahead. Companies should build relationships with key providers such as privacy counsel well before a breach takes place. If they do that, and if they involve their insurers in the process, it is very likely that a cyber policy can be structured to allow the company to manage a breach event according to its preferences.
One last thought: Some companies may still think their other policies (errors and omissions, general liability, directors and officers liability, crime, etc.) will cover breach event costs. As I've discussed in earlier posts, don't count on it. No other type of policy is designed to cover the breach event costs described above. (Ok, there was one case in 2012 that covered breach costs under a crime policy, but I would not count on that being repeated.) While other policies might conceivably cover liabilities arising from a breach, none of them will cover these first party costs. If a company wants insurance coverage for breach event costs, a cyber policy is the only sure way to go.