With the frequency of high-profile network attacks increasing, in-house general counsel and their risk management counterparts are spending more time than ever before on cyber security and on crisis management planning for potential failures of that security. With good reason.
I remember having to change my password on LinkedIn in 2012 because hackers had stolen the passwords of nearly 6.5 million users. Hackers have targeted financial institutions worldwide, stealing millions and millions of dollars. In 2013, 50 million customers of LivingSocial were affected by a cyber-intrusion. The hack of Target that became public during the holiday shopping season of 2013 is known by virtually everyone and drove customers away during the most lucrative time of year for retailers. And, just a few weeks ago, personal and racy photos of celebrities were stolen by hackers accessing their accounts on Apple’s iCloud.
Last week Home Depot acknowledged a hack of its data, possibly reaching back to April of 2014, that affects customers who used credit and debit cards at nearly 2,200 of its U.S. and Canadian stores.
“[T]hese threats target the core of global business, posing risks to customers, suppliers, trade secrets and the delivery of critical services.” (Cybersecurity: How CEOs Are Planning to Fight Back, Liz Gasster, CNBC.com, Feb. 26, 2013 (http://www.cnbc.com/id/100492122).) The threat is not limited to large retailers and online social sites. Any company that collects information from customers or employees is at risk. Mid-market and small businesses face comparable risk: because of the expense of keeping up with the pace and complexity of network security, their security may be less sophisticated, making them easier targets.
Cyber Crime is costly to business.
Responding to cyber-attacks results in actual costs for:
- Giving notice to customers, whether triggered by law or otherwise;
- Investigating the cause of and fixing the breach;
- Defending lawsuits from customers; and
- Defending investigations and lawsuits by the Federal Trade Commission and other government agencies.
Different sources report a wide range in the financial cost to business for losses associated with cyber-crime, but most agree it is in the millions.
- According to the 2013 Ponemon Institute report on Cyber Crime in the United States, the “average annualized cost of cybercrime for [the] 60 organizations in our study is $11.6 million per year, with a range of $1.3 million to $58 million.” (Ponemon Institute© Research Report, “2013 Cost of Cyber Crime Study: United States,” Oct. 2013 (Sponsored by HP Enterprise Security and independently conducted by Ponemon Institute LLC).)
- According to PricewaterhouseCoopers’ 2014 Global Economic Crime Survey, released in February 2014 and measuring damages from 2011-2013, seven percent of U.S. organizations lost $1 million or more, and 19 percent of U.S. organizations lost between $50,000 and $1 million. (http://www.cnbc.com/id/101429224)
- According to Techinsurance.com, the average court cost for disputes over technology transactions is $475,000 and the “annual out-of-pocket cost of lawsuits for small businesses” is $35 billion. (http://www.techinsurance.com/resources/)
I think it has best been said by Carl A. Salisbury: “When corporations face these kinds of costs and liabilities, in-house counsel should be asking themselves and their staff two questions, in this order and in rapid succession: (1) how do we fix the breach and protect ourselves and our customers against further harm; and (2) can the company’s insurance coverage defray the costs?” (http://bit.ly/1xUH49r)
Traditional business insurance policies offer coverage for property damage, and for other types of “Personal and Advertising” liabilities that arise from defamation, libel, slander, invasions of privacy, and copyright infringement. However, court decisions have eroded the breadth and applicability of these coverages to cyber security failures. Instead, new cyber policies have come on the market professing to shift the risks of cyber-attacks. These are new products and, as a result, are still being tweaked. They are also, if historic industry patterns repeat, at their broadest level of coverage right now.
Cyber policies are available and offer coverage for:
- Costs associated with responding to a cyber-attack, including crisis management and public relations.
- Costs to respond to regulatory and law enforcement agencies.
- Losses associated with internet, networks and information assets.
- First- and third-party e-business risks and claims of damages.
- Losses from virus transmission.
- Broader coverage for claims traditionally falling under CGL Personal and Advertising coverage (i.e., privacy and intellectual property claims).
What can be done about the failure of network and cyber security?
When a failure in security occurs and in-house counsel and risk managers have to answer the question, “Can the company’s insurance coverage defray the costs?” then working with experienced and knowledgeable policyholder attorneys can help to effectively position a claim. Coverage attorneys consider these questions and more:
- Is there coverage for defense costs and payment of damages under a Cyber Policy?
- Is there coverage under a Commercial General Liability Policy? To what extent?
- Is there coverage under an Errors and Omissions Policy? To what extent?
- Can a claim be made as an additional insured?
- How will the “other insurance” clause affect the claim?
- Can defense costs be obtained?
Working with coverage counsel to analyze these questions could save your business thousands and, according to the many reports, even millions of dollars.