You have probably been hearing more about the concept of cyber liability from your insurance broker. Your construction firm is not likely selling products or services over the Internet, so you may be wondering why you would need cyber liability insurance.
Consider some examples from high-profile companies. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million settlement for penalties under the HITECH Act for a breach of more than 1 million patient records after the theft of hard drives containing unencrypted health information.
In late 2010, MasterCard stopped processing donations made to WikiLeaks after the U.S. criticized the latter’s release of sensitive diplomatic cables. In response, advocates of WikiLeaks shut down MasterCard’s website for a day with a denial-of-service attack.
If it can happen to these companies, it can happen to you.
Definition of Cyber Liability
The term “cyber liability” encompasses an array of liability exposures that are not necessarily tied only to businesses selling products or services over the Internet. A bit of a misnomer, a cyber liability policy can cover a wide range of exposures, including failure to protect confidential corporate information or an individual’s identifiable information—even when the data was stored in paper files.
Some of these exposures include the following:
- Information security and privacy liability for failure to protect personal or corporate information (such as confidential architectural or engineering drawings) held on computer systems, smartphones, laptops, paper files or even the systems of entrusted third-party vendors
- Cost to notify individuals that personal information has been breached, as required by law
- Other costs associated with data breaches, such as public relations and investigative costs
- Loss of business income when a hacker prevents your customers from accessing your website
- Loss of business income when your service provider’s systems are affected by a hacker
- Personal injury (such as libel) that may result from the use of blogs on your website or other social media
- Liability for customers’ business interruption suffered because a hacker prevented their access to your website or systems
Limits of Traditional Policies
Traditional insurance policies were not designed to cover these types of exposures, so any cyber liability-like coverage found under your general liability, professional liability, crime or property policies or even a directors and officers liability policy will be either very limited or simply accidental. Some carriers might offer an endorsement to provide coverage for a specific component of your cyber liability exposure, but it is usually not as comprehensive as a separate policy.
Here are several reasons why your traditional insurance policies might not respond to a cyber liability claim:
- General liability policies do not respond to claims for damage to intangible property.
- General liability policies typically exclude claims arising out of blogs you own or host.
- Property policies provide loss of business income coverage only if there was direct physical damage caused to your property (not caused by hackers or rogue employees who shut down your website, your computer systems or the systems of a service provider you rely upon to conduct your business).
- Crime policies do not respond to claims for damage to intangible property (there is also typically a specific exclusion for loss of confidential information).
- Private company directors and officers liability policies typically exclude claims arising out of bodily injury (including emotional distress), property damage and specific types of personal injury.
- No traditional insurance policy currently provides coverage for the expense to notify individuals when their identifiable financial or medical information was breached while in your custody.
Privacy Breach Costs
Occasionally it is possible to find coverage for some cyber liability claims under traditional policies; some carriers have not yet added specific exclusions for these types of claims. However, carriers have generally been successful in relying on current policy definitions and exclusions to protect themselves.
The exception to this is privacy-breach notification costs, the most significant claims the insurance industry has seen so far. Lawsuits are being filed with allegations of negligence and invasion of privacy as well as claims of emotional distress. Damages for these lawsuits are still difficult to prove, but if established (and especially in the case of class-action lawsuits), financial damages add up quickly. Plaintiffs’ lawyers have been more successful seeking statutory damages, fines and penalties under acts like HIPAA, HITECH and the Stored Communications Act.
Generally, all of these privacy breach costs and claims have been uninsured under traditional policies. They would, however, be insured under a cyber liability policy, which provides an affirmative coverage grant for new and evolving exposures.
The Evolution
Cyber liability is an evolving insurance product. If you feel you might have one of the exposures described above, it is recommended that you explore the product. Talk it through with your insurance broker to make an informed decision.
One caveat: There is currently little consistency among policy forms, so a thorough analysis of coverages should be conducted. Further, since the policies cover such an array of exposures that may or may not be applicable, you should tailor the insurance policy to fit your needs.