By Roland Hung | Canadian tech law blog
A question that I often get from clients is one about cyber-insurance. In light of the recent passing of Bill S-4, better known as the Digital Privacy Act, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) has now been amended to include mandatory breach notification provisions. While these mandatory breach notification provisions are not yet in force, it is a good time to review your cyber-insurance coverage.
As data breach incidents continue to rise, and legislative regimes regulate data breaches more and more stringently, including through the proliferation of mandatory breach notification provisions, the expense associated with data breaches also rises. Estimated costs of dealing with a data breach, even one that amounts only to a potential or attempted breach, have been as high as $600 000. Costs can be incurred as a result of forensic and investigative activities, assessment and audit services, crisis team management, and the necessary internal and external communications. As these incidents increase in number, scope, and impact, organizations are looking to transfer the risk associated with information security breaches.
The most common way of transferring risk is by obtaining insurance policies: if the risk is insurable, the risk is transferable. Cyber and privacy insurance has been available on the market for the last decade, covering organizations’ liability for a data breach in which the organization’s or customers’ information is lost or stolen. Marsh Inc., a global insurance broker, said that the number of organizations that purchased cyber insurance in the US increased by 33% from 2011 to 2012, and that cyber insurance is currently the fastest growing area of commercial insurance in the world. Policies vary: cyber insurance may be offered as an add-on to, or included in, more general policies, or sold as a distinct product. Marsh Inc. also noted that the slower growth of cyber insurance in Canada compared to the US is likely due to the higher number of mandatory breach reporting regimes in the US.
An important preliminary note on cyber insurance is that it is often confused with technology errors and omissions insurance (commonly called “Tech E&O” insurance). Tech E&O insurance protects providers of technology services or products, such as software designers and manufacturers, whereas cyber insurance protects consumers of those products and services.
Generally, cyber insurance is divided into first party coverage protecting the policyholder, and third party coverage protecting from third party claims against the policyholder. First party policies may cover:
(a) The costs associated with determining the scope of the breach and taking steps to stop the breach;
(b) The costs of providing notice to individuals whose identifying information was compromised;
(c) Public relations services to counteract the negative publicity that can be associated with a data breach investigation;
(d) The costs of responding to government investigations;
(e) The costs of replacing damaged hardware or software;
(f) The costs of responding to parties vandalizing the company’s electronic data; and
(g) Business interruption costs.
Third party policies may cover:
(a) Liability for permitting access to identifying information of customers;
(b) Transmitting a computer virus or malware to a third-party customer or business partner;
(c) Failing to notify a third party of their rights under the relevant regulations in the event of a security breach; and
(d) Potential “advertising injury,” i.e., harms through the use of electronic media, such as unauthorized use or infringement of copyrighted material, as well as libel, slander, and defamation claims.
Cyber insurance can also cover specifically the crisis stage of a data breach. This could include any expenses related to the management of the incident, such as investigation, remedial steps, required notifications, call centre and public relations management, credit checks for the individuals whose data was affected, and any legal costs, including fines or the costs of defending or bringing a lawsuit.
Limitations of Coverage: Relevant Considerations
It is important to determine the extent to which your organization’s cyber insurance policy will protect against liability for breaches. Because all insurance coverage depends on the particular terms and conditions of the policy at issue, organizations looking to obtain cyber insurance should consider a number of questions, including those detailed below. In general, organizations should ensure that their response plan for a potential or actual breach is consistent with their insurance policy, since steps taken outside the policy’s terms (for example, engaging forensic or legal counsel without the insurer’s consent where the policy requires it) may not be reimbursed.