Despite the events of 2020 further thrusting the world into a digital economy, few businesses have prepared for the risks associated with this digital setting. Whole businesses pivoted to a virtual environment filled with email and video-conferenced meetings. Often, a business’s data, invoicing, schedules, payroll, employee files, and payments are hosted in the cloud. However, surprisingly few businesses have prepared for service interruptions, whether accidental or intentional.
Many businesses, including law firms, do not have insurance coverage to respond to a cyber breach, loss, or interruption. Many business owners mistakenly think that cyber insurance is only necessary for large companies that deal with sensitive client information or that their standard business property insurance addresses cyber exposures. Business lawyers can proactively encourage their clients to institute key risk management controls and avoid delivering the bad news that comes from reading insurance policies for the first time after a loss. The potential for a data breach is no longer a question of if – it is only a question of when.
This article identifies common gaps in clients’ insurance coverage and outlines a proactive solution any attorney would be wise to recommend and implement. Cyber insurance is not one size fits all; rather there are different risks for different businesses based on how they use technology. This article highlights the importance of explaining potential risks to clients so they can correctly assess their exposure and their need for cyber coverage.
Different Exposures Created by New Technologies
Scenario 1: Ransomware Attack. An employee unwittingly clicks a link downloading a virus or malware into the company’s server, which immediately or over time exposes the employee’s or company’s data or causes the loss of data, or the entire system is held hostage.
Lora L. LoCoco, Marquette 2011, practices with Rose & deJong SC, Milwaukee. Her practice focuses on complex commercial litigation in various areas, including commercial contract disputes, mergers and acquisitions and shareholder disputes, contested insurance coverage, and intellectual property litigation.
David Princeton, CPCU, AMIM, AIC, CSRP, is the principal consultant of AdvocateClaimService.com, an expert witness, and contributing author of Be Intentional: Culture. He attends Marquette University Law School and previously served as a director of corporate risk and as a lead claim specialist.
Scenario 2: Spearphishing. An incoming email to an employee appears to be a request from a top-level executive to wire $25,000 to close a deal, but the sender is actually a cybercriminal looking to abscond with the funds from the fraudulently created beneficiary bank account.
Scenario 3: Hardware Failure. A third-party cloud provider hosts all data of a business, and the cloud provider’s data center has a power surge resulting in the physical loss of hardware and data loss resulting in several days without access to the data. Or worse – the data is gone entirely.
Common coverages, such as a standard property or a general liability policy, are highly unlikely to provide coverage for any of these events. In fact, many of these policies specifically exclude coverage for cyber events or, if the policy holder is fortunate, define a narrow coverage scope with a very small sublimit. As a result, businesses that experience one of the above events face potentially catastrophic losses with little or no avenue for recovery.
For those relying on luck, the plaintiff’s insurance litigation bar has seen some success in establishing “silent cyber” coverage under these ill-fitted policies. But why leave the fate of clients’ businesses to an ambiguity? Additionally, insurance carriers have been steadily endorsing policies with specific exclusions, eliminating the “silence” and channeling the savvy directly into cyber insurance coverage.
Lawyers, therefore, should encourage their business clients to purchase coverage that will protect them for the aforementioned scenarios. Possibilities include cyber insurance policies, supplementary endorsements, and crime policies.
Cyber Insurance: What Does It Cover?
There are five general insuring agreements under the umbrella of cyber insurance: 1) network (information) security and data breach coverage; 2) network business interruption; 3) privacy liability; 4) media liability; and 5) technology errors and omissions.
Network (Information) Security and Data Breach Coverage. This coverage protects a business’s privacy and information against network security failures. It reimburses first-party costs including data breach, consulting services, legal expenses, IT forensics, negotiation and payment of ransomware demands, data restoration, breach notification to consumers, setting up a call center, public relations, and credit monitoring. This coverage would benefit the business in scenario 1, through negotiation and payment of ransomware demands, payment of costs to repair lost data, or compliance with post-data breach requirements. Most businesses would benefit from, and should seriously consider, this coverage.
Network Business Interruption. This coverage part evaluates the income lost as a result of an interruption of service after a cyber event. When a business’s network goes down, this coverage can be used for fixed expenses, lost profits, and extra costs accruing during the time the network is down. This coverage is also essential for any business whose successful operation relies on technology. It could help the business in scenario 1, by covering business losses incurred through the network security failure.
Dependent-contingent business interruption is an additional coverage or endorsement that may help the business owner in scenario 3 when a business owner using a third-party provider suffers operational downtime and financial losses because of the service interruption. These systems include cloud platforms, data storage, and other data-processing platforms. Many business owners mistakenly think that the data-hosting service bears these risks, but often that is not the case under the contract. These providers shift the risks of data loss or operational losses back to the business owner in their user agreements or master terms of service. Further, even if the risk is not contractually shifted back to the business owner, these hosting platforms might not have the proper insurance coverage or limits to deal with a catastrophic loss on their systems.
Privacy Liability. This insurance covers liability from a third-party claim arising from a data breach or compromise event. This coverage is essential for companies that maintain highly sensitive employee and customer information because it will cover liability, including class-action liability and damages, arising from a breach.
Media Liability. This insurance provides coverage for intellectual property infringement (not including patents) arising from the insured’s advertisements. This will cover both traditional print advertisements as well as online and social media advertising.
Technology Errors and Omissions. This coverage is generally for providers of technology services (for example, data-hosting or cloud-service providers). Businesses are only going to be interested in these coverages if they provide technology services. However, businesses using third-party hosting and technology services will want to negotiate to have their technology service providers maintain this coverage because it may cover losses incurred by the business owner if the provider’s services fail.
While cyber insurance brings real solutions to digital world problems, some common cyber-related events can be added to more traditional insurance products. Scenario 2, a spearphishing scheme in which a fraudulent actor poses as a key employee and convinces the unknowing employee to wire funds or release financial or other sensitive information, is one example. Coverage for these sorts of situations can be found in endorsements to a business owner’s property, casualty, or crime policy. However, clients need to be aware that this coverage is not standard and might need to be purchased separately.
Crime Policy or Additional Endorsement Under the Property Policy
Computer Fraud and Electronic Funds Transfer Fraud Coverage. Many businesses purchase employee theft coverage found within a crime policy but do not obtain additional coverage under that policy. However, businesses should consider computer fraud coverage and electronic funds transfer fraud coverage, which will pick up losses caused by theft arising from the use of a computer to fraudulently cause the transfer of property to an unauthorized person. This coverage helps the business in scenario 2. The electronic funds transfer coverage will pick up losses arising from theft of money relating to use of fraudulent instructions. However, special attention needs to be paid to any “covered premises” limitation. In today’s work-from-home world, the definition of “covered premises” can mean the difference between coverage or a denial.
Social-engineering Fraud Endorsements. Some insurance companies offer special endorsements for social-engineering fraud or deception, which would help cover losses resulting from phishing and other social-engineering frauds. However, business owners should diligently review these coverages because they often come with lower, often insufficient, limits and arguably defeat attempts to shoehorn the loss into the computer fraud portion of a crime policy, which often has higher limits.
Unfortunately, it is possible that a purchaser of insurance, even a business owner, will not read a policy before buying the insurance. Often, the only time a policyholder reads their policy is after a loss. To better assess corporate risk, it is a good practice to review vital contracts side by side with the insurance policy. Your attorney and your insurance broker should be on a first-name basis. Only good things can come from having a zealous advocate talking to an agent of the insurance company.
» Cite this article: 94 Wis. Law. 43-45 (April 2021).
Meet Our Contributors
How did you find your way to your current position?
By becoming comfortable with being uncomfortable. Growth happens when one is beyond their norm. Actively seek opportunities to ask questions, expand your network, and engage with people you admire. Especially in 2020, it feels like people are always willing to share their experiences or talk about something they have accomplished, and all it takes is a genuine interest.
Genuine interest has led to a meaningful connection with Lora LoCoco, becoming a contributing author in the Be Intentional series of books, and interviewing a personal hero – Bill Wilson, the author of When Words Collide. Despite feeling nervous initially, you can have a lot of fun once you decide to chase dreams while you are wide awake.
David Princeton, AdvocateClaimService.com.
What is one of the biggest challenges you face in your position?
Business and commercial litigation cases are often the most interesting and intellectually stimulating. It is easy to become passionate and want to fight to the very end so that clients can be vindicated and obtain the remedy they deserve. However, these cases also have extremely voluminous discovery and document production, lengthy historical background, myriad complex legal issues, and numerous parties and witnesses. This often leads to a lot of legal work over the course of years, even in cases with relatively modest amounts in controversy and for which there is no mechanism to shift legal fees.
There always needs to be a difficult discussion early on and throughout the course of the litigation about whether going to trial or continuing the case is cost-effective, even in instances when the facts and law are primarily in my client’s favor. This can frequently make the legal process feel unfair or unjust to many, and while a decision to settle a case makes the most sense on the books, it is sometimes hard to accept when together the client and I are so mentally and emotionally invested in the case. However, the more it is discussed and is a constant consideration at each stage of litigation, the better everyone’s expectations match reality, and the client’s overall long-term well-being stays at the forefront throughout the process.
Lora L. LoCoco, Rose & deJong SC, Milwaukee.
Become a contributor! Are you working on an interesting case? Have a practice tip to share? There are several ways to contribute to Wisconsin Lawyer. To discuss a topic idea, contact Managing Editor Karlé Lester at (800) 444-9404, ext. 6127, or email firstname.lastname@example.org. Check out our writing and submission guidelines.