This author has previously discussed the inevitability of security hacks and attempts to require companies holding third-party data to pay some type of damages to the alleged victims of a hack. Even though damage from such hacks is often hard to prove, those who claim to have been victimized and their lawyers, who often operate on contingencies, will continue to file lawsuits that often result in the imposition of at least defense costs and, at times, of some indemnity payments. Hacked companies also suffer actual damage from loss of customers when the hacks are reported as required by multiple laws. Companies should thus take reasonable precautions against data breaches. But if a company takes such reasonable precautions, it should be able to buy insurance for the inevitable hack that actually provides coverage for resulting defense expenses, indemnity payments, and loss of business income.
As discussed in previous columns, there is a project called Cyber Catalyst whereby insurance companies, brokers, and tech companies are trying to set up some type of certification for security products, which seems necessary if insurance companies are going to insist that insureds take reasonable precautions. [https://www.wsj.com/articles/insurers-creating-a-consumer-ratings-service-for-cybersecurity-industry-11553592600] Thus, an insured who follows the certified procedures and also buys a cyber policy should receive coverage for a security hack without any real questions from the carrier. The coverage should include reimbursements for damages from loss of reputation and business because of the hack, which may well be more than any actual damage award payable to those whose information was compromised. Yet, most cyber policies contain the following exclusion for statutory violations and governmental actions:
This insurance does not apply to any damages, loss, cost or expense in any way related to any claim made or proceeding brought by or on behalf of any governmental authority.
Given that most hacks cause no real damage, violations of the numerous statutory regulations relating to unauthorized access to private or confidential third-party information, including the European GDPR, the California CCPA, and other similar statutes, constitute the most common claims asserted in lawsuits resulting from hacks. Many of these statutes and regulations impose liability without requiring any showing of negligence or other wrongdoing by the hacked company. This exclusion thus significantly limits the coverage provided by policies that contain it, because often the only claims made are brought by or on behalf of a governmental authority. Insureds purchasing cyber coverage therefore should try to have this exclusion deleted, or buy optional coverage such as the following for claims relating to statutory violations and governmental activities.
Subject to all of the terms and conditions of this insurance, we will reimburse the first named insured for civil fines or civil penalties imposed against such insured by order of a regulatory authority having jurisdiction caused by an act that results in a privacy data breach that first occurs during the policy period.
This Additional Coverage applies only if:
• such actual or suspected injury is not excluded under any section of this contract; and
• such fines or penalties are reported to us in writing within 60 days of the date the fines or penalties are imposed.
As evidenced by the numerous lawsuits about the breadth of the exclusion for statutory violations and governmental actions, buying any possible coverage for statutory violations and governmental lawsuits is a must for most businesses. [https://blogs.elon.edu/blj/2016/05/16/demystifying-cyber-liability-insurance-what-businesses-need-to-know]
The more significant actual threat to most insureds is malware such as the WannaCry ransomware or other forms of attack that incapacitate the company’s or governmental entity’s data. In light of the fact that most companies and many governmental entities are now moving their data to the cloud in order to save on IT costs, coverage for interruption of communication with and access to data stored by third-party providers is becoming an important issue. Experts have also asserted that use of the cloud makes ransomware attacks more likely. Cyber policies do seem to be covering at least some of this risk with the following clause:
Subject to all of the terms and conditions of this insurance, we will reimburse the first named insured for cyber-threat expense:
• for a threat first made directly against such insured during the policy period; and
• paid or incurred by the insured within 60 days after receipt of such threat.
We will pay for the actual:
• electronic data recovery costs;
• business income loss; and
• extra expense,
you incur due to the actual impairment of your operations during the period of recovery of computer service, not to exceed the applicable Limit of Insurance for Impairment Of Computer Services – Outside Attack shown in the Declarations.
We will not pay that part of any business income loss or extra expense you incur to respond to extortion or other similar threat.
These clauses seem to cover at least the expense of restoring data. But this coverage also seems to have some gaps, such as for loss of business income during the outage. And now the security companies who created an industry of dubious precautions forced upon all users, precautions that generate billions of dollars in revenue but ultimately achieve less benefit than they cost, have raised a red flag against the simplest and cheapest way of limiting the costs associated with data hacks demanding ransom: paying the ransom demanded to turn the computer system on again. A recent article included quotes from various security experts that insurance companies should not pay ransom demands such as those made against Riviera Beach, Florida (which did instruct its insurer to pay), because making payments only provides incentives for further—and repeated—malware attacks, and because even making payments does not guarantee that any, or all, data will be restored. It certainly does seem that, at least if data is properly backed up, there should be an easy and cost-effective way to restart a computer system infected by malware, and if that is not possible, insurers should be able to pay the ransom as the most cost-effective solution to restore use of ransomed computer systems.
Under a theory of pooling of risk and maximizing deterrence, insurance companies or maybe even the government should develop a solution other than paying ransom, but paying still should be allowed if nothing else works. Setting up a fund supported by insurance companies as a group, or a government fund, to compensate for the cost of recreating databases might also solve the problem. This might be similar to the uninsured motorist fund, the vaccine fund, or the wildfire fund recently passed by California, as well as to other no-fault methods of compensation. All of these funds pay for damages caused through no fault of the insured, which is really what happens with most ransomware incursions. Although security companies typically try to blame someone to pad their consulting revenue, malware issues are mostly impossible to avoid and should be covered by some type of insurance or compensation fund.