As the risks associated with cyber liability continue to evolve, so do the insurance products that are theoretically meant to protect against those risks. As the insurance industry attempts to keep pace, the applications that insurers use to capture the data they believe is necessary to underwrite these risks are also evolving and vary to a large degree. Regardless of whether an application is long or short, or seeks information in generalities or in detail, all prospective policyholders must take care in completing these applications, enlisting the help of a data security professional (whether within the organization or a consultant) and possibly of a good broker that specializes in this area. Indeed, a failure to provide accurate information could cause an insurer to resist providing coverage for a claim, or to attempt to rescind the policy, on the purported grounds that there was a material misrepresentation in the policy application.
This article first provides an overview of the key categories of information that most cyber-liability insurance applications seek, followed by some of the key principles of which a policyholder should be aware in the event an insurer attempts to deny a claim or rescind a policy based on alleged misrepresentations or omissions in the policy application.
A. The Policy Application: Three Key Information Categories
Regardless of the type of application used, most applications seek data in three key areas: (i) organizational structure with respect to information technology and data security, (ii) nature of the data maintained, and (iii) technology used.
1. Organizational Structure
The insurers want to understand the level of a prospective policyholder’s sophistication with respect to data security. Specifically, they will want to know whether a prospective policyholder has a developed data security team and, in particular, they will want to know which individuals are responsible as first responders in the event a breach were to occur. They also will want to know how the prospective policyholder deals with regulatory compliance and whether it trains its employees with respect to computer-based/electronic risks and threats. Finally, they will want to know about the vendors that handle or otherwise come into contact with the prospective policyholder’s data and information technology systems. Obviously, it is very important to be complete—possibly even over-inclusive if there is any doubt—and to “name names” particularly with respect to vendors. Failure to disclose a vendor that may serve only a minor role in the data security chain could give an insurer a defense if that vendor had some causative link with respect to a breach.
2. Nature of Data Maintained
This is, of course, one of the areas of principal interest to insurers: they want to know the type of data that a prospective policyholder handles or maintains. This is a critical area of any application and may require the prospective policyholder to enumerate whether it maintains or processes such things as the following:
- Personal health information (protected by HIPAA);
- Credit card information;
- A customer’s or supplier’s trade secret information;
- Employee benefit information; and
- Other Personally Identifiable Information (PII) that can be monetized, such as social security numbers, email addresses, passport numbers, VINs or property title numbers, and biometric data such as retina scans, among numerous other types of such data.
Not only will insurers want to know the nature of the data maintained, they will also want to know the quantity, i.e., the number of files or records for each. And they will want to know where the data resides and who can access it. Given the complexity in both knowing the nature of the sensitive data that a prospective policyholder maintains, and the quantity thereof, this is a prime area for mistakes or omissions in filling out a policy application. Note: Perkins Coie’s Privacy and Data Security group can help with data mapping to get this right.
3. Technology Used
Policy applications typically will seek to ascertain information about a prospective policyholder’s technology, including information about how a computer network is managed and maintained, how hardware and software updates and patches are handled, and whether systems are in place to assess vulnerabilities and mitigate risks. They also may want to know about the technology that any IT vendors use and whether and how vendors are monitored. Needless to say, this is a highly technical area, and the individual charged with completing the policy application will certainly need support and input from the IT professionals.
B. Accused of a Misrepresentation or Omission? The Basic Principles Any Policyholder Should Know
Accusations that a policyholder answered policy applications incorrectly or incompletely seem to be on the rise as a standard defense against providing coverage for claims, particularly in the area of data breaches. This may be due to the reality that data breaches themselves are on the rise as hackers become more sophisticated. When the rate of claims rises, insurers tend to push back more, and scrutinizing answers to their policy applications is becoming a standard step in their claims investigation process.
Given the variations in the policy applications, and the complexity of the information sought (as indicated by the above examples), there are numerous pitfalls for prospective policyholders and possibly even for the brokers assisting them. Regardless, if an insurer attempts to deny coverage or even rescind a policy altogether on the premise that the application contained misstatements or omissions, the policyholder should be aware of the following general legal principles:
- Rescission is an extreme measure, especially after a loss has occurred, and a court typically will grant that relief only where the clearest and strongest equity demands it. In other words, if an insurer detects a wrong answer in a policy application before it receives a claim, then the insurer has more leeway.
- But courts do not want insurers to use rescission as a coverage defense as a matter of course.
- To deny coverage or rescind a policy based on a misrepresentation or omission in the application, the insurer has the burden of proving that the misrepresentation or omission was material. This means that an incorrect answer or an omission in and of itself is not enough; the insurer must prove that it would not have sold the insurance policy on the same terms if it had had the correct information. This point is key. For example, if the policyholder made a mistake in stating how it stores PII records, but the cost of responding to any breach with respect to those records would not change, then the incorrect information may not be material; in other words, the insurer would have sold the same policy on the same terms.
- Self-serving or conclusory statements by an insurer’s employees are not sufficient to establish materiality; insurers must support their claims through documents in their underwriting files. In other words, they must show that the incorrect information was considered and that they based an underwriting decision on it.
- The questions in the policy application must be clear and unambiguous; an answer to an ambiguous question cannot support a misrepresentation claim.
- If an insurer renews the policy after it became aware that its policyholder may have answered a question in a prior application incorrectly or incompletely, the insurer may be deemed to have waived any right to rescind the policy.
There are other principles as well, but the above are the basic ones of which any policyholder facing a misrepresentation accusation or rescission claim should be aware.
Moral of the story: get help from your IT professionals as well as other appropriate professionals and a broker specializing in cyber coverage when applying for cyber liability insurance and know the legal landscape if your insurer claims you did not fill out its policy application correctly or completely.