Most firms that provide technology services or products have insurance to protect them against the risk that a dissatisfied customer will bring a claim or a lawsuit against them for damages arising out of the company’s products or services. It is very likely that such firms purchase general liability insurance, which is an important product that covers many different risks, including property damage, bodily injury, advertising injury, and other business-related claims. Most importantly, general liability insurance policies often require the insurer to defend the company in the event of litigation, making it a particularly valuable type of insurance. But will general liability insurance protect your tech company in the event of a claim by a client for purely financial damages? The short answer is, probably not. This is the reason for tech firms to consider a Technology Errors and Omissions (Tech E&O) policy as part of their overall coverage program. Using the examples below, this article discusses the coverage such policies can provide.

Example 1: Tech Product

Let’s say your company designs and provides building design software to architecture firms. Due to a problem with your software, several architectural designs for major projects have incorrect specifications, which impact many large projects. As a result, your company’s clients lose revenue because they have to revise the design plans for these projects, which takes additional weeks of architect time. If the architects then sue your company for damages, it will have to defend itself in the lawsuit and possibly pay a settlement or judgment to the architecture firms. 

As the risks associated with cyber liability continue to evolve, so do the insurance products that are theoretically meant to protect against those risks. As the insurance industry attempts to keep pace, the applications that insurers are using to capture the data they believe is necessary to underwriting these risks are also evolving and vary to a large degree. Regardless of whether an application is long or short or seeks information in generalities or in detail, all prospective policyholders must take care in completing these applications, enlisting the help of a data security professional (whether within the organization or a consultant) and possibly of a good broker that specializes in this area. Indeed, a failure to provide accurate information could cause an insurer to resist providing coverage for a claim, or attempt to rescind the policy, on the purported grounds that there was a material misrepresentation in the policy application.

This article first provides an overview of the key categories of information that most cyber-liability insurance applications seek, followed by some of the key principles of which a policyholder should be aware in the event an insurer attempts to deny a claim or rescind a policy based on alleged misrepresentations or omissions in the policy application. 

Data breaches are up significantly in 2019, exposing billions of confidential records and costing companies millions of dollars on average per breach. Security experts counsel their clients that data breaches are inevitable as even the largest, most secure systems may be breached. In spite of this environment, many tech companies are woefully unprepared to respond to a cyber intrusion, data breach, or other cyber-related event. Are you ready?

As insurance coverage lawyers, we often work with clients to confront this organization-wide challenge after a breach has occurred. The better approach, however, is to prepare in advance by understanding your risks, building a team, securing and monitoring your data, having a well-developed and rehearsed response plan, and tailoring your insurance program to a possible breach. Additionally, having counsel involved throughout the preparation and response process is critical to protect privilege, minimize legal liability, and maximize insurance coverage.

This author has previously discussed the inevitability of security hacks and attempts to require companies holding third-party data to pay some type of damages to the alleged victims of a hack. Even though damage from such hacks is often hard to prove, those who claim to have been victimized and their lawyers, who often operate on contingencies, will continue to file lawsuits that often result in the imposition of at least defense costs and, at times, of some indemnity payments. Hacked companies also suffer actual damage from loss of customers when the hacks are reported as required by multiple laws. Companies should thus take reasonable precautions against data breaches. But if a company takes such reasonable precautions, it should be able to buy insurance for the inevitable hack that actually provides coverage for resulting defense expenses, indemnity payments, and loss of business income.

Companies enter an array of technology transactions with third parties that allow vendors access to the Company’s source code, customer data, employee information, cybersecurity measures, and other critical data and infrastructure. These relationships inevitably increase the potential of a cyber attack impacting the Company through an attack against the vendor.

As previously reported here (Nov. 8, 2017), companies falling victim to electronic impersonation (“spoofing”) schemes have frequently turned to “computer fraud” coverage found in typical crime policies. In this type of fraud, someone impersonates a vendor, contract partner, or company executive via email or other electronic means, and directs the transfer of funds to

I have several times discussed the need for cyber insurance that will actually cover reasonable claims; a need that still seems to exist. The case of Hub Parking Technology USA v. Illinois National Insurance Company (https://www.law360.com/articles/1170778/parking-tech-co-says-aig-must-defend-it-in-privacy-row) that was brought in Pennsylvania District Court in June of this year illustrates this problem. Hub bought security and privacy insurance that was intended to cover security breaches and disclosure of personal data in violation of privacy rules. Hub was then sued in underlying litigation for printing parking receipts at the Cleveland Airport that showed eight digits of credit card numbers instead of the standard last four digits permitted under various state statutes and case law. When Hub submitted the claim to its cyber insurer, the cyber insurer rejected the claim based on its conclusion that there had been no loss of privacy or security information, as well as on several exclusions, such as those for contractually assumed liability and intentional acts. Although the insurer may have had a legitimate complaint that there really was no damage from this alleged violation (and the plaintiffs had not alleged that anyone suffered actual damage or identity theft arising from the parking receipts at issue; they rather relied on an FTC study showing that similar incidents have caused actual damage, so that the potential for damage existed), that should not have prevented the insurer from providing at least a defense.  

In the wake of numerous high-profile electronic data breaches, companies are justifiably concerned about beefing up their cybersecurity programs and ensuring that they have adequate insurance coverage in the event of an electronic data breach. While the unauthorized disclosure of sensitive electronic data, whether through cyberattacks, insider malfeasance, inadvertence, or otherwise, is, of course, a substantial risk that must be addressed in any cyber insurance program, businesses should also understand and insure against their potential exposure in the event of an old-fashioned breach of sensitive information by way of paper or other non-computerized records.

These types of ink-and-paper data breaches happen more often than one might expect, given the media attention paid to electronic data heists. The healthcare industry, for example, is especially plagued by non-electronic data breaches, despite widespread adoption of electronic health records. According to a recent study by the American Journal of Managed Care, paper and films were the most frequent storage media at issue in data breaches that occurred in hospitals during the study period, whereas network servers were the least common. Statistics from the Office of Civil Rights Annual Report to Congress on Breaches of Unsecured Protected Health Information, published by HHS in 2012, revealed that paper records were involved in 23 percent of major breaches of protected health information (those affecting 500 or more individuals) and 61 percent of smaller breaches. See also Prevent Breaches: Don’t Forget Paper. This problem has not gone away in the intervening years: 11 major breaches of protected health information reported to date in 2019 involve paper or film records.

The consequences of a data breach can be far-reaching. While the initial issues in the wake of a breach often involve investigation into the cause of the breach and sending notification to those affected (both of which are covered by most cyber insurance policies), coverage for certain types of third-party claims stemming from cyber breaches may be available under Commercial General Liability (“CGL”) insurance policies.

CGL insurance policies provide coverage for claims of “Bodily Injury,” “Property Damage,” and “Personal and Advertising Injury.” Bodily Injury and Property Damage claims are covered under Coverage A of CGL policies, while Personal and Advertising Injury claims are covered under Coverage B. This blog post briefly summarizes the major issues policyholders encounter when seeking coverage for Personal and Advertising Injury (Coverage B) under CGL policies that arise out of a cyber incident. 

The European Union’s sweeping Global Data Protection Regulation (GDPR), which took effect on May 25, 2018, dramatically expanded the compliance obligations of companies collecting or using European Union citizens’ personal information. It also substantially increased regulatory exposure for companies due to its strict requirements and draconian penalties for non-compliance, including potential fines of greater than 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. See Perkins Coie’s GDPR Resources for an overview of the regulation, and Will Your Cyber Policy Provide Coverage for GDPR Violations? for a discussion of insurance coverage issues arising from the regulation. Yet the new regulatory landscape facing companies that collect, use, or manage consumers’ personal information has expanded far beyond the GDPR, and many United States jurisdictions have enacted or are in the process of enacting regulations governing the collection, storage, and use of consumer information. As a result, any company that handles consumer personal information must have a thorough understanding of these regulations and must make sure that its insurance program aligns with its regulatory exposure in order to effectively manage the risks arising out of burgeoning cybersecurity and privacy regulations.