Insurance Coverage for Data Breaches

Data breaches are on the rise and the risks are significant. How available insurance can help if your CPA firm experiences a data breach.

December 19, 2011
by Jason Rosenthal, JD and Kristen Hudson, JD

As the flight attendant closes the cabin door, your worst fear is realized. Your laptop is not in your carry-on bag and instead is sitting in the backseat of a taxi cab. The laptop contains sensitive data belonging to your firm’s largest client. If the data gets into the wrong hands, it could result in the disclosure of the private financial information of thousands of your client’s customers.

Scenes like this are playing out across the country more and more. The U.S. has firmly moved from a manufacturing-based economy to one driven by technology and information. The risks of that data being breached are increasing every day. When such a breach occurs, there are significant ramifications from both the legal and financial perspective. If your CPA firm or its clients become victims of a data breach, insurance coverage may be available to help.

The Costs of a Data Breach

Data breaches are a problem that is not going away and is only likely to grow. In April 2011, hackers accessed Sony’s network and gained access to more than 100 million users of the PlayStation Network. (International Insurance News, Zurich Seeks to Clarify Insurance Coverage of Sony Hack Attack, July 25, 2011.) Sony estimates that the cost of this breach will be $178 million in this fiscal year alone. (Id.)

The risks are not limited to sophisticated hackings. A breach can result from something as simple as a laptop or thumb drive being stolen.

Most states already have laws governing the storage of personal information and providing remedies when that information is jeopardized. The costs of compliance, litigation and regulatory penalties can all be significant. Unlike many risks, a single data breach can result in both first-party and third-party losses. For example, a system hacking may shut down a CPA firm, resulting in the interruption of business and lost profits (a first-party loss) and if the hacking results in the dissemination of clients’ financial information, the firm may face lawsuits from those clients (a third-party loss).

Plaintiffs’ lawyers have latched onto this disturbing new trend and are keeping an eye out for potential lawsuits, which is why CPA firms and their clients also need to keep an eye out for potential security lapses and know what to do if one occurs.

Data Breach Coverage

As the risks of data breaches have become more prevalent, the insurance industry has responded by offering new products to protect against the associated risks. For example, some insurers now offer stand-alone coverage for data breach risks. Data breach insurance can potentially cover a variety of losses, including the following:

  1. Costs of recovering or restoring lost data;
  2. Business interruption due to a data breach or system hacking;
  3. Responding to a data breach (e.g., costs of notifying customers, payment of credit monitoring, etc.);
  4. Lawsuits brought by those whose data was disclosed; and
  5. Defending regulatory action, including regulatory fines.

Some of the industries these insurers are targeting include professional service firms, healthcare providers, technology companies and retailers or other companies that retain consumer information.

With stand-alone policies tailored to a specific risk, such as data-breach insurance, it is important to be aware of what your firm is purchasing (and, more importantly, what is excluded from the coverage). Also be on the lookout for sub-limits that will apply to certain types of data breaches. Be sure to consult with a broker or other insurance consultant familiar with this coverage. Premiums for stand-alone coverage can be expensive, and the product you are purchasing (an insurance contract) can vary widely in terms of what it will cover. You may also be able to purchase supplemental coverage for an existing policy (the coverage is typically added via an endorsement, rather than through a separate stand-alone policy) to protect your firm.

What to Do in the Event of a Data Breach

In the event of a data breach, the first step is damage control. Get the appropriate personnel involved to stop the problem and minimize the potential damage. One of your firm’s next steps should be to check insurance policies for potential coverage. This may include professional liability or errors and omissions policies, business-interruption insurance policies, commercial-crime policies and directors’ and officers’ liability policies. Obtain the necessary resources to analyze the coverage that may be available. Also, take appropriate action to notify the insurer of any data breach, making sure other necessary steps are taken to secure coverage.

Potential Insurance Coverage Under Existing Policies

When faced with a data breach, first check your existing insurance coverage (of course, this is a step that all CPA firms should take before a breach occurs). In addition to professional liability coverage, most CPA firms will have a property policy and a commercial general liability (CGL) policy. The property policy may cover a first-party loss, i.e., a loss that impacts the firm’s property directly, such as its computer systems or data.

The CGL policies likely provide coverage for third-party claims asserting, among other things, “personal and advertising injury,” which is often defined to include “oral and written publication, in any manner, that violates a person’s right to privacy.” In some jurisdictions, this may suffice to cover certain third-party claims resulting from the disclosure of private information. CGL policies also usually cover “physical injury to tangible property” or “loss of use of tangible property,” which can sometimes trigger coverage, depending on the nature of the damages.

In both the first-party and third-party contexts, some courts have interpreted these insuring agreements to exclude electronic data. These courts reason that because data stored on a computer cannot be held or touched, its loss is neither damage to “tangible property” nor “loss of use of tangible property.” Courts that have found coverage under CGL policies have based that determination on third-party allegations that the computer itself was damaged.

Most modern policy forms contain exclusions for losses arising out of the breach of electronic data. For example, computer data is excluded on the new CGL policy forms. A more thorough discussion of the precise coverage issues is beyond the scope of this column, but other policies, such as directors’ and officers’, errors and omissions or professional liability policies, should also be checked for potential coverage and exclusions.

Technology is constantly evolving and so are the risks of doing business. As these risks evolve, so too will the products insurance companies offer. It is no longer sufficient for CPA firms to simply buy a professional liability or CGL policy. As data breaches evolve and insurance companies continue to challenge coverage under traditional policies and new coverage disputes arise in connection with cyber policies, CPA firms need to evaluate their risk and sources of exposure regularly and make sure their insurance programs keep pace with the risks and realities of today’s business environment.

Jason M. Rosenthal, JD, is the managing partner of and Kristen E. Hudson, JD, is a partner at Schopf & Weiss LLP, a national business litigation firm based in Chicago. They regularly represent corporate policyholders in insurance recovery disputes. For more information, contact Rosenthal or Hudson at 312-701-9300.