Data security issues remain top of mind for c-suite executives, and for good reason. More and more data is being collected, tracked, retained and managed, while cyber-attacks against businesses—large and small—continue to increase in both frequency and sophistication. At the same time, significant data breach liability is being imposed through the European General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and similar state statutes for organizations operating in those jurisdictions. EasyJet was recently the victim of a cyber attack that exposed personal data of nine million customers. The blowback was swift—plaintiffs attorneys commenced a class action lawsuit, quickly drawing over 10,000 plaintiffs from over 50 countries, making it almost instantly the largest data privacy suit in the U.K. Plaintiffs asserting claims under the GDPR need not even demonstrate any financial loss in order to be awarded damages. Mental distress is sufficient. If successful, the lawsuit against EasyJet could result in an $18 billion award.
In the face of this trifecta of risk— more companies possessing more data, increasing cyber attacks, and sky-high statutory liability—what is a business to do? Employing good cybersecurity practices, including robust breach-detection software, employee training and breach response preparation, is a necessity. But these preventative measures are only half of the equation. No matter how strong a company’s cyber program may be, a breach may occur. In this case, the ability to mitigate the loss by making a claim under the right insurance policy can be critical.
Purchasing the right insurance to cover cyber risk and pursuing a claim when a loss occurs are both complex tasks. Among the complicating factors: there is little uniformity in cyber policies, and different types of cyber policies cover different types of events; coverage can sometimes be found in traditional property, liability and crime policies; and the terms employed in filing a claim can be vital.
Cyber insurance is relatively young. Whereas property insurance policies have been around since the 1600s, providing many years of claims to evaluate for underwriting purposes, revisions to policy forms and judicial interpretations, cyber policies have a very short track record. Among other things, this means there is no “standard” cyber insurance policy or uniform interpretation of even the same policy language by courts.....