A recent case in the Northern District of California offers two cautionary tales to policyholders. First, when buying insurance, companies should understand their risks and ensure that the policies they’re buying match those risks as closely as possible. Second, when a claim arises, policyholders must carefully consider all the allegations, not just the formal causes of action, in the complaint to determine whether they might trigger an insurer’s defense obligation.
Tyler Gerking has a commercial litigation practice focused on recovering money for individual and corporate policyholders under all types of insurance policies, including commercial general liability, directors' and officers' liability, professional errors and omissions liability, employment practices liability and first-party property policies.
The Internet of Things gives rise to many risks and exposures that companies and their insurers were not thinking about as recently as a couple years ago, and probably aren’t fully cognizant of today.
The DDoS attack late last week on internet infrastructure company Dyn should act as a wake-up call. It shows how large and disruptive a cyber attack can become because of all the seemingly benign “things” connected to the internet. And it should cause companies to think about what their risks really are and whether their current risk management approaches address them.
Just one example from this latest attack – I’m reading that one or more of the manufacturers of the devices that were used as bots in this attack must recall a very large number of products because the passwords (which were easily cracked) cannot be changed by the user. The software that runs those products came ready installed on components bought from China, and it is this software that contains the vulnerability. Now that the passwords are known, the devices can no longer be considered secure. Maybe the manufacturers have product recall insurance or maybe they don’t. But they likely never thought they would have to conduct a product recall under these circumstances, or considered whether such a recall might be covered under their current insurance program.
Protect your company by:
- Understanding your company’s IoT exposures.
- Using your company’s broker and coverage counsel to review all insurance policies with IoT exposures in mind and negotiate favorable policy terms.
- Revisiting the policies annually at renewal time because of quickly changing risks and policy terms.
Policyholders should always consider the potential for coverage under their CGL policies if they suffer a data security breach. However, as the cases described in my article for Corporate Counsel show, coverage is highly fact-dependent and subject to interpretation by the courts even in the absence of a data-related exclusion. The addition of such an exclusion narrows the policyholder’s options.
As a result, policyholders should carefully consider their insurance programs and the unique risks that their businesses face in light of their own computer systems, third-party computer systems on which they rely and the data they collect and/or hold. They should consider whether technology errors and omissions liability or cyberinsurance would more effectively address their risks. With the help of their insurance brokers and counsel, companies can negotiate and tailor those policies to their risks and exposures relating to computer systems, personally identifiable information and confidential third-party business information. Some businesses may choose to rely exclusively on their CGL policies for protection against data breach lawsuits. But that decision should be made deliberately after understanding all the risks and options.
Read the full article: Data Security Breach Liability: Is Your Business Covered?
Erica Villanueva and Tyler Gerking will be presenting to the Association of Corporate Counsel (ACC) on September 14 (in San Francisco) and 15 (in Palo Alto) about private company D&O liability insurance, also known as management liability insurance. Below is a description of the program, which will touch on hot issues that many companies are dealing with right now. Use the links to view the event details and register online.
Private D&O Insurance: Things You Should Know
Companies are staying private longer and purchasing private company directors’ and officers’ liability (D&O) insurance, sometimes known as “Management Liability” insurance. When it comes to D&O coverage, most private companies focus on two things: obtaining it, and keeping the premium low. When a company faces a claim, however, it discovers there is much more complexity to private D&O insurance, and often broader coverage than a public company D&O policy. Accessing and maximizing the available coverage may require a concerted, strategic effort on the part of the company, its insurance broker, and insurance coverage counsel. This program will cover:
- Key features of management liability policies
- Common exclusions and limitations
- The practical impact of certain clauses – and widely-available coverage enhancements that can mitigate these impacts
- Implications of common pitfalls and mistakes in reporting and managing claims
Law firms are important gatekeepers between cybercriminals and clients’ sensitive data. The release of the Panama Papers and several other recent high-profile breaches have brought to light vulnerabilities in law firm cyber security.
I recently participated in a podcast with journalist Ben Hammersley and eSentire’s VP and industry security strategist Mark Sangster. Our discussion focused on cyber risks that law firms face and risk mitigation strategies to protect themselves and the data they hold, including cyber insurance.
In the December post Systemic Cyber Risks And The Internet of Things, we wrote about the increasing risk of cyber attacks on infrastructure and consumer products, and related insurance issues. We noted in that post that, while there have been a few cyber attacks on the Internet of Things (IoT) reported over the past few years, the number of such attacks was certain to grow. It has. Since our December post, several new attacks and developments have been publicly disclosed. These attacks again remind us that companies should evaluate their risks and exposures relating to the IoT and carefully negotiate their insurance policy renewals or purchases.
In the ACC Docket article, Cybersecurity and Data Breaches: How In-House Counsel Can Engage the Board, my fellow partner Carly Alameda and her co-author Olga Mack of ClearSlide correctly observe that cyber insurance may cover costs a company incurs as a result of a data security breach.
I’d emphasize that boards should carefully review proposed policies before they buy one to ensure that they obtain the desired coverage. Cyber insurance policies are not written on standard forms. Policy language and the scope of coverage offered by different insurers can vary, sometimes widely.
I’d suggest that boards first gain an understanding of their own risk profile and then seek to tailor the cyber insurance to address their particular risks. For example, not all cyber insurance policies will cover the insured if the data security breach was caused by an intrusion into a third-party vendor’s system, even though the insured is ultimately responsible for providing notice to consumers and may face lawsuits by consumers, banks and others. Companies that rely on third-party vendors to collect or store PII should make sure that any policy they buy covers losses due to an intrusion into third parties’ systems.
David Smith and I have recently been writing and speaking about cyber risks and cyber insurance for the wine industry. While many of the high-profile data security breaches in the news involve large public companies, all businesses that accept credit cards for payment and/or have personally identifiable information from employees or customers are at risk of a data security breach. This is the case even if the collection or storage of such information is handled by a third-party vendor. Businesses should carefully consider their cyber risks and whether cyber insurance could help them manage those risks. We’d like to share an article we recently wrote on protecting your wine business against data security breaches and other cyber risks: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks.
Companies’ awareness of “cyber” risks has increased significantly because of large and highly publicized data security breaches, such as Target and Home Depot. Companies are starting to more proactively manage the risk of data security breaches by strengthening their IT defenses and, in many cases, buying cyber insurance. However, many do not realize that data security breaches are just the tip of the cyber-risk iceberg. Because nearly our entire economic system depends on electronic devices, machinery and infrastructure that are connected to the internet (i.e., the “Internet of Things”), the potential exists for much larger scale hacking attacks that could control, damage, destroy or shut down many of the systems on which we rely to conduct business. Some of this risk is covered by cyber insurance, but much of it is not. Proactive and effective “Enterprise Risk Management” will be vital to companies seeking to protect themselves against these growing risks. Businesses should carefully review their unique risk profiles, indemnity contracts and insurance policies (including their non-cyber “traditional” policies) to identify and mitigate their exposures.
We have all heard of the large scale attacks on Target, Home Depot and more recently, Ashley Madison. The news generated by these cyber attacks has contributed to the public’s increasing awareness of the large volumes and types of personal information that companies are holding about their customers. To protect themselves against some of the losses that such data security breaches may cause, many companies have prudently responded by buying “cyber insurance.”
I enjoyed co-authoring the article Does Your Commercial Crime Policy Cover Loss From an Imposter's Fraud? with John M. Orr of Integro. Policyholders should take a close look at their crime insurance policies to see whether they'd have coverage if an imposter fraudulently caused an employee to transfer company funds.