An oft-repeated mantra in business and technology is that it’s not a question of if a data breach will happen, but when. The average cost of a corporate data breach in the United States is nearly $9.5 million, according to an IBM report published in 2022. Without adequate cybersecurity insurance, companies (and law firms) might find themselves facing a double threat: being the victim of a breach and then having to contend with the denial of their cyber insurance claim. This article addresses the risks of failing to implement and follow all of the policies and procedures required by the cyber insurance policy.
Given the exponential growth in breaches and their high costs, insurance providers are raising premiums and increasingly investigating whether the practices, as represented by the insured when it applied for coverage at the outset, were implemented and regularly tested and updated as needed. Failure to do so has resulted, and will continue to result, in denial of coverage.
The Expanding Litigation Threat
The biggest risk of this kind that businesses face is not from individual plaintiffs asserting damages from a data breach—it’s a class action brought on behalf of all those similarly situated. In the past, Article III standing cases have generally held that plaintiffs could not establish the requisite “injury in fact” based on the mere risk of future harm because their personally identifiable information or protected health information was exposed.
For years, class-action data breach cases have foundered on that basis. However, a growing body of case law provides guidance on what constitutes “concrete harm,” and the number of class-action cases finding a concrete injury is on the rise. For a good summary of the law on this critical issue, see TransUnion LLC v. Ramirez (2021) and Hunstein v. Preferred Collection and Management Services, Inc. (2022).
Loss of Insurance Coverage
Recent reports have shown that an insured party’s perception of its security versus reality often differ greatly. One of the biggest reasons for coverage denial concerns misrepresentations in the company’s application and/or the failure to maintain security practices amid the ever-changing threat environment. Most cyber insurance policies provide broad coverage for cyber extortion, data restoration, public relations, computer fraud, business interruption, regulatory compliance and related elements. However, the coverage under a policy depends on the representations the insured made in its application, and its subsequent compliance with them.
A typical application for cybersecurity insurance will contain a privacy and security liability questionnaire, as well as a portion about information security. Key items insurance providers require for such policies, according to an August 2022 FitchRatings report, include the use of multifactor authentication, employee training on phishing and other types of cyberattacks, strength-of-password requirements, regulatory reporting obligations, an assessment of the quality of one’s incident-response plan and penetration testing. In addition, all 50 states have data-breach notification laws, and law firms or clients must comply with the requirements of each state in which they do business.
Companies must regularly monitor, update and test all cybersecurity requirements mandated in their policy.”
The hole in the cyber insurance net stems from the insured’s potential misrepresentations in its application and its failure to adjust to the changes in the methods by which bad actors gain illegal access to data. Recently, one insured business that suffered an enormous data breach was denied coverage and had its policy rescinded. See Travelers Property Casualty Company v. International Control Services, Inc. (2022).
Travelers’ success was based on the fact that International Control Services, in its policy application, stated (and signed a separate attestation) that it required multifactor authentication to gain administrative access to its data. Upon investigation, Travelers determined that ICS misrepresented the scope of its authentication process, resulting in the breach.
A business’s failure to follow the policies and procedures claimed in its application is dire. In fact, most insurance policies have a specific exclusion that precludes coverage for claims arising from the policyholder’s failure to maintain adequate security standards. Companies must regularly monitor, update and test all cybersecurity requirements mandated in their policy. The same is true for policies regarding cyber extortion and ransomware attacks.
It’s not just insurance companies that require businesses to have solid procedures and policies to prevent and contain data breaches. Banks, corporate clients and a multitude of others require similar assurances from law firms they deal with that the firms have, comply with and regularly test, update and monitor a written information-security policy and incident-response plan.
Takeaways
The increase in data breaches, the costs resulting from them (which can include potential criminal and regulatory liability), the representations required by clients and insurance companies and the need to meet constantly changing threats in this data-driven age demand that law firms and their clients implement and closely monitor cybersecurity policies and practices. To that end:
- Read your cybersecurity insurance policy application and representations to confirm each representation is accurate.
- Update your policies and practices to stay on top of changes and innovations in data security.
- Train and test your employees in data security practices and potential breaches, especially phishing schemes.
- Keep an open line of communication with your insurance provider and follow its recommendations regarding cybersecurity.
- Consider having an outside vendor run penetration tests of your data security systems.
The bottom line: Breaches may be inevitable, but diligence and preparation can mitigate both their financial and reputational impact.
Robert W. Wilkins, a Jones Foster shareholder, and the Litigation & Dispute Resolution Practice Group Chair, is double Board Certified by The Florida Bar in the areas of Business Litigation and Civil Trial. He is Co-Chair of the E-Discovery Subcommittee and the Data Security Subcommittee of the ABA Litigation Sections’ Commercial and Business Litigation Committee. He is also an active member of The Sedona Conference Working Group 1, Electronic Document Retention and Production and Working Group 11, Data Security and Privacy Liability.