By Jose Lorenzo
The Identity Theft Resource Center (ITRC) reports that from 2005 to September 30, 2014, there have been a total of 4,827 recorded data breaches.[i] As cyber infringements become common news, assessing your cyber liability has never been more crucial. Does your current policy cover cyber incidents and does it address unauthorized access to personally identifiable information?
A comprehensive cyber-liability policy can ensure that your business will not directly bear the substantial costs that can arise from a data breach. Having dedicated riders (additional provisions added to a bill under consideration by legislature) addressing privacy infringements and data breaches is beneficial. Older commercial general liability policies (CGLs), though comprehensive, usually addressed personal or advertising injuries but did not address cyber-liability. Newer CGLs preclude coverage for privacy claims, violations of statutes and data breaches. The typical policy excludes incidents of unauthorized access or disclosure of confidential or personal information and data-related liability.
This was a troubling lesson for Interline Brands, Inc. Interline was sued for sending junk faxes in violation of the Telephone Consumer Protection Act (TCPA). Interline then gave notice to its carrier. Its carrier denied coverage because the policy contained an exclusion for liability arising from “violation of statutes in connection with sending, transmitting or communicating any material or information.”
Believing that its carrier was violating the policy by not defending it in the TCPA suit, Interline sued it in district court, but the court determined that the exclusion was valid. The court noted that TCPA is a statute that deals with sending communications and information, and therefore the exclusion applied. On appeal to the 11th Circuit,[ii] the court reviewed the lower court and affirmed the lower court and determined that the exclusion was a good practice in the industry to keep premium costs down. The valuable lesson from Interline’s experience is to not assume that your policy covers cyber-liability.
The following are a few coverage considerations to have addressed in your policy:
- Transmission of malicious code
- Data released by rogue employees or by employees’ innocent mistakes
- Unauthorized access to credit card information
- Expenses related to customers’ claims
- Costs to investigate and restore data
- Inclusion of intentional acts and related fines, penalties and related settlement costs
- Liability assumed under contract and that involving subcontractors
Jose Lorenzo is the founder of Lorenzo Law Firm. For more information on cyber-liability policies, visit his website at www.lorenzolawfirm.com
[ii] Interline Brands, Inc. v. Chartis Specialty Insurance, Co.