February 6, 2023

Volume XIII, Number 37


February 03, 2023


SolarWinds and Cyber Liability Insurance – What Businesses Need to Know

The SolarWinds cyber-attack is on everyone’s mind this week, given that most experts believe this cyber-attack will have a broad impact across both the public and private sectors. For more details about the SolarWinds attack, please read this. The sheer breadth of this attack led me to reflect on the role of cyber-liability insurance for businesses and why it is critical to understand key policy terms, coverage, exclusions, retention amounts and deductibles.

The initial work begins for businesses when they are selecting the appropriate cyber-liability insurance coverage. It is critical to think about the type of business it is and the nature of the data it possesses. Does the business handle protected health information, social security numbers, sensitive personal information, or biometric data? If so, these are some of the highest risk types of data that need protection. It is important to align risk with policy coverage and limits.

While there is no “standard” cyber-liability insurance policy, most policies provide coverage for financial losses as a result of a data breach or other unauthorized access or disclosure of personal or protected health information. Data breaches are not the only way a business can be damaged in a cyber-attack, however. Some insurance companies offer additional endorsements or specific policy provisions and coverage for losses caused by various other means such as social engineering (i.e., a breach caused by phishing), specific coverage for credit card losses, and denial-of-service attacks, such as ransomware. As we have noted many times in this blog, ransomware is probably one of the biggest threats to businesses today. Will the policy pay ransomware costs?

It also is important to determine whether the policy covers costs associated with breach response, including forensic and legal costs. Cyber policies typically cover breach response costs for first-party losses, which are direct financial losses to your business, whereas third-party losses include those losses claimed by others, e.g., vendors, clients, or customers who claim injury as a result of the data breach. The bottom line is to always check with your broker and read the policy language carefully to determine what is covered. It is important to understand the exclusions in a policy as well.

Coverage and retention amounts also are important, as the cost of a data breach can be very high, depending upon how many people are affected, the type of data breached, the number of regulated entities to be notified, the amount of forensic and legal costs, and whether call center and credit-monitoring services are offered. Sometimes a $50,000 coverage amount for social engineering fraud simply will not be sufficient to cover all of these expenses.

If your business is hit with a cyber-attack, depending on the circumstances, it is important to understand the obligations in the policy as you notify your broker and the insurance company. Policies typically have notice provisions, even if you are still gathering all of the facts. Timing is important, so before retaining experts for remediation, you may need to notify the insurance company of the claim or potential claim. Many policies have a breach response team ready to assist you. If you want to retain your own legal counsel or other experts to assist in your response, you will likely need the insurance company’s approval. Once the breach response experts are in place, they will guide your business along all of the necessary steps with respect to remediation, breach notification to regulators and affected individuals, call center activation, and credit monitoring.

Copyright © 2023 Robinson & Cole LLP. All rights reserved.

National Law Review, Volume X, Number 352

About this Author

Our lawyers are knowledgeable about data collection technology, including the use of cookies. We also understand the value of collecting and using data for marketing and other strategic purposes.

We are well versed in data breach response, remediation, coordination, and litigation, including investigations by the U.S. Office of Civil Rights and state AGs.

We actively attend and speak at FTC, state AG, and industry-sponsored workshops and programs on data privacy and security developments, cases, trends, and agendas. We...

401.709.3353