While a recent Virginia federal appeals court ruling confirmed a Travelers general liability policy (CGL) must cover a data breach on Portal Healthcare Solutions after they were sued over a data breach, experts are warning insurance buyers not to rely on CGL policies when it comes to cyber-attacks and data breaches. In an insurance journal article this week, Andrew Simpson cautions insurance buyers to not “mistake [the ruling] to mean that they do not need a cyber policy if they have a CHL policy and [that] insurers might want to think twice before narrowing their general liability language to guard against cyber claims when the marketplace is clamoring for broader coverage.” The court ruling confirmed that Travelers was obligated to pay damages because due to the breach causing advertising or website injury resulting from an “electronic publication of material that … gives unreasonable publicity to a person’s private life or … discloses information about a person’s private life.” However, some CGL policies might have a specific exclusion for this type of injury, making cyber insurance not a luxury, but a necessity. Additionally, the court decision stated that only defense costs would be covered, not all the other consequences following a data breach – loss in revenue, customer reputation, theft, etc.
Christopher Keegan, cyber and technology risk practice leader with Beecher Carlson cautions that in instances of breaches and cyber-attacks, you do not want pushback from underwriters who had no intention of covering what the insured claims. Keegan questions, “Do you really want that situation? Or in the midst of a breach wouldn’t you rather have an insurer that’s going to be saying, ‘Hey, we’re standing behind you. We’re going to provide some of the services that are provided under the cyber policy,’ and have the underwriters be on your side rather than litigating those issues?” As cyber coverage becomes a normality, which trends are certainly showing, buyers also need to be knowledgeable of the specifics in their policy as many policies have an abundance of exclusions and can be very confusing. Insureds often assume coverage includes all first-party costs of an incident – investigation, notification, credit monitoring, etc. but instead, it may only cover third party claims or lawsuits. Richard Caplin of law firm LeClairRyan warns, “If your cyber coverage only kicks in when a third party makes a claim, then practically speaking you may not have any coverage at all. For now, perhaps the most important thing to do is make sure you do not fall into the category of someone who thinks they are covered when they are not.”