Insurers Deny Coverage for Breach Notice Costs (and why companies should consider cyber insurance coverage and why brokers should offer it)
It was recently reported that an insurance carrier (Colorado Casualty Insurance Co.) denied coverage (and filed a lawsuit) for the $3.3 million in costs the University of Utah incurred to provide notice of a security breach involving the records of 1.7 million patients from the University’s hospitals. You can find a copy of Colorado Casualty's declaratory judgment action complaint here. The University also filed its own counter claim, cross-claim and third party claim. As discussed further below, the University's cross-claim is against Perpetual Storage (the service provider that allegedly lost the data) and its third party claim is against Perpetual Storage’s insurance broker (the broker that placed the insurance coverage with Colorado Casualty).
The parenthetical in the title of this blogpost may seem counter-intuitive perhaps, but it appears that this controversy and the pleadings that have been filed paint a picture of what can potentially go wrong when proper cyber or technology errors and omissions coverage is not in place. It will be interesting to see how this case shakes out (and I make no predictions on what will happen because I lack too much information to analyze the issue), but I guarantee that the players involved are probably wishing they purchased explicit cyber or technology errors and omissions coverage (again, it appears that they may not have, but I don’t have all the information to state that definitively). Instead, they will have to litigate with no guarantees of success (and large hurdles for the University). Ironically, the University may ultimately recover from insurance proceeds, but those proceeds may come from the insurer that provides errors and omissions coverage to Perpetual Storage's insurance broker.**
The following background allegations were taken from the original complaint and the University’s complaint.
It appears that Perpetual Storage contracted with the University to provide data storage services. In June 2008, back-up tapes containing personal information of 1.7 million patients were stolen from a Perpetual Storage employee’s car. 1.1 million of the records included social security numbers. This employee allegedly parked his car while working at a second job, and later in his driveway at home overnight. The tapes were allegedly taken in the middle of the night approximately 8 to 12 hours after they had been picked up.
In response to this incident, as of May 25, 2010 the University had incurred about $3.35 million in costs, broken down as follows: $2,483,057 related to credit monitoring expenses (one year for each impacted individual whose social security number had been exposed); $646,149 related to printing and mailing costs for notice to each of the 1.7 million impacted individuals; $81,389 related to phone bank costs (to field more than 11,000 phone calls); and an additional $144,158 in miscellaneous costs. In addition, the University allegedly expended 6,232 personnel hours responding to and mitigating the security breach (and it seeks compensation for that lost time as well).
Colorado Casualty appears to have issued two insurance policies to Perpetual Storage, one described as a “commercial package policy” and the other a “commercial liability umbrella policy.” None of the pleadings mention Perpetual Storage or the University having purchased cyber coverage (i.e. data security or privacy coverage) or errors and omissions coverage.
Procedurally, there is a fair amount going on with this case, including a motion to dismiss by Perpetual Storage. Most relevant, however, is the University’s activity. It filed an answer and several claims against various players. First, it filed against Colorado Casualty and attempts to assert that coverage is available. It also filed against Perpetual Storage directly for its acts and errors, including allegations that Perpetual breached its contract with the University. Finally, it filed a claim against Perpetual Storage’s insurance broker, United Insurance Services, alleging that United failed to procure the insurance coverage needed by Perpetual.
This case is interesting for many reasons, some of them outlined below.
Do not rely on a commercial general liability policy or traditional property policy to get coverage for security or privacy breaches.
From experience, unless an endorsement was purchased, it would be unusual for a general commercial liability policy to provide first party coverage for breach notice costs (mailings, call center, credit monitoring) or professional liability coverage (coverage for liability due to an act, error or omission of a professional service provider like Perpetual). In fact, there are several cases that have found that commercial general liability policies and property policies do not cover certain data security and privacy risks. Of course, there may be arguments in favor of coverage under certain general commercial policies or property policies, but it may not be clear cut and it may require expensive litigation to obtain that coverage. It is also possible that these policies had endorsements providing more than the traditional coverage (and ultimately the specific wording is what will matter; for purposes of this blogpost I am assuming that the language is fairly similar to traditional policies I have worked with).
The moral of this story is that there is insurance out there, provided by many carriers (and more and more are providing it), that is specifically intended to provide coverage for information security and privacy breaches and technology professional liability. This insurance is specifically designed to provide coverage for damages and defense costs arising out of a data security breach or an act, error or omission in the rendering of professional technology services (like data storage services). Moreover, coverage now exists for direct costs incurred by an insured to provide notice to individuals in the event of a security breach, as well as expenses to set up a call center and provide credit monitoring. Having purchased coverage for this specific purpose, companies can have a much higher level of certainty that the type of data breach described in this case will be covered.
Insure your own company directly.
The University in this case does not appear to have its own cyber insurance coverage (if they did, I am assuming they would have tendered their expenses to their own carrier and this controversy would most likely not exist). Instead, they are making the difficult argument that they should be the beneficiaries of insurance purchased by their service provider. All of this could have been avoided if the University had purchased a cyber policy directly insuring the University.
Most cyber insurance companies provide coverage for “breach notice costs,” including mailing costs, credit monitoring and call center expenses. In addition, most cyber policies provide coverage if the security breach happens to one of the insured’s service providers. That coverage would have addressed the vast majority of the expenses incurred by the University (most cyber policies, however, probably would not provide any coverage for the personnel hours expended internally to address the breach). The moral of this story is if you are an organization that handles a lot of personal information (or other sensitive information), regardless of how secure you think you are (and by now everybody knows that there is no such thing as perfect security; breaches are a matter of when and how bad at this point), you should seriously consider cyber insurance in your risk management mix.
It looks as if the University is exercising all its options to try to get reimbursed for the expenses it incurred to address this security breach – it even sued Perpetual Storage’s insurance broker. However, considering there is no direct contract between the University and that broker, it may be difficult to recover. Rather, Perpetual Storage is likely in a better position to sue its own broker for breach of contract and/or negligence.
Nonetheless, there is also a moral here for brokers. Here is the reality in 2010: most companies of all shapes, sizes and wealth profiles use information technology and handle sensitive information including personal information and credit card numbers. That means they face potential direct losses due to a data breach (the biggest risk being having to provide notice under breach notice laws and provide credit monitoring/call centers). It also means that most organizations face potential lawsuits and liability arising out of data security and privacy breaches (e.g. consumer lawsuits, employee lawsuits, lawsuits by banks if credit cards are lost, and regulatory actions).
As such, brokers should be aware of the data security and privacy risk their clients face, and understand where and how that risk might be covered. Where appropriate, brokers should approach the market to obtain cyber insurance for their customers. Unfortunately, cyber policies (due to their technological nature) are often very complex, and brokers dealing with general liability insurance may not have the training or expertise to understand where cyber insurance fits in and how it provides coverage. This problem needs to be overcome or we will see a lot more lawsuits against brokers after security breaches.
Last point to make: assuming the University does not have its own policy, I am wondering whether (or when) the University decides to name its own insurance broker as a defendant. I suppose it will depend on whether that broker raised the issue of cyber insurance, and whether the University turned it down or was unable to obtain coverage.
The bottom line is that practically every company in our modern economy has information security and privacy risk. There is no way to completely eliminate it (and it is not cost-effective in most cases to even try). That leaves residual risk that can either be internalized (like the University did) or transferred. Companies that want to transfer that risk would be well-served to get peace of mind and relative predictability by purchasing a cyber policy actually designed to address the risk. Relying on a general liability or property policy to provide the coverage is no longer a wise choice (if it ever was). Of course, this does not mean that cyber insurance is the proper decision for every company; cost is always a factor. Nonetheless, with dozens of carriers now offering the coverage on some level, competition is fierce both on price and coverage scope, so now is the right time to explore the market.
Final note: many of my observations and much of my analysis above are based on assumptions I am making concerning the nature of the policy and the facts of this case. Depending on what is in that policy, and what really happened in this matter, some of my predictions could be off or not applicable. If the policies are filed in court, we will revisit this matter and dig a little deeper.
**DISCLOSURE: I have several cyber insurance company clients and have assisted with drafting some of the top-selling forms in the marketplace; independent of those relationships, however, I am a huge proponent of risk transfer when it comes to security, privacy and technology risk, and believe that no data security and privacy risk management process is complete without considering cyber insurance.