Unless your business is selling home-grown vegetables out of a truck on the side of the road, you need to seriously consider getting insurance that covers cyber risks. Why? Because most insurance companies will not willingly cover cyber-related losses under their conventional insurance policies.
Trust me, I have fought this battle before! A recent case from the United States Court of Appeals for the Seventh Circuit is yet another example of this point.
The case involved an accountant who worked for an accounting firm that was hired by a pension fund to perform services for the fund. The accountant had a disk containing sensitive personally identifiable information of approximately 30,000 participants and beneficiaries of the fund. She had the disk in her laptop computer which was stolen from her car while the car was parked at her home. Because of the data breach, the pension fund paid approximately $200,000 for credit monitoring for the victims of the breach, along with other expenses. The pension fund sued the accountant and she tendered the defense of the lawsuit to her insurance carrier under her homeowner’s insurance policy. The carrier denied coverage and brought a preemptive declaratory judgment lawsuit against the accountant and the pension fund seeking a declaration that it had no duty to defend or indemnify the accountant. The carrier then obtained summary judgment in its favor and the accountant and pension fund appealed. The Seventh Circuit agreed with the carrier and affirmed the decision of the lower court.
On January 11, 2013, the Seventh Circuit delivered its opinion in Nationwide Ins. Co. v. Central Laborers’ Pension Fund. There were two provisions in the homeowners’ policy that the Court relied on in coming to its decision:
- the Policy does not cover “‘[p]roperty damage’ to property rented to, occupied or used by or in the care of the ‘insured’.”
- the Policy does not cover “‘property damage’ arising out of or in connection with a ‘business’ conducted from an ‘insured location’ or engaged in by an ‘insured’, whether or not the ‘business’ is owned or operated by an ‘insured’ or employs an ‘insured’.”
The reality of the situation here is that neither the accounting firm nor the accountant had the proper insurance policy to provide coverage for a data breach. They should have had an insurance policy that was specifically designed to cover cyber risks such as this. Because they did not, however, they did what any other litigants would do and that is to look to the insurance policies they had available to them and trying to make they best argument they could to get the claim within insurance coverage. It did not work. They were trying to hammer a square peg into a round hole and we all know how that turns out. Do yourself a favor and check into cyber insurance so you do not find yourself and your company in this same situation.
I can see this being a HUGE issue for “legacy” companies lie the one I used to work for, with a shifting from mainframe computer processing to distributed PC networks. Then again, there were a number of times I hand-delivered computer tapes FILLED with personal information including SSNs and birthdates, and I know VERY well the company was way out on a limb letting me do so. The fact that a low-level employee (like me) realised the insurance and cyber-security issues, and multiple levels of my management didn’t, just made the situation that much scarier!