Cyber Insurance, You Need to Know if You Have It, and Your Lawyer Darn Sure Does!

Cyber law, cybersecurity, cyber attacks, and cyber insurance — unless you live under a rock, you’ve heard of it. And, you had better hope your lawyer has also.

I would argue that the minimum standard of care for lawyers practicing in 2015 requires a basic understanding of cyber insurance. In fact, I did make that argument, along with my co-author Katti Smith, a seasoned cyber insurance professional with AIG.

Our recent article, Practical Cyber Law: Why the Standard of Care Requires Lawyers to Have a Basic Understanding of Cyber Insurance, was published in Volume 3: Summer 2015 issue of Circuits, the official publication of the Computer and Technology Section of the State Bar of Texas. Go check it out and let us know what you think.

Cybersecurity Keynote Address at International Association of Insurance Professionals Event

I am really looking forward to delivering the Keynote Address at the International Association of Insurance Professionals IAIP DFW NAIW Week event on May 12, 2015. My address, which will follow 2 hours of CE/CLE education on Cyber Liability, is titled Cyber Risk Reality Check but, the more I think about it, perhaps it should be called Cybersecurity: Mission Impossible?

Here are the materials from the event:



This Is Why Your Business Needs Cyber Insurance Coverage

Unless your business is selling home-grown vegetables out of a truck on the side of the road, you need to seriously consider getting insurance that covers cyber risks. Why? Because most insurance companies will not willingly cover cyber-related losses under their conventional insurance policies.

Square Peg in a Round Hole_0565Trust me, I have fought this battle before! A recent case from the United States Court of Appeals for the Seventh Circuit is yet another example of this point.

The case involved an accountant who worked for an accounting firm that was hired by a pension fund to perform services for the fund. The accountant had a disk containing sensitive personally identifiable information of approximately 30,000 participants and beneficiaries of the fund. She had the disk in her laptop computer which was stolen from her car while the car was parked at her home.  Because of the data breach, the pension fund paid approximately $200,000 for credit monitoring for the victims of the breach, along with other expenses. The pension fund sued the accountant and she tendered the defense of the lawsuit to her insurance carrier under her homeowner’s insurance policy. The carrier denied coverage and brought a preemptive declaratory judgment lawsuit against the accountant and the pension fund seeking a declaration that it had no duty to defend or indemnify the accountant. The carrier then obtained summary judgment in its favor and the accountant and pension fund appealed. The Seventh Circuit agreed with the carrier and affirmed the decision of the lower court.

On January 11, 2013, the Seventh Circuit delivered its opinion in Nationwide Ins. Co. v. Central Laborers’ Pension Fund. There were two provisions in the homeowners’ policy that the Court relied on in coming to its decision:

      • the Policy does not cover “‘[p]roperty damage’ to property rented to, occupied or used by or in the care of the ‘insured’.”
      • the Policy does not cover “‘property damage’ arising out of or in connection with a ‘business’ conducted from an ‘insured location’ or engaged in by an ‘insured’, whether or not the ‘business’ is owned or operated by an ‘insured’ or employs an ‘insured’.”

The reality of the situation here is that neither the accounting firm nor the accountant had the proper insurance policy to provide coverage for a data breach. They should have had an insurance policy that was specifically designed to cover cyber risks such as this. Because they did not, however, they did what any other litigants would do and that is to look to the insurance policies they had available to them and trying to make they best argument they could to get the claim within insurance coverage. It did not work. They were trying to hammer a square peg into a round hole and we all know how that turns out. Do yourself a favor and check into cyber insurance so you do not find yourself and your company in this same situation.