SecureWorld Post: 4 Key Cyber Insurance Takeaways for Companies from Spec’s v. Hanover Lawsuit

In my latest post for SecureWorld, explain 4 key takeaways for businesses from the Spec’s v. Hanover lawsuit regarding cyber insurance. Check it out and let me know what you think:  4 Key Cyber Insurance Takeaways for Companies from Spec’s v. Hanover Lawsuit


Target Data Breach: What Has It Cost? What Has Insurance Covered?

Target, in a recent document filed with the Securities and Exchange Commission, provided updated information on the financial impact of its 2013 data breach:

  • It now estimates paying $264 million in breach-related costs, ranging from litigation claims to the expenses it experienced for fixing systems and sending out information at the time of the attack (previous estimate were $252 million)
  • About $90 million has been covered by ­Target’s insurers

Source: Target: SEC won’t penalize it over 2013 data breach –

Cyber Insurance: Social Engineering Not Covered Under “Computer Fraud” Insurance Provision

Losses stemming from social engineering scams like the business email compromise are not covered by “computer fraud” provisions of commercial crime insurance policies according to the Fifth Circuit Court of Appeals in Apache Corp. v. Great American Insurance Co. Continue reading “Cyber Insurance: Social Engineering Not Covered Under “Computer Fraud” Insurance Provision”

Why Lawyers Need to Understand Cyber Insurance for Their Clients

Texas Bar JournalCybersecurity, data breach, cyber attacks, and cyber insurance. Unless you live under a rock, you have heard of it. You better hope your lawyer has too!

Shawn Tuma argues that the minimum standard of care for lawyers practicing in 2015-16 requires a basic understanding of cyber insurance. He recently explained that argument, along with his co-author Katti Smith, a seasoned cyber insurance professional with AIG.

The Texas Bar Journal published their article, Risky Business: Why lawyers need to understand cyber insurance for their clients, in the December 2015 issue. In the article, they explain what cyber insurance is, what kinds of policies cover cyber liability, key first-party and third-party costs that should be covered by such a policy, as well as key items that are often not covered.

Go check it out and let them know what you think.


Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Cyber Insurance, You Need to Know if You Have It, and Your Lawyer Darn Sure Does!

Cyber law, cybersecurity, cyber attacks, and cyber insurance — unless you live under a rock, you’ve heard of it. And, you had better hope your lawyer has also.

I would argue that the minimum standard of care for lawyers practicing in 2015 requires a basic understanding of cyber insurance. In fact, I did make that argument, along with my co-author Katti Smith, a seasoned cyber insurance professional with AIG.

Our recent article, Practical Cyber Law: Why the Standard of Care Requires Lawyers to Have a Basic Understanding of Cyber Insurance, was published in Volume 3: Summer 2015 issue of Circuits, the official publication of the Computer and Technology Section of the State Bar of Texas. Go check it out and let us know what you think.

Cybersecurity Keynote Address at International Association of Insurance Professionals Event

I am really looking forward to delivering the Keynote Address at the International Association of Insurance Professionals IAIP DFW NAIW Week event on May 12, 2015. My address, which will follow 2 hours of CE/CLE education on Cyber Liability, is titled Cyber Risk Reality Check but, the more I think about it, perhaps it should be called Cybersecurity: Mission Impossible?

Here are the materials from the event:



This Is Why Your Business Needs Cyber Insurance Coverage

Unless your business is selling home-grown vegetables out of a truck on the side of the road, you need to seriously consider getting insurance that covers cyber risks. Why? Because most insurance companies will not willingly cover cyber-related losses under their conventional insurance policies.

Square Peg in a Round Hole_0565Trust me, I have fought this battle before! A recent case from the United States Court of Appeals for the Seventh Circuit is yet another example of this point.

The case involved an accountant who worked for an accounting firm that was hired by a pension fund to perform services for the fund. The accountant had a disk containing sensitive personally identifiable information of approximately 30,000 participants and beneficiaries of the fund. She had the disk in her laptop computer which was stolen from her car while the car was parked at her home.  Because of the data breach, the pension fund paid approximately $200,000 for credit monitoring for the victims of the breach, along with other expenses. The pension fund sued the accountant and she tendered the defense of the lawsuit to her insurance carrier under her homeowner’s insurance policy. The carrier denied coverage and brought a preemptive declaratory judgment lawsuit against the accountant and the pension fund seeking a declaration that it had no duty to defend or indemnify the accountant. The carrier then obtained summary judgment in its favor and the accountant and pension fund appealed. The Seventh Circuit agreed with the carrier and affirmed the decision of the lower court.

On January 11, 2013, the Seventh Circuit delivered its opinion in Nationwide Ins. Co. v. Central Laborers’ Pension Fund. There were two provisions in the homeowners’ policy that the Court relied on in coming to its decision:

      • the Policy does not cover “‘[p]roperty damage’ to property rented to, occupied or used by or in the care of the ‘insured’.”
      • the Policy does not cover “‘property damage’ arising out of or in connection with a ‘business’ conducted from an ‘insured location’ or engaged in by an ‘insured’, whether or not the ‘business’ is owned or operated by an ‘insured’ or employs an ‘insured’.”

The reality of the situation here is that neither the accounting firm nor the accountant had the proper insurance policy to provide coverage for a data breach. They should have had an insurance policy that was specifically designed to cover cyber risks such as this. Because they did not, however, they did what any other litigants would do and that is to look to the insurance policies they had available to them and trying to make they best argument they could to get the claim within insurance coverage. It did not work. They were trying to hammer a square peg into a round hole and we all know how that turns out. Do yourself a favor and check into cyber insurance so you do not find yourself and your company in this same situation.