CYBER & PRIVACY LIABILITY INSURANCE GUIDE
Author: Gamelah Palagonia, Founder, CIPM, CIPT, CIPP/US, CIPP/G, ARM, RPLU+
New York Privacy Professionals LLC 5 Hanover Square, 22nd Floor New York, NY 10004
California Privacy Professionals Insurance Services LLC 1460B O’Brien Drive Menlo Park, CA 94025 License No. 0178970
www.privacyprofessionals.com
contact@privacyprofessionals.com
Table of contents
What are the most important factors to consider before purchasing Cyber & Privacy Liability Insurance?
What is the current state of the Cyber & Privacy Liability Insurance Marketplace?
Why do businesses need Cyber & Privacy Liability Insurance?
What does Cyber & Privacy Liability Insurance Cover?
Why should an organization’s incident response plan be synced to the insurance policy?
Why is the application process so important?
Policy Terms, Conditions & Exclusions
About Us
Privacy Professionals LLC and Privacy Professionals Insurance Services LLC (PRIPRO®) is a risk advisory firm that specializes in Cyber & Privacy Risk management and insurance solutions. PRIPRO® was launched in response to the growing demand for businesses to be better protected in reducing and coping with cyber and privacy liability and data breaches. All the members of the PRIPRO® team are Certified Information Privacy Professionals (CIPP) and Cyber & Privacy Liability Insurance experts. PRIPRO® achieved nominations in Advisen’s 2014 Cyber Risk Awards in two categories:
Best Cyber Risk Innovation of the Year
Best Cyber Risk Team
This document includes confidential and proprietary information of and regarding Privacy Professionals LLC and Privacy Professionals Insurance Services LLC (PRIPRO®). You may not use this document except for informational purposes, and you may not reproduce this document in whole or in part, without the prior written consent of PRIPRO®.
Copyright © 2013 Privacy Professionals LLC/Privacy Professionals Insurance Services LLC (PRIPRO®). All Rights Reserved.
What are the most important factors to consider before purchasing Cyber & Privacy Liability Insurance?
The most important factors to consider when purchasing Cyber & Privacy Liability Insurance are the expertise and sophistication of the insurance broker and the insurer. Selecting an insurance brokerage with professional liability expertise, cyber and privacy risk competence and risk management service offerings is crucial. Equally important is selecting an insurer with experience managing claims involving data breaches, digital disasters, network security compromises, regulatory actions and third-party privacy liability claims. The Cyber & Privacy Liability claims management process needs to begin before a data breach or security incident occurs, which requires a “partnership” with the insurance broker and insurer. In the wake of a data breach, a business must be able to quickly determine the nature and scope of the incident, take immediate steps to contain it, ensure that forensic evidence is not accidentally destroyed, and notify regulators, law enforcement officials, affected individuals and the impacted users of the compromised data. The essential element of effective incident response planning is building the right team. Developing the necessary relationships with expert third-party partners, including the insurance broker and insurer, before an incident occurs is critical to rapidly containing data breaches and security incidents.
What is the current state of the Cyber & Privacy Liability Insurance Marketplace?
The Cyber & Privacy Liability insurance market has evolved over the past decade, but it is still a relatively new market. The current marketplace includes products that range from stand-alone Cyber Liability policy forms to products that can incorporate other third-party liability coverage parts, such as Technology Errors & Omissions, Medical Malpractice, Managed Care Liability, Professional Liability, Media Liability and Management Liability forms. The marketplace continues to expand in an effort to keep pace with advancing privacy and data security threats, cybercrime and the ever-changing regulatory environment.
“Cyber & Privacy Liability Insurance assists in funding potential breach response expenses, defense costs for regulatory actions and other liabilities that arise in the wake of a data breach or security incident.”
Why do businesses need Cyber & Privacy Liability Insurance?
Data breaches can be costly, disastrous events on par with natural disasters, fires, physical security compromises and terrorist attacks, and they can strike without notice. Developing Disaster Recovery Plans (DRP) or Business Continuity Plans (BCP) without anticipating exposure to data privacy and security related risks puts the organization’s assets and its reputation at risk.
Considering the financial impact and the swift yet orchestrated response required in managing data breaches and cyber-related incidents, an integrated incident response plan must be included in disaster recovery and business continuity planning processes. It should be an integral part of the organization’s overall Enterprise Risk Management (ERM) program. Data breaches are traumatic events that can paralyze the entire organization, damage relationships with vendors and partners and severely diminish consumer trust. Brand damage, response costs and other financial losses associated with data breaches, depending on the size of the organization, can be significant and may take years to recover from. The organizational trauma can be compounded by the lack of a unified data breach incident response plan and the necessary funding.
What does Cyber & Privacy Liability Insurance Cover?
Cyber & Privacy Liability Insurance policies include Third-Party and First-Party Coverage Parts. This chart represents the major insuring agreements under each coverage part.

Third-Party Coverage
Network Security Liability: Affords legal defense costs and indemnity for third-party claims alleging failure to protect against transmission of malicious code, denial of service attacks and unauthorized access and/or use of computer systems.
Regulatory Actions: Affords legal defense costs for regulatory actions brought by federal regulators (such as the FTC, or under laws such as HIPAA/HITECH and COPPA) or by State Attorneys General (SAG).
Privacy Liability: Affords legal defense costs and indemnity for third-party claims alleging negligent use or disclosure of non-public personally identifiable information, including Protected Health Information, Employee Personally Identifiable Information and Third-Party Corporate Confidential Information.
Internet Media Liability: Affords legal defense costs and indemnity for third-party claims alleging wrongful acts in the dissemination of internet content and media.

First-Party Coverage
Data Breach Fund/Costs: Data Breach Legal Advisor; Forensics Investigation Expenses; Notification and Call Center Services; Public Relations/Crisis Communications Costs; Credit Monitoring/Credit-Fraud Remediation Services.
Regulatory Fines & Penalties: Covers monetary fines or penalties resulting from the failure to comply with state or federal laws.
PCI DSS Violation Coverage: Covers monetary fines or penalties resulting from the failure to comply with PCI DSS requirements.
Digital Asset Loss: Indemnification for costs to recreate, rebuild or recollect digital information assets that were directly damaged as a result of a network security breach on the policyholder’s systems.
Business Interruption: Indemnification for loss of income and extra expenses incurred that arise directly out of a network security breach on the insured’s systems.
Network Extortion: Covers extortion monies and associated expenses arising out of a criminal threat to release sensitive information or bring down a network unless such consideration is paid.
Why should an organization’s incident response plan be synced to the insurance policy?
Many insurers have pre-arranged incident response services offered as a data breach team, a group of pre-approved vendors that must be used in the event of a breach. Other insurers offer their policyholders a choice of vendors, subject to the insurer’s prior written consent. Failure to properly provide notice of a claim to the insurer and obtain its prior written consent before engaging response vendors can lead to uninsured claims and compromise coverage. The solution is to sync the incident response plan with the insurance program and obtain the insurer’s prior written consent as part of the application process, before coverage is purchased. In practice, the plan’s call tree should name the insurer’s notice requirements and its approved vendor list, so that the first calls go to the insurer and its legal advisor before anyone retains a forensics firm or other responder.
Teamwork
A seamless incident response plan incorporates all stakeholders, internal and external, including the insurance broker, the insurer and its service providers. The Data Breach or Incident Response Team includes pre-arranged incident response service providers such as:
Data Breach Legal Advisor: Provides immediate legal triage and direction, typically offered with no retention or deductible.
Forensic Investigator: Determines the nature and scope of the incident, takes immediate steps to contain it and ensures that forensic evidence is not accidentally destroyed.
Public Relations and/or Crisis Management Services: Assists with brand damage containment, media communications and press releases.
Notification and Call Center Vendors: Provide notice to affected individuals and handle customer service calls from impacted users of the compromised data.
Credit Monitoring or Credit-Fraud Remediation Services: Provide impacted individuals with credit monitoring or credit remediation services.
Why is the application process so important?
The application for insurance includes many questions relating to organizational compliance, internal procedures, hiring processes, employee privacy training and awareness programs, physical security, IT security protocols, claims history and many other items. The reasons for including privacy and finance leadership are obvious; however, the involvement of all stakeholders, including Information Technology, Human Resources, Audit, Compliance and Marketing, is also necessary.
The application becomes part of the insurance contract and in most cases is considered a warranty, a guarantee that the statements made by the organization on the application are true and correct. The application serves as the underwriter’s “risk assessment”, since the insurer accepts risk based on the representations made by the applicant in exchange for a premium. If the application does not reflect the actual risk, or the insured’s representations were not correct, insurers have the right to deny coverage, rescind the policy or charge additional premium. For example, certain policies may contain the following type of exclusion:
“Any Security Breach resulting from the knowing and intentional failure of the Insured to maintain Security Systems equal or superior to those disclosed in the Application for insurance, or the failure of the Insured to use best efforts to install or implement commercially available updates to such Security Systems.”
This exclusion could preclude coverage for a claim stemming from a single patch or update that was released after the application was completed and not installed before the breach. “Knowing and intentional failure” is subjective, and it is widely known that most businesses do not immediately install commercially available updates to their systems. While this type of exclusionary language is becoming obsolete among the major writers of Cyber & Privacy Liability insurance, many policy forms contain similar variations. The practical consequence is that the security controls described on the application should be treated as commitments: document them, and route any change that weakens or removes a disclosed control (a deferred patch cycle, a retired monitoring tool) to whoever manages the policy, so the representations can be corrected before a claim rather than contested after one.
“An experienced insurance broker should be capable of running table-top breach simulations and data breach drills to illustrate how the insurance policy would respond to breach response costs, notification laws, regulatory actions and other liabilities.”
Policy Terms, Conditions & Exclusions
There is no “one-size-fits-all” Cyber & Privacy Liability insurance product. A Cyber & Privacy Liability Insurance program should be tailored to the size of the organization, its industry sector and its particular compliance requirements. There is presently no industry standard; each Cyber & Privacy Liability insurer has its own proprietary policy form. The policy terms, conditions and exclusions can differ drastically among insurers. That is another reason why the expertise of the insurance broker is so important. An experienced insurance broker should be capable of comparing each insurer’s proposal, policy terms, conditions and exclusions to determine which option is best for the client’s specific exposures and its data security and privacy compliance requirements.
Take Away
Businesses can no longer take a reactive approach to cyber and privacy risk management. In light of escalating cybercrime, privacy threats and evolving legislation, businesses of all sizes should prepare for data breaches in advance and have an executable incident response plan in place. Buyers need to be aware of the potential pitfalls of buying insurance “shelf products” at the lowest premiums, as doing so may lead to major unanticipated expenses, delays and problems when claims are made and breaches occur. Cyber & Privacy Liability insurance is a specialty product that requires expertise, so it is very important to select an insurance broker and insurer that concentrate on cyber and privacy risks and offer dynamic claims management and risk management services.