by Mark Rasch,
Managing Principal, Cybersecurity
You get a call at 2AM from your sysadmin with the four worst words you can hear from a sysadmin. “Oh, by the way…” You have had a breach. A big one. You assemble your internal team. You put into place your data breach, forensics and investigation plan.
Because you had planned ahead for this eventuality, and had a Rapid Response Retainer program from Verizon, you call in their team of investigators, researchers and analysts. You bring in your legal team (in-house and outside counsel). You coordinate your activities with relevant law enforcement agencies. You bring in your HR and crisis communications team. You prepare press releases for your CIO or CISO or CEO or whomever, depending on the scope and scale of the breach. You retain and bring in a data breach notification team to send out the tens of thousands of data breach notification letters or emails. You retain a company to provide credit freezes or credit monitoring for affected customers. You obtain documents and records from the relevant ISPs to track down the bad guys. You monitor the dark web to see whether any purloined information shows up on the black market. You prepare for potential class action lawsuits by shareholders, customers, business partners, credit card issuers, or third-party merchants. You prepare for litigation with the FTC or state consumer protection regulators. You prepare your international response; all the things that you prepared for when you retained Verizon’s rapid response team – except one.
One of the things you did (and it is looking pretty smart right now) was to purchase cyber insurance. Not general cyber insurance, mind you. But data breach insurance. Exactly what you need. You’ve been paying premiums for a couple of years, and now that investment has paid off. Maybe. Data breach and cyber insurance policies are frequently written in a way that creates ambiguities about which breach costs are covered and which are not. Exclusions for things like criminal activities of insiders may be used to limit coverage when the breach occurs as a result of an employee’s conduct with respect to phishing, and “first party” coverage may limit payments to your customers only, and not to their banks, credit card companies, card brands, or other merchants who are impacted by stolen credit cards. If medical records are breached, you may have a conflict between your breach insurance policy and your publicity policy (that’s your general liability policy that covers breach of privacy or publicity), especially if they are issued by different carriers. But none of these policies provide any coverage if you don’t notify your insurer.
Insurance policies typically impose at least two duties on the insured as a condition of coverage: a duty to promptly notify the insurer of the claim and a duty to cooperate with the insurer with respect to the claim. Policies typically require that the insurer “promptly be notified, in writing, of any casualty loss, third-party liability claim, or occurrence that could give rise to a liability claim.” Seems simple, no? No. What does “in writing” mean? Mail? E-mail? Text message? Does prompt oral notification suffice for notice? And what is an “occurrence that could give rise to a liability claim”? A breach? A potential breach? An investigation of a potential breach? Oh, and of course, what is “promptly”? It’s so much better to get these terms worked out (at least informally) before a claim than litigated afterwards. All of the costs you incurred before notifying the insurer may end up being for naught if you don’t notify.
The duty to cooperate extends the duty to notify and generally would require the insured to keep the insurance company apprised of all material facts concerning the loss or underlying claim, and to respond fairly to all reasonable insurer requests for information and documentation. Many data breach insurers may insist that you use their data breach investigators, or their counsel, or their forensics teams, or at least teams that have been approved by them as a condition of coverage. If you want to continue to use the team that you know and trust, the one that you have retained in advance, the one with knowledge and awareness of your policies and procedures, networks and devices, then tell your breach insurers that you intend to use your own team and that you have a Rapid Response Retainer service, and get them to buy in. In fact, since such a retainer service can help limit the cost and impact of a breach, your breach insurer is not only likely to let you use your own team, but may reduce your premiums or increase your coverage for having the foresight to have planned for potential breaches. It’s worth a conversation. ‘Cause everyone loves talking about insurance, amirite?