Hardly a week goes by that the national media does not report on another Internet data security breach, denial-of-service attack or other cyber loss affecting Fortune 500 clients and their thousands (or hundreds of thousands) of customers. The costs of simply investigating and responding to these losses -- not to mention the resulting lawsuits and regulatory fines -- can be staggering. For instance, the Ponemon Institute estimates that response costs can be as high as $200 per compromised record. It is not difficult to understand how total costs for a wide breach can quickly escalate well into the millions of dollars.
Enter the insurance industry. Historically, in the face of a third-party claim, one would turn to general liability or other policies. Yet coverage under general liability policies is typically limited to "property damage," which may include physical damage to servers, for example, but probably not loss of the data itself. And while crime, fidelity or errors and omissions policies may provide some coverage, again they would typically exclude the lion's share of the expense of a cyber loss. The response has been a line of policies -- known as cyber liability (or data/privacy liability) policies -- specifically tailored to cyber risks.
It is certainly true that large data breaches or denial-of-service attacks at large corporations -- as well as losses of laptops and other mobile devices -- get the most media coverage. But smaller companies can and do face such losses and thus can benefit from mitigating their risk through cyber liability insurance. And in some ways, cyber liability insurance is even more appropriate for smaller businesses. Large companies typically have the foresight and ability to manage cyber risk up front and the sophistication to deal with losses when they arise. For smaller businesses, this is not always so, but the playing field can be leveled to some degree through insurance.
Cyber policies do not simply indemnify a business for the damages it must pay its customers. A good cyber policy does much more. For instance, one of the first tasks facing a victim of a cyber loss is investigating the cause, often with the use of IT forensic examiners. Then, the company has to comply with mandated notices that must be sent to potentially affected customers. And of course once word is out about the loss, the victim must manage the negative media attention. Cyber insurance can defray expenses at each of these stages. For instance, cyber insurance can even pay the costs of hiring a public relations firm to mitigate negative publicity following a breach. Such insurance can also pay to retain law firms to determine an insured's rights to indemnification under independent contractor agreements. Cyber insurance can also pay to monitor affected customers to ensure that they themselves do not become victims of identity theft. Cyber insurance can likewise cover the costs of paying regulatory fines and penalties. Given that there is no uniform regulation of data privacy protection worldwide, simply negotiating the fine with the myriad jurisdictions involved in a wide breach can be herculean. One should thus not lose sight of these "non-indemnity" benefits of a cyber policy.
While a large company may be able to absorb these expenses, typically a smaller company cannot.
Smaller companies are also less likely to have robust social media procedures and policies in effect for employees. Businesses are more and more often sued for defamation, unfair competition, breach of privacy and related claims arising from employee postings on social media of all types. Again, cyber liability policies can be tailored to respond to this type of liability.
Similarly, small businesses may be less capable of weathering a shutdown of their business following a denial-of-service attack or even a simple data breach. And while larger companies may have such a breadth of business that they can weather (or effectively self-insure) shutting down one aspect of that business, a smaller business may be significantly more dependent on any given line of business such that interrupting that line would effectively be a death blow. While a standard general liability policy covers only business interruptions that result in physical damage, a cyber liability policy may well include business interruption following a data-only loss.
Finally, some insurers will go so far as to counsel a company client on avoiding cyber liability in the first instance. This benefits both the policyholder and the insurer and can prove to be the most valuable aspect of the insurer-policyholder relationship.
Thus, a good cyber liability insurer will partner with a small business in a holistic, "cradle to grave" management of liability, from counseling to claim response, to mitigation of business interruption to monitoring for breaches and payment of ultimate liability. For businesses without a sophisticated risk management department, this can prove to be invaluable.
Cyber and related liability policies are not a substitute for sound, proactive management of cyber liability risk. Small businesses must continue to develop and implement data protection protocols and must continue to educate employees on the risks associated with social media. But when those protections and education fail (as they will from time to time), having the backstop of an integrated cyber liability policy may mean the difference between a headache and a death blow to the company.
Mark C. Goodman and Ethan A. Miller are attorneys at the law firm Hogan Lovells. The information in this column does not constitute legal advice.