Cybersecurity Insurance For All?

In the past year, it seems like the rate of cybersecurity incidents has been increasing. It is irrelevant whether these breaches are old or new; the issue is that they are occurring.
On October 16, 2017, Chubb Ltd. (“Chubb”) released the results of a survey it conducted on businesses cybersecurity preparedness. The survey found that “[m]ore than a quarter of senior risk and information technology managers say their firms have been hacked or suffered a cyber incident in the last year.” This is aside from the alarming finding that “[l]ess than half, 43 percent, said that everyone involved knew what to do and that they responded as planned.” Adding to the concern, “only 49 percent of firms said they communicated details of the incident to affected parties ‘quickly and efficiently.’” While it is possible that Chubb’s statistics only apply to European companies (as their results were discussed in the context of complying with the General Data Protection Regulation) they are still shocking. The United States might not be in the exact situation as Europe, but it faces difficult times ahead with “[o]nly 38 percent of organizations . . . believ[ing] they were prepared to meet the onslaught of sophisticated cybercrime.”
Law firms are not exempt from being the victims of cyber attacks. Law firms face daunting statistics, such as the fact that “the average cost for a privacy data breach is $217 per compromised record” and “47 percent of privacy breaches are the result of criminal activity” while only “25 percent employee error, and 28 percent system errors.” In 2015, “‘some of the country’s most prestigious law firms,’ including Cravath Swaine & Moore LLP and Weil Gotschal & Manges LLP,” were the subjects of network hacks. Aside from making sure there are adequate cybersecurity measures in place, up to date employee trainings, and cybersecurity plans, one possible solution to the rising breach rate is Cyber Insurance.
Cyber Insurance is “designed to assist before, during, and after an attack.” Cyber Insurance “generally falls into two categories: third-party, which often extends to fines and penalties arising from regulatory actions, and first-party, which addresses costs and expenses the insured incurs because of a security failure including notification, credit monitoring, investigation, forensics, and perhaps even lost income.” Interestingly, “only about 11 percent of responding lawyers indicated that their firm has cyber liability insurance.” Firms have several reasons for not pursuing Cyber Insurance including the fact that they believe the policy is not relevant to their business, they do not understand the risks involved in not having a policy, and they “lack of clarity about . . . pricing.”
Despite resistance to the industry, it is a growing area. Therefore, lawyers should at least be aware of case law in the area. Two cases of note in this area are Travelers Property Casualty Company of America v. Federal Recovery Services, Inc. and P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co. In Travelers Property Casualty Company of America v. Federal Recovery Services, Inc., the “court interpreted the cyber insurance commercial general liability . . . and errors and omissions liability policy as if it was any other non-cyber policy . . . [,] [thus making the policy] more predicable than some feared.” However this predictability was called into question in P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co. the court held that Federal Insurance Co. (a “unit” of Chubb) was not required to reimburse P.F. Chang’s despite the restaurants Cyber Insurance policy, because they payment was for the reimbursement of Bank of America, the restaurants credit card transaction processor, who did not sustain an injury to privacy. Therefore, when advising clients, lawyers should keep in mind how these types of cases are treated and who suffered a privacy injury.

Given that so few people appear to be well prepared for the cybersecurity threat, lawyers need to consider Cyber Insurance as an option for their clients and at least understand some relevant case law surrounding the industry.