This article courtesy of guest blogger Alfonso Nardi, a student at Roger Williams University School of Law
Commercial General Liability policies (CGL) typically do not include data protection loss coverage, although some insurers offer additional data protection endorsements. Normally those additional endorsements only cover data losses caused by physical damage. That means, if your employee damages a server that stores client or patient data, that could trigger coverage. It would not, however, cover the same employee accidentally releasing client/ patient data, or loss from ransomware or other malware. In a recent case., the parties were in dispute whether the insurance company had a duty to defend the insured against class-action allegations that the insured posted patient data on the internet. In April, a federal appeals court in Virginia upheld a lower court ruling that a CGL policy may cover the underlying data breach. This opposes two State court cases in New York and Connecticut which held that CGL policies generally do not require a duty to defend in the instance of cyber-attacks.
Cyber insurance policies (CIP) don’t guarantee coverage for data breaches either. CIP underwriting requires risk management professionals to have a plan, method, and an understanding of what coverage is needed for the organization. Although it varies by company, most CIPs require this analysis be provided with an organizations own privacy policy in its application for insurance, and bind it with the coverage. This was the case in Columbia Cas. Co. v. Cottage Health Sys., where Columbia issued its’ CIP to Cottage Health Systems. After a breach resulted in the loss of 32,500 patients’ information by Cottage Health, Columbia denied coverage when it found that the insured misrepresented its information privacy practices and security in 10 instances on its application.
The message should be clear: don’t rely on insurance for data breach protection. It is important that an entity has a privacy policy and security measures in place and in-force.