The answer to this question may depend on the actions the insured takes when it applies for coverage and during the period the policy is in force. The demand for cyberinsurance intended to cover exposures from data breaches, among other things, has exploded in recent years, reports The Hill, due in large part to the many widely reported breaches affecting large, well-known companies. Now that more claims are coming in, carriers are scrutinizing more closely the representations policyholders made when they applied for coverage, as well as their conduct during the policy period. Carriers treat these representations, and the security practices they anticipate will be followed, as critical to the underwriting process and as conditions on which the coverage is based. In short, inaccurate representations, or a failure to carry out the data security practices promised in the application, could leave a policyholder without coverage.

Business Insurance reported last week that a cyber insurance carrier is asking a California court whether it has to pay out on a $4.1 million data breach settlement under a policy issued to one of its policyholders. The carrier's reasoning: an exclusion in the policy states that the carrier does not have to pay if the insured failed to meet the "minimum required practices" that the insured claimed it would follow when it completed its insurance application.

According to Business Insurance, the breach allegedly occurred when the insured (or one of its third-party vendors) had "stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect" the data. The class action lawsuit against the insured that followed the incident settled for $4.1 million, which the insured likely believed would be covered in whole or in part under the policy. However, the carrier claims the insured failed to take the measures it promised in its insurance application. Among other things, the carrier alleges that the insured did not implement data security controls, did not check for and maintain security patches, did not regularly assess its risks, and did not have systems in place to identify and address security incidents.

This certainly is not the first case involving a carrier's challenge to what it has to pay under a data breach policy, and it will not be the last. But for companies that have purchased a policy, it is an important reminder that insurance policies are essentially contracts: if the company seeking coverage does not meet its end of the bargain (beyond just paying the premiums), the insurer may not have to meet its obligations, leaving the policyholder with an unexpected exposure.

Companies that purchase data breach coverage often have to complete lengthy applications and questionnaires that delve into their data security practices and procedures. These applications and questionnaires need to be answered carefully because, as the case above shows, a carrier can use them to deny coverage, which is not an uncommon practice regardless of the type of coverage at issue. Additionally, these applications and questionnaires often reflect not only a snapshot of a company's data security risk and practices at the time of application, but also the policies and procedures that carriers expect will remain in place as a condition of the coverage.

So the message is clear: companies that purchase data breach insurance and expect to benefit under the policy should a breach occur need to carefully review and abide by the conditions for coverage under the policy. In particular, the applications and questionnaires completed as part of the underwriting process should be reviewed by the various departments throughout the company that own the relevant controls (for example, IT, security, legal, human resources and compliance), so that the responses accurately reflect the data security practices actually in place at the time of underwriting. Additionally, steps need to be taken to ensure that those practices continue to be implemented during the policy period, since a control that is represented as in place but later lapses is precisely the kind of gap a carrier may point to. The underlying message is that insurance cannot be the only thing that addresses an organization's information risk. And, of course, this is important from a compliance perspective as well, since many of the data security practices referenced in these questionnaires and applications are practices required to one degree or another by various federal or state laws.


Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coaching hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds (PHI, PII, payment card, etc.).
  • Helping organizations address questions about the application, implementation, and overall compliance with the European Union's General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients on the use of biometrics, including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical "best practice" risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning the FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a "bring your own device" (BYOD) or "company owned personally enabled device" (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees.
  • Supporting organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies, including the HHS Office for Civil Rights, the Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • Advising employers and plan sponsors, as part of the Firm's Health Care Reform Team, regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, the IRC, ACA/PPACA, HIPAA, COBRA, the ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counseling plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assisting in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advising plan sponsors concerning employee benefit plan operation, administration and the correction of errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics, and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender's Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.