Many data privacy and security conversations these days inevitably lead to discussions about cyberliability insurance policies.  What kind? How much? Is what we have enough?  Being relatively new, many cyberliability policies remain highly negotiable, although increased standardization of terms is occurring; however, coverage determinations by Courts are few, leaving clients in a somewhat precarious or uncertain position.  Until Courts are presented with opportunities to provide additional coverage guidance, clients are left to their own devices to negotiate the terms and conditions of their cyberliability coverages.  The prevalence of security incidents is bound to increase, so the necessity of insuring against data breach risk will remain an important risk management tool.  Here are a few items to watch out for when procuring cyberliability coverage.

  1. Amount of Coverage

Quite literally, the million dollar threshold question needing answering is: how much coverage do I need?  While there are many types of data breaches, breaches of protected health information are the most costly.  According to a 2016, IBM-sponsored study conducted by the Ponemon Institute, the average cost of a data breach for health care organizations was $355 per record.  This number can be used as a starting point in determining the amounts and types of coverage a company may need to protect themselves from a data breach.

  1. Inception Dates—Retroactivity

For first time purchasers of cyberliability coverage, retroactive dates are crucial.  Oftentimes the retroactive date is set as the date the policy is procured, or the inception date.  This could create a problem because any claims arising out of events that occurred prior to the inception date would not be covered under the policy.   While this start-date dilemma will “right size” itself as the company continues to renew coverage, it remains a crucial issue when first procuring cyberliablity coverage.

  1. Unauthorized Access

Many cyberliability policies extend coverage to liabilities resulting from unauthorized access to the insured’s computer system.  However, insurers will sometimes deny coverage on the ground that certain “unauthorized access” was negligently or fraudulently caused by the insured’s employees.  The definition of “unauthorized access” in the policy—which only some policies expressly define—becomes important.   Insureds would be well-served to negotiate the exact definition and/or meaning of “unauthorized access” so as to avoid or prevent a quick denial of coverage by the insurer.  In South Dakota, as in many other states, ambiguities in insurance contracts are construed in favor of the insured; however, clients should not rely on such presumptions or favorable constructions.  Thus, the scope of “unauthorized access” should be negotiated and appropriated defined in the policy.

  1. Acts and Omissions Exclusions

Some cyberliability policies exclude coverage for liabilities resulting from an insured’s failure to follow certain minimum security practices or otherwise fail to comply with an insured’s own security policies. These rather vague or ambiguous exclusionary provisions leave the insured subject to a subjective denial of coverage by the insurer.  Differing interpretations on these exclusions can quickly result in coverage disputes, which will require additional time and costs on the part of the insured.  Again, negotiation on this point remains crucial.