2016: The Year of Cyber Insurance?
It has been said that there are two types of companies in the world – those that have been hacked, and those that do not yet know they have been hacked. While perhaps an overstatement, it seems that every day, another company (sometimes public, sometimes private) announces that it has been the victim of a data breach. And given the fast-changing nature of cyber threats, even the best information security practices are not foolproof. As a result, sound corporate management means thinking about not just how to prevent a cyber-attack, but how to respond in the event one does occur. Cyber insurance is one tool available to companies to manage and respond to that risk. The cyber insurance market is expanding, and rapidly. According to the Insurance Information Institute, there are now 60 different insurance carriers that offer stand-alone cyber insurance policies, and a leading insurance broker expects that the market, estimated to be worth over $2 billion in gross premium in 2014, could increase nearly fourfold by 2020.
Yet with growth has come uncertainty in the marketplace about the coverage itself – about what it does and does not cover, and about whether it is really necessary. Bottom line, any company without cyber insurance needs to start thinking about it; as it becomes more widely adopted, the marketplace, shareholders, regulators and other corporate stakeholders will begin to view it as necessary rather than optional.
What follows are key issues every company should think about when deciding whether cyber insurance is right for them.
Evaluate Your Risk
If your company maintains nonpublic data, you are at risk. Historically, the biggest target for cyber-intruders has been financial information such as credit card data and bank account numbers. Although that information still has value to cyber criminals, these days more sophisticated attacks have targeted other personal information, such as protected health information and other personal information that is not as easily replaceable, including social security numbers and tax identification numbers. 2014 has been called the “Year of the Data Breach,” but 2015 has been called the “Year the Data Breach Got Personal.” Indeed, according to the Identity Theft Resource Center, 2015 saw a large spike in the number of social security numbers exposed, along with a corresponding drop in the number of compromised debit and credit card numbers.
In addition to the type of data your company holds, the amount of data is crucial to assessing your risk. The amount of personal information a company holds can vary dramatically. Some companies maintain personal information on a large customer base, whereas others maintain such information only on employees. And companies that store large amounts of protected health information are in many ways at an even higher risk given the regulations that govern such data and the resulting scrutiny that often accompanies health care breaches. Taking stock of what is at stake is the first step in determining the scope and extent of the necessary coverages.
Review Your Existing Coverages
After determining your risk, you should evaluate the insurance you already have to see if you have any coverage for cyber events. Although your existing policies likely will not cover everything that a stand-alone cyber policy would, there may be some existing coverages you should take into account when selecting a cyber policy. For example, an existing directors & officers (D&O) policy, while not covering direct losses for cyber-attacks, may provide some measure of coverage to directors and officers against claims that they failed to take adequate steps to protect against a security breach. Similarly, some errors and omissions (E&O) policies have cyber modules that attach and may provide similar coverage to stand-alone cyber policies. Finally, most cyber losses do not fit neatly within the framework of a general liability policy, and even where they might, it is very common for general liability coverages to exclude cyber-related loss such as losses of data and information. Still, general liability coverages should be reviewed for possible elements of cyber coverage that may be available.
Work with a Broker with Real Cyber Expertise
In the insurance world, cyber coverage is a relatively recent invention. While products such as general liability, E&O and D&O coverage go back decades (or even centuries), cyber insurance only started to mature in earnest in the 2000s, and even then, was only used in any real sense over the past 10 years. As a result, there is little uniformity among the policies and rates can vary markedly. Thus, when shopping for a cyber policy, it is in your best interest to work with an insurance broker with real cyber experience, not just a broker who places a handful of such policies per year. Ask how many the broker has placed recently. Because so much is open to negotiation, working with an experienced broker will put you in the best position to get the most favorable policy language you can.
Use Outside Counsel to Evaluate Your Coverage Options
While an experienced broker is a necessary first step in obtaining good coverage, it often isn’t enough. Because cyber insurance is a relatively new product, the policy language is highly variable and not yet universally understood. Likewise, case law interpreting the policies is still immature, making careful review of the policy language even more important. For this reason it is wise to retain experienced counsel to review the policy in conjunction with your broker.
Not All Policies Are Created Equal
In general, a stand-alone cyber policy covers a variety of losses, from first-party expenses (meaning costs incurred by the insured, such as forensic investigation costs, the cost to repair or replace data and the cost to notify affected individuals, if required by law), to third-party loss (meaning defense costs and amounts paid to others, such as liability incurred in a lawsuit or penalties imposed by government agencies). Policies can and do vary within this framework, though. For example, many policies do not cover physical damage to computer hardware resulting from the breach. Others have broadly worded exclusions for acts of terror, which could operate to disclaim coverage for losses caused by state-sponsored hacking. And some policies have broad exclusions that deny coverage when certain data security practices are not in place.
Another key policy provision is the retroactive date provided for by the policy. A “retroactive date” is, in essence, an exclusion under the policy that disclaims coverage for claims or loss in connection with breaches that occur prior to the policy’s retroactive date. Yet, it is common for companies to not discover a cyber intrusion until long after it occurs. If the retroactive date is relatively recent in time (perhaps even the date of policy inception), there is a risk that you will be without coverage for earlier-occurring breaches. You will want to evaluate retroactive coverage options to make sure you are fully protected for undiscovered breaches occurring earlier in time.
These common exclusions reinforce the importance of working with experienced brokers and counsel to get the policy that is right for your company’s risk profile. Where exclusions cannot be negotiated out, experienced counsel can help manage expectations with senior management as to what a cyber policy will and will not cover in the event of a privacy or security incident.
Consider the Mechanisms of Filing a Claim
Although one hopes never to have to file a claim, it’s never too early to start thinking about ways to protect yourself if you do. Think about the claim retention or deductible level you’re comfortable with. Also think about whether you have preferred outside counsel you want to work with if a privacy or security incident occurs. In the event of a breach or lawsuit, many cyber carriers will require you to use their panel counsel, or offer to pay only a portion of the rates for the law firm you would prefer to use. These negotiations are especially fraught in the context of an active breach situation, when you will be at your most vulnerable and with the least leverage. You may have better luck negotiating for your counsel of choice in the first instance, before you are committed to a carrier.
A Final Note
With the increasing sophistication of cyber-attacks and the frequency with which they occur, it is no longer a badge of shame to fall victim. Many of your company’s counterparties, clients and customers have been victims themselves, and can be sympathetic to a report of a breach. But what your business partners will not take in stride is a poorly-managed response. Although cyber coverage by itself is not enough to ensure a pitch-perfect response, it can provide you with the financial resources that, when coupled with a thoughtful and diligent response plan, can go a long way towards mitigating exposure in the event of a breach.
State Summaries
California
Arbitration Clause That Authorizes Preliminary Injunctions in Court is Enforceable. In Baltazar v. Forever 21, Inc., S208345 (Cal. Mar. 28, 2016), the California Supreme Court upheld an arbitration clause in an employment contract that also permitted the parties to seek preliminary injunctive relief in court. The employee argued that such injunctive relief is more likely to be sought by the employer, making the provision intolerably one-sided, but the court held that this provision merely confirmed the parties’ existing statutory rights to seek such relief and thus was not substantively unconscionable. The court also rejected the employee’s argument that the arbitration clause was unconscionable because it listed only employee claims as examples of ones subject to arbitration, noting that the agreement expressly provided that arbitrable claims “include[d] but were not limited to” the listed examples.
Whether a Product’s Visual Layout Is Functional, Thus Defeating a Claim for Trade Dress Infringement, Is Intensely Factual. The Lanham Act protects “trade dress,” which is a product’s total image, but not its functional features. In Millennium Lab., Inc. v. Ameritox, Ltd., No. 13-56577 (9th Cir. Apr. 4, 2016), the plaintiff argued that the defendant copied its aesthetic design for displaying urine test results, while the defendant argued that its layout was functional. The Ninth Circuit emphasized that functionality is “generally viewed as an intensively factual issue” and held that summary judgment should not have been granted to the defendant. The court explained that (1) although a comparison of test results is functional, the precise format in which the results are presented “is not necessarily functional,” and (2) the format adopted by the plaintiff was designed to distinguish its product from its competitors.
Individual Held Jointly Liable for FTC Violation May Be Ordered to Pay Restitution Beyond Personal Gain. In FTC v. Commerce Planet, Inc., No. 12-57064 (9th Cir. Mar. 3, 2016), the Ninth Circuit addressed the amount of restitution that a corporate officer can be ordered to pay under the FTC Act, which prohibits unfair or deceptive business practices. The company had settled with the FTC but the individual officer was held liable for violating the Act; the district court ordered him to pay restitution of $18.2 million, which was the amount that the company had unjustly made. The defendant argued that a restitution award must be limited to the gain that the individual defendant personally received, but the panel held that an individual who is held jointly and severally liable for an FTC violation may be ordered to pay restitution for the entire benefit that was unjustly obtained.
Delaware
Demand Futility Assessed Based on Composition of New Board, Even Though Constituted After Shareholder Derivative Complaint was Filed. In Park Employees’ & Retirement Board Employees’ Annuity & Benefit Fund of Chicago v. Smith, 2016 Del. Ch. 82 (May 31, 2016), Vice Chancellor Glasscock considered a “twist” on the requirement of Rule 23.1 that a stockholder intending to file a shareholder derivative suit must either first make a demand upon the board or show that the demand is excused. The court noted that “whether demand is excused is typically analyzed with respect to the directors seated as of the date that the complaint was filed.” But the court found that because a new board was in place just four days after the Complaint was filed, the new directors had been disclosed and were uncontested in the board election, and the Complaint was not served until several weeks after the board change, it was proper to analyze demand futility based on the composition of the new board since that board “was in a position to actually assess the Plaintiff’s Complaint.”
Registration to Do Business Is Not Consent to General Jurisdiction. In Genuine Parts Co. v. Cepec, 2016 Del. LEXIS 247 (Del. Apr. 18, 2016), the Delaware Supreme Court, overruling a 1988 decision, held that an out-of-state company’s registration to do business in Delaware did not constitute consent by the company to general jurisdiction in Delaware courts. General jurisdiction means that a company can be sued in the state’s courts even over disputes that have nothing to do with the state. The court reasoned that interpreting Delaware law to infer consent to general jurisdiction from merely registering to do business “collides directly” with the United States Supreme Court’s decision in Daimler AG v. Bauman, which held that a company typically is subject to general jurisdiction only in its state of incorporation and principal place of business. For more information on this jurisdictional issue, see Daimler Turns Two: Personal Jurisdiction Over Out-Of-State Mass Tort Defendants In The Wake Of Daimler AG v. Bauman.
Inspection of Corporate Records Conditioned on Their Incorporation in Full into Any Future Derivative Action Complaint. In Amalgamated Bank v. Yahoo! Inc., No. 10774-VCL (Del. Ch. Ct. Feb. 2, 2016), the Chancery Court granted in part an investor’s Section 220 demand to inspect Yahoo’s corporate books and records, but imposed a condition under which the produced documents “will be deemed incorporated by reference in any derivative complaint that [the investor] may file relating to the subject matter of the demand.” The court held that such a condition would protect the legitimate interests of both the company and the courts by ensuring that any future complaint “will not be based on cherry-picked documents.” That is so because a court ruling on a motion to dismiss can consider any documents incorporated into the complaint, and hence the court will be able to consider all of the produced documents in their entirety, not just the documents (or parts of documents) quoted in the future complaint.
By Adam M. Chud
Massachusetts
Parties Cannot Contract for Broader Judicial Review of Arbitration Awards. In Katz, Nannis & Solomon, P.C. v. Levine, 473 Mass. 784, 46 N.E.3d 541 (Mar. 9, 2016), the parties’ arbitration agreement purported to allow judicial review “in the event of a material, gross and flagrant error” by the arbitrator. The SJC, however, held that the parties cannot modify the standard of review under the Massachusetts Uniform Arbitration Act for Commercial Disputes (MAA), which lets a court vacate an award only if it “was procured by corruption, fraud or other undue means” or “the arbitrators exceeded their powers.” In so ruling, the court relied both on the plain language of the MAA and the policy considerations weighing against expanded judicial review of arbitration awards.
Merger Clause in Counteroffer Avoids Battle of the Forms. In Liddell Brothers, Inc. v. Impact Recovery Sys., Inc., No. 15-13226-FDS (D. Mass. Mar. 21, 2016), the seller transmitted a price quote with a Texas forum-selection clause, and the buyer responded with a purchase order containing both a Massachusetts forum-selection clause and a merger clause providing that “any additional or different terms and conditions proposed by vendor are expressly rejected.” After litigation ensued, the court held that the Massachusetts forum-selection clause controlled. The court acknowledged that if this were a classic “battle of the forms” case, one might “knock-out” both conflicting clauses. But because the buyer’s purchase order had a merger clause, it could not be viewed as acceptance of the seller’s price quote, but rather constituted a counteroffer. The seller’s signing of the purchase order thus constituted acceptance of that counteroffer, including its Massachusetts forum-selection clause.
Independent Panel Denied in Derivative Suit Against Officer of Closely Held Corporation. In Kelleher v. Squires, No. 15-CV-03125-BLS2, 2016 WL 377037 (Mass. Super. Ct. Jan. 26, 2016), the half-owners of a closely held Massachusetts corporation filed a derivative suit, on behalf of the company, asserting claims for conversion and gross negligence against the other half-owner, who was also the corporation’s sole officer and director. The court denied the defendant’s motion to appoint an independent panel to decide whether to let the derivative suit proceed. The court held that appointing an independent panel would mean “taking away power to exercise business judgment that is normally reserved to the board of directors and shareholders and giving it to strangers.” Id. The court acknowledged that the defendant would not be able to participate in the shareholder vote on proceeding with the derivative suit because he was its target. But the court held that the defendant had not rebutted the presumption that the plaintiffs (the remaining shareholders) should be trusted to exercise their business judgment on behalf of the corporation and had made no prima facie case that the suit was against its best interests.
New York
Common Interest Doctrine Requires Actual or Anticipated Litigation. On June 9, 2016, the New York Court of Appeals held in Ambac Assur. Corp. v. Countrywide Home Loans, Inc. that the common interest doctrine – under which an attorney-client communication remains privileged if it is shared with a party holding a common legal interest – applies only if the communication related to actual or anticipated litigation. The court held that absent such litigation, there is no proven need for parties holding a common interest to share privileged communications and the risk of losing relevant evidence is too great. The court acknowledged that the Restatement and some federal courts have reached an opposite conclusion, but it decided to retain what it deemed the historical New York rule limiting the scope of the doctrine.
Court Decides Whether Arbitration Agreement Exists but Arbitrator Decides Whether Dispute Is Covered by Arbitration Clause. In Consolidated Precision Prods. Corp. v. General Elec. Co., 2016 U.S. Dist. LEXIS 62999 (S.D.N.Y. May 12, 2016), Judge Castel addressed the respective roles of a court and an arbitrator in deciding whether a dispute filed as a court lawsuit is subject to arbitration instead. GE moved to dismiss the case for lack of subject-matter jurisdiction based on the existence of an arbitration clause, but the court held that GE’s argument went to arbitrability rather than jurisdiction. The court then held that GE met the first requirement for compelling arbitration by showing that the parties had entered into an enforceable arbitration agreement, and the court then stayed the case to allow the arbitrator to determine whether the parties’ dispute fell within the scope of that agreement to arbitrate.
Non-Party Sued for Interference with Contract May Invoke Contractual Choice-of-Law Provision. In Bausch & Lomb Inc. v. Mimetogen Pharms, Inc., 2016 U.S. Dist. LEXIS 59941 (W.D.N.Y. May 5, 2016), Mimetogen sued third-party defendant Valeant, which had acquired Bausch & Lomb (“B&L”), alleging that Valeant tortiously interfered with Mimetogen’s contract with B&L. The court held that even though Valeant was not a party to the contract between B&L and Mimetogen, and thus normally could not enforce the terms of that contract, Valeant could invoke the choice-of-law provision in that contract because Mimetogen’s tortious-interference claim against Valeant arose from and relied upon the contract between B&L and Mimetogen. The court explained that choice-of-law and arbitration clauses are exceptions to the usual rule that only parties to a contract can enforce its provisions.
By Jordan D. Weiss
Editor Richard M. Wyner
Contributors
- Mark E. Tully, Partner
- Carl E. Metzger, Partner; Chair, Risk Management & Insurance
- Joseph P. Rockers, Partner
- Jeffrey A. Simes, Partner
- Jordan D. Weiss, Partner
- Michael S. Giannotto, Retired Partner
- William R. Hanlon, General Counsel
- Richard L. Matheny III, Partner
- Richard M. Wyner, Of Counsel