{"id":5387,"date":"2017-11-01T13:30:13","date_gmt":"2017-11-01T17:30:13","guid":{"rendered":"http:\/\/ncjolt.org\/?p=5387"},"modified":"2020-06-04T20:52:51","modified_gmt":"2020-06-04T20:52:51","slug":"cybersecurity-insurance-for-all","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/cybersecurity-insurance-for-all\/","title":{"rendered":"Cybersecurity Insurance For All?"},"content":{"rendered":"<p>In the past year, it seems like the rate of cybersecurity incidents has been increasing. It is irrelevant whether these breaches are old or new; the issue is that they are occurring.<br \/>\nOn October 16, 2017, Chubb Ltd. (\u201cChubb\u201d) released the results of a<a href=\"https:\/\/www.law360.com\/articles\/974620\/just-1-in-4-risk-managers-reports-cyberbreach-chubb-says\"> survey<\/a> it conducted on businesses cybersecurity preparedness. The survey found that \u201c[m]ore than a <a href=\"https:\/\/www.law360.com\/articles\/974620\/just-1-in-4-risk-managers-reports-cyberbreach-chubb-says\">quarter<\/a> of senior\u00a0risk and information technology managers say their firms have been hacked or suffered a cyber incident in the last year.\u201d This is aside from the alarming finding that \u201c[l]ess than half, <a href=\"https:\/\/www.law360.com\/articles\/974620\/just-1-in-4-risk-managers-reports-cyberbreach-chubb-says\">43 percent<\/a>, said that everyone involved knew what to do and that they responded as planned.\u201d Adding to the concern, \u201conly 49 percent of firms said they communicated details of the incident to affected parties \u2018<a href=\"https:\/\/www.law360.com\/articles\/974620\/just-1-in-4-risk-managers-reports-cyberbreach-chubb-says\">quickly and efficiently<\/a>.\u2019\u201d While it is possible that Chubb\u2019s <a href=\"https:\/\/www.law360.com\/articles\/974620\/just-1-in-4-risk-managers-reports-cyberbreach-chubb-says\">statistics<\/a> only apply to European companies (as their results were discussed in the context of complying with the General Data Protection Regulation) they are still shocking. The United States might not be in the exact situation as Europe, but it faces difficult times ahead with \u201c[o]nly <a href=\"https:\/\/securityintelligence.com\/20-eye-opening-cybercrime-statistics\/\">38 percent<\/a> of organizations . . . believ[ing] they were prepared to meet the onslaught of sophisticated cybercrime.\u201d<br \/>\nLaw firms are not exempt from being the victims of cyber attacks. Law firms face <a href=\"https:\/\/www.americanbar.org\/publications\/gp_solo\/2016\/may-june\/cyber_insurance_law_firms.html\">daunting statistics<\/a>, such as the fact that \u201cthe average cost for a privacy data breach is $217 per compromised record\u201d and \u201c47 percent of privacy breaches are the result of criminal activity\u201d while only \u201c25 percent employee error, and 28 percent system errors.\u201d In 2015, \u201c\u2018some of the country&#8217;s most prestigious law firms,\u2019 including Cravath Swaine &amp; Moore LLP and Weil Gotschal &amp; Manges LLP,\u201d were the subjects of network <a href=\"https:\/\/www.americanbar.org\/publications\/litigation-news\/featured-articles\/2017\/law-firm-cybersecurity-breach-opens-door-to-lawsuit.html\">hacks<\/a>.\u00a0Aside from making sure there are adequate cybersecurity measures in place, up to date employee trainings, and cybersecurity plans, one possible solution to the rising breach rate is Cyber Insurance.<br \/>\n<a href=\"https:\/\/www.americanbar.org\/publications\/gp_solo\/2016\/may-june\/cyber_insurance_law_firms.html\">Cyber Insurance<\/a> is \u201cdesigned to assist before, during, and after an attack.\u201d <a href=\"https:\/\/www.americanbar.org\/publications\/gp_solo\/2016\/may-june\/cyber_insurance_law_firms.html\">Cyber Insurance<\/a> \u201cgenerally falls into two categories: third-party, which often extends to fines and penalties arising from regulatory actions, and first-party, which addresses costs and expenses the insured incurs because of a security failure including notification, credit monitoring, investigation, forensics, and perhaps even lost income.\u201d Interestingly, \u201conly about 11 percent of responding lawyers indicated that their firm has cyber <a href=\"https:\/\/www.americanbar.org\/publications\/gp_solo\/2016\/may-june\/cyber_insurance_law_firms.html\">liability insurance<\/a>.\u201d\u00a0Firms have several reasons for not pursuing Cyber Insurance including the fact that they believe the policy is not relevant to their business, they do not understand the risks involved in not having a policy, and they \u201clack of clarity about . . . <a href=\"http:\/\/www.insurancejournal.com\/news\/national\/2017\/05\/31\/452647.htm\">pricing<\/a>.\u201d<br \/>\nDespite resistance to the industry, it is a <a href=\"http:\/\/www.insurancejournal.com\/news\/national\/2017\/05\/31\/452647.htm\">growing<\/a> area. Therefore, lawyers should at least be aware of case law in the area. Two cases of note in this area are <a href=\"https:\/\/www.americanbar.org\/publications\/gp_solo\/2016\/may-june\/cyber_insurance_law_firms.html\">Travelers Property Casualty Company of America v. Federal Recovery Services, Inc.<\/a><em> and <\/em><a href=\"https:\/\/docs.justia.com\/cases\/federal\/district-courts\/arizona\/azdce\/2:2015cv01322\/934023\/45\">P.F. Chang&#8217;s China Bistro, Inc. v. Fed. Ins. Co.<\/a> In <em>T<\/em><em>ravelers Property Casualty Company of America v. Federal Recovery Services, Inc.,<\/em>\u00a0the \u201ccourt interpreted the cyber insurance commercial general liability . . . and errors and omissions liability policy as if it was any other non-cyber policy . . . [,] [thus making the policy] more <a href=\"https:\/\/www.americanbar.org\/publications\/gp_solo\/2016\/may-june\/cyber_insurance_law_firms.html\">predicable<\/a> than some feared.\u201d However this predictability was called into question in <em>P.F. Chang&#8217;s China Bistro, Inc. v. Fed. Ins. Co.<\/em> the court <a href=\"https:\/\/docs.justia.com\/cases\/federal\/district-courts\/arizona\/azdce\/2:2015cv01322\/934023\/45\">held<\/a> that Federal Insurance Co. (a \u201cunit\u201d of Chubb) was not required to reimburse P.F. Chang\u2019s despite the restaurants Cyber Insurance policy, because they payment was for the reimbursement of Bank of America, the restaurants credit card transaction processor, who did not sustain an injury to privacy. Therefore, when advising clients, lawyers should keep in mind how these types of cases are treated and who suffered a privacy injury.<\/p>\n<blockquote><p>Given that so few people appear to be well prepared for the cybersecurity threat, lawyers need to consider Cyber Insurance as an option for their clients and at least understand some relevant case law surrounding the industry.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>In the past year, it seems like the rate of cybersecurity incidents has been increasing. It is irrelevant whether these breaches are old or new; the issue is that they are occurring. On October 16, 2017, Chubb Ltd. (\u201cChubb\u201d) released the results of a survey it conducted on businesses cybersecurity preparedness. The survey found that <a href=\"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/cybersecurity-insurance-for-all\/\" class=\"more-link\">&#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":5388,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/5387"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=5387"}],"version-history":[{"count":1,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/5387\/revisions"}],"predecessor-version":[{"id":7010,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/5387\/revisions\/7010"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/5388"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=5387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=5387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=5387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}