Prevention & Mitigation of Losses Good Areas of Focus
By Tom Hagy
John Mullen called me after reading coverage of our teleconference, Private Data Breaches: Insurance Coverage Implications & Prevention. His feeling is, in the end, typical CGL policies will not cover these events.
Of course, as Nelson Levine de Luca & Horst’s Complex Litigation Chair, Mullen counsels carriers and represents their insureds. But he was adamant that, as a practical business matter, because carriers did not contemplate these kinds of losses, they will not cover them or, more likely, will outright exclude them. Instead, as many major carriers already are doing, they will write coverage specifically for what they view as a new and different kind of risk.
Some carriers have remained silent on the subject, while others have excluded claims related to data breaches. New products, riders and policies specifically for data loss have surfaced. Mullen rattled off a list of companies that are writing these policies, including ACE, Arch, AIG/Chartis, Beazley, CNA, Hiscox, Zurich and The Hartford.
Another practical issue he raised is that relatively few companies are strictly in the business of data storage, compared with the number of companies that simply handle, collect and store data as part of their business. Companies whose business is storing data could find coverage for losses under their CGL or professional liability contracts. But they are a small minority of the businesses and entities exposed to the risk of data breaches.
Who Moved My Terabytes?
What’s frightening, Mullen said, is that top people at top companies, who should be informed about their data retention policies and the risks involved, do not understand them.
“I have asked executives, ‘What do you collect? How long do you save it? Where do you keep it? Who has access to it?’ And they can’t answer. They have little idea.”
Mullen said a small percentage of the market has purchased new data breach protection policies, but “the rest of the market is exposed.” And the exposures are nothing to sneeze at. With a loss of 100,000 records (which is not particularly large in this context), damages claimed for credit monitoring may be significant, but that alone will not be enough for a successful federal class action. The secret sauce, he said, may be rendered when the class representative and the potential class members allege actual identity theft.
As if yet another new risk isn’t enough, when you have a data loss and get sued in multiple states, you, the insured, take the matter to an insurer, which has to: retain lawyers in the multiple states involved to respond to the various complaints; retain counsel to evaluate and comply with a wide variety of state notification statutes; have counsel comply with costly e-discovery requirements (class actions are generally found in federal courts requiring e-discovery compliance); and retain and guide specialists in data forensics (since all you will know is there has been a data loss, but you won’t know which data, how much data, how it was breached or where it went!). You have, as Mullen put it, a “nightmare.”
D&O issues lurk, public relations problems abound, and law firms that really understand these issues are scarce.
Test Your Firewall
One thing Mullen advocates is taking a proactive approach to testing your data retention policies and protections. He noted one Bryn Mawr, Pa.-based company, NetDiligence, that leads the market with the fun job of taking a virtual sledgehammer to your data protection system to see just how good it really is. Wise insurers and brokers are paying this company to whack away at prospective policyholders’ security as a condition of securing coverage.
Bottom line, Mullen said, is that the insurance coverage fights are going to be dwarfed by any underlying litigation. It is the prevention or mitigation of that quagmire where both carriers and companies that handle large quantities of sensitive data should focus their energy.
Mullen is the Complex Litigation Chair of Nelson Levine de Luca & Horst, which has offices in NY, NJ, Pa, Ohio and the UK.