Figuring Out the Details

According to a report from the Government Accountability Office, in 2021, American businesses and individuals were the targets of 26,074 cyber incidents, which resulted in almost $2.6 billion in economic loss. Data breaches represent one of the largest sources of business liability, which means cyber-related insurance coverage has become more important than ever. Equally important is an insurer’s ability to assess damages and liability resulting from a cyberattack affecting its insured.

The first step in evaluating any cyber incident or claim is identifying, as soon as the insured reports the incident, any applicable policies and the coverages those provide. It is also important to ensure that the insured has the resources in place to effectively respond to the incident as required by state and federal law and any applicable cyber policy. At a minimum, the insured should immediately:

•    Retain approved legal counsel.

•    Engage with forensic examiners and its breach-response team.

•    Determine whether reporting to law enforcement is appropriate.

•    Determine any state and federal notification requirements.

These steps, and, in particular, analysis of and complying with any notice requirements, can generate significant costs. Other early stage, first-party costs can include public relations and crisis management expenses; business interruption losses; system monitoring expenses; cyber extortion losses; and data recovery losses.

As soon as possible after identifying the initial first-party costs and damages, the insurer should determine the who, what, when, and extent of the cyberattack. Figuring out the details of the incident informs the full nature and extent of first-party damages, and it also lets the insurer evaluate the potential for third-party liability resulting from the breach.

The insurer first needs to know, in general terms, what kind of incident happened—whether it was a phishing scam, a ransomware attack, a data mining attempt, or some other type of attack.

The job gets harder when the incident affects third-party data. Incidents involving third-party liability and coverage introduce a whole host of new potential costs. Some types of data breaches involving third parties put the insured at risk of incurring civil and criminal regulatory penalties. That risk of liability can increase, and new fines and penalties can be imposed, if the incident response fails to comply with applicable state and federal law.

The most likely source of additional regulatory liability comes from an insured’s failure to meet reporting and notification requirements. Those requirements can change depending on the organization that was breached, the persons whose personal information was affected, and the nature of the compromised data and information.

It is important to consider that states can impose their own requirements, and those operate independently of each other and federal requirements. The locations of the affected individuals must be determined for the insurer to evaluate the damages.

Additionally, federal law imposes reporting and notice requirements that apply based upon the target of the breach. For example, following most breaches, financial institutions must meet the reporting requirements of the Gramm–Leach–Bliley Act, while HIPAA imposes on covered providers different reporting obligations for breaches involving protected health information. Federal requirements can also change based on the type of data or information compromised. In March 2022, new federal data-breach legislation was signed into law requiring all organizations in critical infrastructure sectors to report cyber incidents to the Department of Homeland Security within 72 hours.

The final piece of evaluating potential third-party liability is determining actual and potential harm to third-party individuals. Courts are expanding the types of damages that affected third-party individuals may recover. Individuals may recover damages resulting from the actual misuse of their personal information, even if the misuse happens more than a year after the cyber incident. [See, for example, Resnick v. AvMed, Inc., (11th Cir. 2012).] In some cases, they may also recover based on a heightened risk of injury caused by compromised personal information, even if that risk has not yet materialized.

With that said, an insured is not automatically liable for third-party damages resulting from a breach of its system. In cases involving more than one allegedly culpable party, an emerging majority of courts apportion liability under an “imposter” or “last-best-chance” approach. Under that approach, the party that was in the best position to prevent the breach bears the resulting loss. Determining which party was in the best position to prevent the breach requires an intensive inquiry that takes into account all facts and circumstances surrounding the breach. [See, for example Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., (6th Cir. 2018); Parmer v. United Bank, Inc., (W. Va. Dec. 7, 2020); and Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., (D. Nev. 2020).]

Because of that, insurers must cast a wide net when investigating and evaluating potential third-party liability. These steps include:

•    Identifying, if possible, the likely responsible parties.

•    Identifying the possible risks for misuse of the particular personal information and data compromised.

•    Identifying all parties involved in maintaining or operating the breached system.

It is also important to determine key features of the breached system’s security, including:

•    Whether the insured’s providers manage the system through remote access credentials, which are particularly vulnerable to cyberattack.

•    Whether the insured’s providers selected and installed the anti-virus software for the system.

•    Whether the insured’s providers were responsible for updating and installing patches for any of the insured’s computer programs.

•    Whether the insured’s providers established firewall rules for the insured’s system.

•    Whether the insured’s providers were responsible for monitoring for suspicious activity.

•    Whether the insured’s providers were responsible for any part of the insured’s network design—e.g., segregation, or lack thereof, of network areas containing sensitive or confidential information.

Finally, it is important to determine whether one or more parties’ conduct in the lead up to the breach deviated from established procedures or courses of dealings related to the compromised system.

The rate of cyberattacks and claims continues to rise, and cyber policies are becoming more prevalent. Insurers must ensure that they are prepared to meet their critical role of mitigating and reducing the risk of cybercrime, which includes a thorough evaluation of the potential damages and liabilities resulting from the cyber incident.