What have we learned about cyberrisk over the last few years? We’ve learned that it does not discriminate. Whether your company is a health care organization, retail operation, professional service firm, or a business focused within the transportation industry, you are a target.
In a recent study of actual claims information conducted by NetDiligence, the four biggest causes of loss due to a data breach event were hackers (31 percent), malware/virus (14 percent), and staff mistakes and rogue employees, each accounting for 11 percent. Further, the report indicates that companies with less than $50 million in revenue experienced the most incidents (29 percent), followed by companies with revenues between $300 million and $2 billion (25 percent). Companies with revenues between $50 million and $300 million came in at 18 percent.
The transportation industry, in particular, is susceptible in many ways. Aviation, marine, rail, and trucking/auto have their own individual risks and exposures, but all share one thing: a sophisticated technology platform that keeps track of every movement of not only physical assets, but also packages and shipments containing intellectual property, financial information, chemicals, perishables, weapons, personally identifiable information (PII), and more. On top of that, it’s carried on the seas, in the skies, and on the rails and highways. The technology platforms utilized by the transportation industry typically include multiple clouds, servers, and networks, all of which are susceptible to hackers. Sophisticated hackers can set up fraudulent trucking operations to hijack shipped goods and cargo. Because cyber incidents can shut down commerce, the efficiency that technology brings comes with real risks and exposures.
The effects of a cyber event can be devastating to a transportation company in many ways and can include critical customer, employee, client, and organizational data being lost or stolen; business interruption; reputational damage; regulatory actions; cyber espionage; and extortion. Additionally, the first-party costs associated with mitigating the event and defending against litigation can be crippling.
For example, almost all states require that individuals be notified if their PII has been accessed, lost, or stolen. Some states even require payment for credit and identity theft monitoring. The breach may prevent business from being conducted, with a concomitant loss of revenue. Forensic professionals will have to be retained to determine the extent of the breach, eradicate the hacker, and restore the data to its prebreach state. Investigation by a state or federal regulatory authority such as the state attorney general or the Federal Trade Commission is possible. The breached company will have to respond to the inquiries and defend against the investigations, and may be subject to fines or penalties.
The company’s reputation is now on the line. As a result, there is no choice but to retain a public relations firm to handle the inquiries and implement a plan to restore the company’s image. Of course, attorneys will have to be retained immediately. One year and millions of dollars later, the nightmare is finally over, right? Unfortunately, the answer is “no.” Now it’s time to consider the third-party risk: the liability to the individuals whose PII was compromised. Even with the best credit and fraud monitoring services, these individuals can incur financial loss. They will, of course, file suit and seek compensation for their damages.
The insurance typically procured by a transportation or logistics company may not cover part or all of the first- and third-party losses. Commercial general liability insurance typically covers bodily injury and property damage claims, not stolen identities and data breaches. Some insureds have sought coverage under the “advertising injury” section of their CGL policy, which may provide coverage when publication of PII violates an individual’s right to privacy. However, the loss of data without a publication probably will not trigger coverage.
Directors and officers (D&O) policies cover claims involving allegations that the board has abdicated its responsibilities in running the company. These policies may cover some aspect of a third-party data breach claim, but probably will not cover the first-party expenses. Errors and omissions (E&O) policies cover claims arising out of mistakes committed while rendering professional services. Since many data breaches are not caused by human error but, rather, some type of criminal attack, a standard E&O policy will probably not cover the loss. If the breach only results in the release of PII—in other words, no physical damage is caused to the insured’s property—it may prevent coverage under a traditional first-party property policy. In addition, many policies exclude coverage for the intentional or criminal acts of employees, which may vitiate coverage if a rogue employee facilitates the breach.
Although some courts have found coverage for data breaches under customary policies, many carriers are modifying policies to exclude data breach losses. In fact, the Insurance Services Office (ISO), which develops policy language that is adopted by many insurers, has introduced several endorsements that limit or exclude coverage for data breaches. A breach will occur—it’s not if, it’s when. Thus, the transportation industry needs to be aware of the coverage issues and consult its insurance brokers to determine whether it has procured adequate cyber liability insurance.
Transportation companies also need to implement data breach prevention programs and best practices. For example, an Internet usage policy that restricts users and forbids unauthorized downloading of apps and software is a must. Confidential information must be stored in password-protected, encrypted databases. Malware detection and anti-virus software must be regularly updated. Backup tapes should be utilized to preserve data in the event of a breach, and counsel should be consulted to ensure that contracts with outside vendors contain appropriate indemnification and risk transfer provisions. The transportation industry needs to implement these best practices and seriously consider whether it is at risk for a devastating breach that may not be covered.