There have been several large-scale cyberattacks in the news in recent years, demonstrating both how costly these events can be and the importance of having cybercrime insurance coverage.
This new modern “hazard” has prompted many insurance companies to offer cyberattack coverage in the event a business is stricken with this bad conduct. Of course, having cyberattack insurance coverage does not necessarily mean that your insurance company will honor its promises to cover losses your company has suffered, for which you paid expenses premiums. Some examples of the scale of cybercrime attacks and the new problems faced by insureds in making insurance companies pay claims made are listed below. In the end, it is just the same old story of insurance companies refusing to keep their promises until forced to do so.
- Data stolen from 50 million credit cards from Home Depot’s database
- Data stolen from 76 million individuals and 7 million businesses from JPMorgan Chase’s customer database
- Breach of Yahoo compromising the data of 1.5 billion customers
- 79 million healthcare customers’ data stolen from Blue Cross and CareFirst Blue Shield’s database
- 700,000 Social Security numbers stolen from the Internal Revenue Service
- Records from 21 million federal employees stolen from the United States Office of Personnel Management
Recent Complicating Legislation
Risk and exposure to insurance companies for cybercrime liability has been magnified. Recent privacy legislation by states such as New York, New Jersey and California have codified new dimensions of potential liability for insurance companies. Along with the drastic increase the number, scope, and complexity of these crimes, this has prompted some think tanks to propose the formation of a separate cybercrime court to deal with them.
Recent Court Cases Against Insurance Companies
A recent example of the difficulty in obtaining insurance coverage is the lawsuit against Landry’s, Inc., a private company operating many restaurant chains including McCormick & Schmick’s Grill, Bubba Gump Shrimp Company, Morton’s The Steakhouse, and Rainforest Café. (As an aside, Landry’s CEO, Tilman Feritta, recently purchased the Houston Rockets NBA franchise for a record $2.2 billion dollars).
JP Morgan Chase filed a $20 million lawsuit against Landry’s as a result of a large data breach at Landry’s properties, resulting in the compromise of millions of credit care accounts between May 2014 and December 2015. In turn, Landry’s contacted its insurer to indemnify its costs in defending the lawsuit under a series of liability policies it held. Courts ruled that because the policies were not specifically written for cybercrime coverage, the insurer was not liable for funding Landry’s defense of the data hack lawsuit.
Another example is Target Corporation suing Chubb for coverage relating to a massive 2013 data beach against it that compromised millions of customer credit cards. Target settled these claims for $138 million, with at least $74 million paid for costs associated with banks replacing the compromised credit cards. Target then made an indemnity claim against its liability insurer, Chubb. This case is ongoing.
What Do You Do In the Event of a Cyberattack?
Cyberattacks can wreak havoc on your business. As soon as an attack occurs, you should immediately notify your broker and all of your insurance companies for whom you believe coverage may exist. If you have cyber coverage, the insurance company usually has a team of experts available to you as the insured. Assignment of this team by the insurance company will help you in securing your data and getting your business back up and running. The insurance company recovery team has already been vetted by the insurance company itself.
If your insurance company denies or delays your cyber loss claim for any reason, call us for assistance. We are here for you, to make sure your insurance company keeps the promises it made to your company.
Evan S. Schwartz
Founder of Schwartz, Conroy & Hack