Mitigating a Data Breach
One way many law firms seek to mitigate risks is by buying insurance coverage. However, most insurance policies don’t cover cyber-related damages. To get proper coverage, firms must typically purchase supplemental insurance policies specifically designed for this.
Finding the right cyber insurance for your firm can be challenging, however. Given that cyber insurance is so new, there are only so many coverage options available. Even worse, premiums can fluctuate as much as 40 percent depending on the current security climate and even media stories about breaches.
How Much Coverage Can Insurance Contracts Provide?
The terms and conditions of specific insurance contracts can be very rigid, and small changes to the terms can determine whether you’re completely covered for a particular breach event or not at all. For example, some policies may not provide coverage if the insured does not have certain security protocols in place or if the company’s employees do not follow them (which has been the case in many breaches).
Even if the policy covers your firm for a specific event, it’s unlikely to cover all the economic and reputational damage you may suffer. Most cyber insurance policies will not cover that sort of loss.
Legal Complications Impact Coverage
Recent litigation involving the breach of a healthcare entity demonstrates the types of legal challenges that can arise concerning cyber insurance. Cottage Health System (“Cottage”) suffered a data breach that ultimately led to 32,500 patient records being compromised. The records had been posted online without any security precautions to prevent unauthorized access.
As a result of the breach, a class action lawsuit was filed against Cottage. Cottage had prudently purchased an insurance policy from Columbia Casualty Company, which agreed to cover the settlement amount for the class action lawsuit of more than $4 million.
Columbia nevertheless filed a complaint against Cottage seeking a declaratory judgment and reimbursement, based on the terms of the insurance policy. An exclusion in the policy provided that Columbia would not be liable for any loss that resulted from a failure to implement and maintain the protocols identified in the insurance application.
The application included a “Risk Control Self Assessment,” a list of data security practice questions that Cottage answered affirmatively. Columbia alleged that Cottage provided false responses to those questions and that, by implication, Columbia was not responsible for covering the cost of the settlement agreement. (The court subsequently dismissed Columbia’s complaint without prejudice based on an alternative dispute resolution clause in the contract. Columbia Cas. Co. v. Cottage Health Sys., No. CV 15-03432-DDP-AGRX, 2015 WL 4497730 (C.D. Cal. July 17, 2015).)
Policies Without Security Procedures Are Not Effective
This case demonstrates that insurance policyholders must not only procure the correct type of coverage but also implement and maintain the appropriate security procedures. Complicating the situation is the fact that when an entity is breached, its security systems by definition did not operate as planned, which is exactly when an insurer will scrutinize whether the required controls were in place. For an insurance policy to mean anything, the insured must make sure it is maintaining the security procedures the policy requires.
Similarly, insured entities must take the proper actions after a breach so the policy is properly activated. Some policies contain provisions that exclude coverage if the insurer is not notified of the breach within a certain amount of time.
Meeting the standards set forth in an insurance contract or fulfilling other legal obligations is only the bare minimum. To truly protect both their clients’ confidential information and their reputation, law firms should strive to greatly exceed those legal minimums.