Does Cyber Insurance Cover Your Hackable Device?
The recent headlines regarding Johnson & Johnson’s disclosure of a “cybersecurity issue” affecting one of its products illustrate that companies are identifying security concerns involving products in the marketplace even before they are hacked. See, e.g., here. The mere disclosure of vulnerabilities is leading to claims and regulatory inquiries focused on cyber security issues – even without an actual breach. See, e.g., Cahen v. Toyota Motor Corp., 3:15-cv-01104-WHO (N.D. Cal.) (putative consumer class action alleging that defendant automobile manufacturers “sold or leased vehicles that are susceptible to computer hacking and are therefore unsafe”); In re Dwolla, Inc., No. 2016-CFPB-0007 (Doc. 1, filed March 2, 2016) (consent order between the company and the CFPB regarding alleged misrepresentations about the company’s data security practices, despite there being no evidence that consumers actually suffered tangible harm). In the absence of other available insurance coverage, the million-dollar question many companies may find themselves asking is whether this risk is covered by cyber insurance.
For background, a company that has experienced an actual data breach may quickly face claims on multiple fronts, such as from consumers, businesses, and regulatory authorities. Those claims may fall within the general scope of coverage afforded by cyber insurance because one of the necessary predicates to trigger coverage – unauthorized access to sensitive information through the failure of computer security on the insured’s network – is present. See, e.g., P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. 15-cv-1322 (SMM), 2016 WL 3055111 (D. Ariz. May 31, 2016).[1]
Claims involving security vulnerabilities in devices may be different for two primary reasons.
First, many cyber policies respond only to incidents affecting specified computer systems. For claims involving the security of products that do not fall within those networks, coverage may be unavailable or limited from the outset for that reason.
Second, cyber insurance policies often require the existence of a breach (or reasonably suspected breach) first discovered during the relevant policy period to trigger coverage. In this way, the availability and extent of coverage may in some respects mirror the triggers for reporting and notice obligations under state breach notification laws. See, e.g., Cal. Civ. Code § 1798.82(a) (requiring notification to persons whose “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person”). A claim involving a potential vulnerability, where it has not actually been exploited, may not meet that threshold requirement.
First-party cyber coverage may be roughly analogous to coverage under a commercial crime policy in this context. Under a crime policy, coverage may be triggered for a first-party loss, such as the theft of merchandise, after the crime has taken place. It typically does not cover the expenses of investigating potential holes in a company’s security procedures that may enable theft to happen in the first place. Similarly, a cyber policy may be triggered for first-party loss after an actual breach of the insured’s computer system, but it may not afford coverage for the costs to assess an insured’s security or detect potential ways that a vulnerability might be exploited. That may just be considered by an insurer as a cost of doing business.
The same result may apply in the event of a claim made against the company, because third-party liability coverages under cyber policies often are written to apply only to claims involving the same events that trigger coverage in the first-party context – i.e., when there has been a data breach event. As such, there may also be no coverage for “breach-less” claims made by consumers or regulators because there was no trigger to coverage (i.e., no breach).
While these issues may present roadblocks for a company trying to secure coverage under its cyber policy for claims involving vulnerabilities in its products, its other insurance policies may afford such coverage. In addition, companies routinely shift risk for these vulnerabilities through contractual indemnification provisions with other parties in the supply chain. As such, cyber insurance is ideally only a small piece of the bigger risk management strategy that a company employs to address emerging data security risks.
[1] An appeal has been filed in the P.F. Chang’s case. See Case No. 16-16141 (9th Cir.). For a description of the original P.F. Chang’s decision, see here.