One issue that often faces small to medium sized companies is whether or not to buy cyber liability insurance policies. The need and market for such policies is developing. In this post, I will provide an overview of the product and why I recommend that our clients obtain this coverage.
First, with rare exception, today every company is a tech company. Obviously, social networks and electronic marketplaces are run from an internet platform but the same can be said for the auto body shop that interacts with insurance carriers via web portals. Just as tech companies have a significant brick and mortar presence, traditional brick and mortar companies transact large amounts of business online. Because of this simple fact, I advise my clients, large to small, to obtain cyber liability coverage.
Cyber liability policies were very pricey in their infancy five to ten years ago. Only behemoths like Target, Google and Facebook could afford the premiums. However, smaller companies have lower risk exposure by virtue of a smaller client base. As such, premiums are often more affordable than clients often realize.
What risk is typically covered? In general, these policies address data breaches, employee error, intellectual property infringement and defamation. For large companies, these losses are inevitable in today’s environment. For smaller companies, the risk is increasing. As cyber liability insurance defense litigators, we often defend online defamation cases, data breach and copyright trademark cases. The fees to defend such cases can easily exceed $500,000, a sum that could bankrupt many of our clients. With a proper policy in place, clients are able to mount a substantial defense while at the same time retaining operational profitability.
Going forward, data breach lawsuits are likely to rise exponentially as contingency lawyers continue to develop negligence theories across the country. Currently, there is no viable data breach statutory claim outside of the health care field, which is regulated at the federal level by HIPAA and by a patchwork of statutes at the state level. Standing is the typical barrier to such cases and many are dismissed at the pleading stage even in health care cases with statutory damages. That is because victims of data breach typically do not experience any immediate financial harm but rather only the threat of future identity theft. Furthermore, often plaintiffs cannot allege that the stolen data was accessed by the thieves. As long as companies timely notify consumers of the data breach, they are typically shielded from further liability.
Despite this, plaintiffs continue to bring negligence lawsuits against companies like Sony and Target alleging that anything but state of the art cyber security is negligent. Despite the challenging legal environment, companies like Target continue to enter into significant settlement deals with plaintiffs well into the millions. Such settlements provide the encouragement for the plaintiff’s bar to continue to file these suits. Additionally, a small trickle of cases is starting to get by the motion to dismiss stage. We saw this happen in the In Re Adobe Systems, Inc., Privacy Litigation.
We advise our clients to purchase cyber liability policies as soon as they can afford it. In today’s environment, any company that markets or processes transactions online is likely to be sued for data breach, defamation or intellectual property infringement – typically due to employee error or malfeasance. Large companies can self-insure this risk if they desire. Small and medium sized companies do not have this luxury. As such, insurance is the way to prevent a potential financial disaster because litigation is almost inevitable. Leading carriers of cyber liability products include Beazley, Ace, Travelers and Axis Capital.