Franklin R. Cragle, III// August 3, 2015//
Over the last year, cyber crimes have dominated front-page media coverage. Sony. Anthem. The Home Depot. Target. Even now, reports of overseas hackers accessing the U.S. government employee databases are terrifying the nation. These cyber breaches can cost tens-of-millions of dollars to mitigate. For a small company, like many that make up the Virginia landscape, a multimillion-dollar liability caused by a cyber attack could mean closing its doors for good. To protect against these types of liabilities, companies of all sizes must have robust cyber insurance coverage.
Small and midsized businesses as primary targets
According to the Identity Theft Resource Center, as of June 23, 2015, 380 reported cyber breaches in the U.S. resulted in the exposure of 117.4 million records. The overwhelming majority of these breaches were not the size of Sony or Anthem; they were smaller companies who are often more vulnerable to attacks. Symantec reported in its 2014 Internet Security Threat Report that small (250 employees or fewer) to mid-sized (251 to 2,500 employees) businesses have seen huge spikes in cyber attacks. These attacks increased 61 percent from 2012 to 2013.
The duration of these attacks also changed, increasing from four to approximately eight days as criminals engaged in a “low and slow” approach specially designed to elude the victim’s suspicion.
Smaller organizations are becoming a common target of cyber crimes for several reasons. Companies of this size tend to have fewer safeguards or internal protocols to protect against these types of attacks, and they generally do not invest in employee training or company policies for cyber protection (and even if policies are in place, smaller companies tend to lack the resources for enforcement).
In a 2012 study on cyber security mistakes, KPMG found that “the human factor” remains “the weakest link in relation to [cyber] security.” Hackers readily overcome firewalls and other safeguards largely by focusing their efforts on employees who are not educated on the risks.
The most common methods of cyber attack remain phishing (the deposed Nigerian prince who needs your help); viruses attached to unsecured or unknown downloads; and open Wi-Fi accounts. Additionally, a new method called “spear phishing” is becoming a hacker favorite: these solicitations appear to come from a trusted source and request sensitive information.
Small-to-midsize companies should respond to increased victimization with more robust internal protections and specialized insurance coverage to mitigate their risk.
Courts rejecting cyber coverage under CGL policies
Nearly all companies have (or should have) Commercial General Liability (CGL) policies. These tried-and-true policies protect against physical injury or damage to property in the event of an “occurrence.” Accordingly, when breaches occur, policyholders naturally turn to their CGL policy and expect coverage. Insurers, however, have taken the position that CGL policies do not cover cyber-attacks — and the courts tend to agree.
In May 2015, a Connecticut court rejected an insured’s claim for CGL policy coverage as the result of a cyber breach in Recall Total Info Mgmt. v. Federal Ins. Co. In this case, Recall lost digital employment data for approximately 500,000 of IBM’s employees when a box of back-up tapes literally fell off the back of Recall’s truck. Despite the loss of these records, the court rejected the CGL claim, determining that the records were not “published.” It cost approximately $6 million to remediate this claim through notification and employee credit protection.
In Eyeblaster Inc. v. Federal Ins. Co., the court determined that a CGL policy did not cover claims where computers became infected with spyware after visiting Eyeblaster’s website. The court reasoned that CGL policies protect against property damage meaning “physical injury to tangible property” and that, unless the computer’s hardware was physically damaged, CGL policies do not protect against the software and information contained in the computer.
Similarly, in Travelers Indem. Co. of CT v. P.F. Chang’s China Bistro, Inc., Travelers asserted it does not owe coverage to P.F. Chang’s under its CGL policy for a massive, nine-month data breach that gave hackers access to credit and debit card information for roughly 7 million customers. Although the case is currently stayed for other reasons, it provides another example of an insurer rejecting cyber claims under the insured’s CGL policy.
Best practices — audit and acquire necessary coverage
With hackers focusing on small to mid-sized companies and courts rejecting claims that CGL policies cover cyber attacks, companies must turn to specialized insurance policies for protection.
Audits are a first step in this protection. Insurance brokers can provide a degree of comfort with regard to policy terms and conditions, however, with the changing legal landscape, insurance auditors and coverage attorneys can ensure the most appropriate coverage. After the audit is complete, it is critical that the company fill in any gaps by obtaining additional cyber coverage.
Cyber policies are not a luxury of large corporations; they are a necessary tool to protect smaller companies who could be put out of business by the costs of mitigating a single cyber attack.
Frank Cragle is a trial lawyer and member of the Insurance Recovery Team and Data Privacy and Security Practice at Hirschler Fleischer in Richmond. He may be reached at (804) 771-9515 or by email at [email protected].
C