Legal Blog

Mitigating Loss following a Data Breach

Mitigating Loss following a Data BreachThe Internet has forever changed the way in which we conduct business. However, with innovation come new risks. This is especially true with the Internet. As more and more business is conducted online, cyberrisk, especially data breach, becomes more prominent and the financial risks for both individuals and companies grow. A data breach involves the release of personal information, such as credit card numbers, Social Security numbers or passwords, to an untrusted environment, such as thieves or hackers. And everyone is at risk, from microbusinesses to global corporations. The recent example of Wells Fargo & Co. illustrates that even the largest companies with sophisticated controls in place are susceptible to data breach, either through inadvertence, negligence or theft. In the case of Wells Fargo, the lender allegedly inadvertently disclosed customers’ Social Security numbers, an allegation that the Connecticut attorney general is now investigating. There is no magic bullet that will prevent your company from suffering a data breach. There are, however, steps you can take to help protect your company in the event of a data breach. Mitigating Loss following a Data Breach If your company maintains a database with customer information, it is critical that you have insurance to cover losses that stem from data breach. There are several insurance products designed to do just this. However, there are several pitfalls that may prevent full coverage. The first thing to consider is that a data breach will likely result in both first-party and third-party coverage, i.e. Your company will suffer direct harms as a result of a data breach, as well as potentially indirect harm from third-party claims. For this reason, it is important to have insurance that covers both. 1) First-Party Coverage: For first-party coverage, property insurance may be enough. However, it is vital to check the definitions of property, which may not include “data.” If data is not covered, the direct losses resulting from a data breach will not be covered and, if the business interruption or extra expenses coverages are related, they also may not be triggered. Consequently, some carriers are writing manuscript policies or have specially tailored endorsements to address this risk. It would be beneficial for any in-house counsel or outside risk manager to carefully explore this coverage. 2) Third-Party Coverage: For third-party coverage,the type of insurance you need depends on whether the data breach was accidental or intentional. For an intentional data breach, most likely at the hands of a hacker, you would need Internet crime coverage. However, this likely will not protect your company if the losses were incurred by negligence or corporate error. It is important to be mindful of data breach when obtaining insurance and consider what exposures your company has. In addition, if a company is facing losses and/or claims stemming from an incident of data breach, it is important to look at all of your insurance to determine if coverage exists. An experienced insurance recovery attorney can review your policies to ensure that you are covered for losses as the result of a data breach. Mitigating Loss following a Data BreachIf you have any questions about Mitigating Loss following a Data Breach, Insurance Recovery, or our Insurance Policy Cyber Risk Review, please contact Offit Kurman insurance recovery attorneys.