
By Occasional Contributors | 5 Minutes Read August 26, 2015

Cyber-insurance: What you need to know?

A question that I often get from clients is one about cyber-insurance. In light of the recent passing of Bill S-4, better known as the Digital Privacy Act, the Personal Information Protection and Electronic Act (“PIPEDA”) has now been amended to include mandatory breach notification provisions. While these mandatory breach notification provisions are not yet in force, it is a good time to review your cyber-insurance coverage.

As data breach incidents continue to rise, and legislative regimes provide more and more stringent regulation of data breaches, including the proliferation of mandatory breach notification provisions, the expense associated with data breaches also rises. Estimated costs of dealing with a data breach, even to resolve a potential attack or an attempted breach, have been as high as $600 000.[1] Costs can be incurred as a result of forensic and investigative activities, assessment and audit services, crisis team management, and the necessary internal and external communications.[2] As these incidents increase in number, scope, and impact, organizations are looking to transfer the risk associated with information security breaches.[3]

The most common way of transferring risk is by obtaining insurance policies: if the risk is insurable, the risk is transferable. Cyber and privacy insurance has been available on the market for the last decade, covering organizations’ liability for a data breach in which the organization’s or customers’ information is lost or stolen. Marsh Inc., a global insurance broker, said that the number of organizations that purchased cyber insurance in the US increased by 33% from 2011 to 2012, and that cyber insurance is currently the fastest growing area of commercial insurance in the world.[4] Policies vary, with cyber insurance offered as an add-on or included in more general policies, or sold as a distinct product. Marsh Inc. also noted that the lesser growth of cyber insurance in Canada compared to the US is likely due to the higher number of mandatory breach reporting regimes in the US.[5]

Coverage

An important preliminary note on cyber insurance is that cyber insurance is often confused with technology errors and omissions insurance (commonly called “Tech E&O” insurance). Tech E&O insurance protects providers of technology services or products, such as software designers and manufacturers, whereas cyber insurance protects consumers of those products and services.[6]

Generally, cyber insurance is divided into first party coverage protecting the policyholder, and third party coverage protecting from third party claims against the policyholder. First party policies may cover:
   (a) The costs associated with determining the scope of the breach and taking steps to stop the breach;
   (b) The costs of providing notice to individuals whose identifying information was compromised;
   (c) Public relations services to counteract the negative publicity that can be associated with a breach;
   (d) The costs of responding to government investigations;
   (e) The costs of replacing damaged hardware or software;
   (f) The costs of responding to parties vandalizing the company’s electronic data; and
   (g) Business interruption costs.[7]

Third party policies may cover:
   (a) Liability for permitting access to identifying information of customers;
   (b) Transmitting a computer virus or malware to a third-party customer or business partner;
   (c) Failing to notify a third party of their rights under the relevant regulations in the event of a security breach; and
   (d) Potential “advertising injury,” i.e., harms through the use of electronic media, such as unauthorized use or infringement of copyrighted material, as well as libel, slander, and defamation claims.[8]

Cyber insurance can also cover specifically the crisis stage of a data breach. This could include any expenses related to the management of the incident, such as investigation, remedial steps, required notifications, call and public relations management, credit checks for the subjects of the data, and any legal costs including fines or the costs of running a suit.

Limitations of coverage: Relevant considerations

It is important to determine the extent to which your organization’s cyber insurance policy will protect against liability for breaches. Because all insurance policy coverage is dependent on the particular terms and conditions in the policy at issue, organizations looking to obtain cyber insurance should consider a number of questions, including those detailed below. In general, organizations should ensure that their response plan to a potential or actual breach is consistent with their insurance policy. Organizations should consider:
   (a) What security controls can you put into place that will reduce the premium?
   (b) Will you have to undertake a security risk review of some sort?
   (c) What is expected of you to reduce or limit the risks?
   (d) Will you get a reduction for each year you do not claim?
   (e) What assistance is provided to improve information governance and information security?
   (f) What and how big a difference to your future premiums will a claim make?
   (g) What support, if any, will be provided to assist in making the right security decisions for the industry/business you are in?
   (h) The security/protection industry is very fast changing; how can the insurer ensure that your policy is current?
   (i) Do all portable media/computing devices need to be encrypted?
   (j) What about unencrypted media in the care or control of your third-party processors?
   (k) Are malicious acts by employees covered?
   (l) Will you have to provide evidence of compliance with existing Data Protection Principles, in relation to your actual processing, to prove you were not acting disproportionately?
   (m) Although ignorance of the law is no excuse, we are just not able to keep up with all the compliance issues that may affect all the territories our company works in; would you refuse a claim if we were processing data that may contravene laws in one country but not another, given that insurance policies often stipulate that you must not be breaking the law?
   (n) What if there is uncertainty around whether the incident took place a day before the cover was in place or on the day?
   (o) Are the limits for expenses grouped together in a way that the maximum limit that is covered is likely to be reached very quickly, unless you increase the cover?
   (p) Are all and any court attendances to defend claims from others covered?
   (q) Could you claim if you were not able to detect an intrusion until several months or years have elapsed, so that you are outside the period of the cover?[9]

Every organization faces different challenges with regard to data breaches. The size, industry, type of data, potential exposures, business model, and many other considerations will affect the scope and detail of the ideal cyber insurance policy.[10] Organizations should ensure that they have a detailed system tailored to the specific liabilities and risks to which they are exposed in the event of a data breach.
By Roland Hung, McCarthy Tétrault’s Technology and IP Groups

[1] Miriam Smolen, Adrian C Azer and Katrina F Johnson, “Cyber-Insurance: Mitigating the Dreaded Friday Night Phone Call”, December 18, 2013, Gilbert LLP, online: .
[2] Matthew Davies, “The Threat from Within: Why Your Clients Need Standalone Coverage”, March 27, 2014, Canadian Insurance: Top Broker, online: ; Miriam Smolen, Adrian C Azer and Katrina F Johnson, “Cyber-Insurance: Mitigating the Dreaded Friday Night Phone Call”, December 18, 2013, Gilbert LLP, online: .
[3] “Cyber insurance in demand after recent data breaches: banks, hotels, educational institutions buying cyber insurance”, July 28, 2013, CBC News, online: .
[4] Ibid.
[5] Ibid.
[6] “Technology Errors & Omissions Insurance”, International Risk Management Institute, online: ; “Cyber and Privacy Insurance”, International Risk Management Institute, online: .
[7] List taken from Miriam Smolen, Adrian C Azer and Katrina F Johnson, “Cyber-Insurance: Mitigating the Dreaded Friday Night Phone Call”, December 18, 2013, Gilbert LLP, online: .
[8] Ibid.
[9] Questions taken from “An Introduction to Cyber Liability Insurance Cover”, ComputerWeekly.com, online: .
[10] “An Introduction to Cyber Liability Insurance Cover”, ComputerWeekly.com, online: .

Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.
