A question that I often get from clients is one about cyber-insurance. In light of the recent passing of Bill S-4, better known as the Digital Privacy Act, the Personal Information Protection and Electronic Act (“PIPEDA”) has now been amended to include mandatory breach notification provisions. While these mandatory breach notification provisions are not yet in force, it is a good time to review your cyber-insurance coverage.
As data breach incidents continue to rise, and legislative regimes provide more and more stringent regulation of data breaches, including the proliferation of mandatory breach notification provisions, the expense associated with data breaches also rises. Estimated costs of dealing with a data breach, even to resolve a potential attack, or an attempted breach, have been as high as $600 000.[1] Costs can be incurred as a result of forensic and investigative activities, assessment and audit services, crisis team management, and the necessary internal and external communications.[2] As these incidents increase in number, scope, and impact, organizations are looking to transfer the risk associated with informational security breaches.[3]
The most common way of transferring risk is by obtaining insurance policies: if the risk is insurable, the risk is transferable. Cyber and privacy insurance has been available on the market for the last decade, covering organizations’ liability for a data breach in which the organization’s or customers’ information is lost or stolen. Marsh Inc., a global insurance broker, said that the number of organizations that purchased cyber insurance in the US increased by 33% from 2011 to 2012, and that cyber insurance is currently the fastest growing area of commercial insurance in the world.[4] Policies vary, with cyber insurance offered as an add-on or included in more generally policies, or sold as a distinct product. Marsh Inc. also noted that the lesser growth of cyber insurance in Canada compared to the US is likely due to the higher number of mandatory breach reporting regimes in the US.[5]
Coverage
An important preliminary note on cyber insurance is that cyber insurance is often confused with technology errors and omissions insurance (commonly called “Tech E&O” insurance). Tech E&O insurance protects providers of technology services or products, such as software designers and manufacturers, whereas cyber insurance protects consumers of those products and services.[6]
Generally, cyber insurance is divided into first party coverage protecting the policyholder, and third party coverage protecting from third party claims against the policyholder. First party policies may cover:
(a) The costs associated with determining the scope of the breach and taking steps to stop the breach;
(b) The costs of providing notice to individuals whose identifying information was compromised;
(c) Public relations services to counteract the negative publicity that can be associated with a negative publicity;
(d) The costs of responding to government investigations;
(e) The costs of replacing damaged hardware or software;
(f) The costs of responding to parties vandalizing the company’s electronic data; and
(g) Business interruption costs.[7]
Third party policies may cover:
(a) Liability for permitting access to identifying information of customers;
(b) Transmitting a computer virus or malware to a third-party customer or business partner;
(c) Failing to notify a third party of their rights under the relevant regulations in the event of a security breach; and
(d) Potential “advertising injury,” i.e., harms through the use of electronic media, such as unauthorized use or infringement ofcopyrighted material, as well as libel, slander, and defamation claims.[8]
Cyber insurance can also cover specifically the crisis stage of a data breach. This could include any expenses related to the management of the incident, such as investigation, remedial steps, required notifications, call and public relations management, credit checks for the subjects of the data, and any legal costs including fines or the costs of running a suit.
Limitations of coverage: Relevant considerations
It is important to determine the extent to which your organization’s cyber insurance policy will protect against liability for breaches. Because all insurance policy coverage is dependent on the particular terms and conditions in the policy at issue, organizations looking to obtain cyber insurance should consider a number of questions, including those detailed below. In general, organizations should ensure that their response plan to a potential or actual breach is consistent with their insurance policy. Organizations should consider:
(a) What security controls can you put into place that will reduce the premium?
(b) Will you have to undertake a security risk review of some sort?
(c) What is expected of you to reduce or limit the risks?
(d) Will you get a reduction for each year you do not claim?
(e) What assistance is provided to improve information governance and information security?
(f) What and how big a difference to your future premiums will a claim make?
(g) What support if any will be provided to assist in making the right security decisions for the industry/business you are in?
(h) The security/protection industry is very fast changing, how can the insurance ensure that your policy is current?
(i) Do all portable media/computing devices need to be encrypted?
(j) What about unencrypted media in the care or control of your third-party processors?
(k) Are malicious acts by employees covered?
(l) Will you have to provide evidence of compliance to existing Data Protection Principles, in relation to your actual processing, to prove you were not acting disproportionately?
(m) Although ignorance of the law is no excuse, we are just not able to keep up with all the compliance issues that may affect all the territories our company works in, would you refuse a claim if you were processing data that may contravene laws in one country but not another – because insurance policies often stipulate that you must not be breaking the law?
(n) What if there is uncertainty around whether the incident took place a day before the cover was in place or on the day?
(o) Are the limits for expenses grouped together in a way that the maximum limit that is covered is likely to be achieved very quickly, unless you increase the cover?
(p) Are all and any court attendances to defend claims from others covered?
(q) Could you claim if you were not able to detect an intrusion until several months or years have elapsed, so you are outside the period of the cover? [9]
Every organization faces different challenges with regard to data breaches. The size, industry, type of data, potential exposures, business model, and many other considerations will affect the scope and detail of the ideal cyber insurance policy.[10] Organizations should ensure that they have a detailed system tailored to the specific liabilities and risks to which they are exposed in the event of a data breach.
By Roland Hung, McCarthy Tétrault’s Technology and IP Groups
[1] Miriam Smolen, Adrian C Azer and Katrina F Johnson, “Cyber-Insurance: Mitigating the Dreaded Friday Night Phone Call”, December 18, 2013, Gilbert LLP, online:
[2] Matthew Davies, “The Threat from Within: Why Your Clients Need Standalone Coverage”, March 27, 2014, Canadian Insurance: Top Broker, online:
[3] “Cyber insurance in demand after recent data breaches: banks, hotels, educational institutions buying cyber insurance”, July 28, 2013, CBC News, online
[4] Ibid
[5] Ibid
[6] “Technology Errors & Omissions Insurance”, International Risk Management Institute, online:
[7] List taken from Miriam Smolen, Adrian C Azer and Katrina F Johnson, “Cyber-Insurance: Mitigating the Dreaded Friday Night Phone Call”, December 18, 2013, Gilbert LLP, online:
[8] Ibid
[9] Questions taken from “An Introduction to Cyber Liability Insurance Cover”, ComputerWeekly.com, online:
[10] “An Introduction to Cyber Liability Insurance Cover”, ComputerWeekly.com, online:
Occasional Contributors
Latest posts by Occasional Contributors (see all)
- Changing structured arrangements into reasonable person test – Part I - April 20, 2021
- Waksdale: Rethinking or removing for-cause provisions? - March 31, 2021
- 2021 due dates for T3010s - March 11, 2021
