FTC can sue companies over data breaches, court says

Clients are now vulnerable to lawsuits following data breaches, underlining the importance of these insurance protections.

An April court decision on company liability for data breaches underlines the increased reliance commercial clients will have on insurance producers, industry and legal experts say.

The US District Court for the District of New Jersey ruled that the Federal Trade Commission can sue companies on charges related to data breaches. The lawsuit accused Wyndham Worldwide Corp.—which suffered three major data breaches in two years—of unfair trade practices and of misleading customers into believing their cardholder data was adequately protected.

To Tony Busseri, CEO of data security firm Route1, the decision signaled a lasting shift toward corporate responsibility for “inadequate data security measures.”

“Legal consequences are a very concrete risk that organizations accept when settling for inadequate data security measures,” Busseri said. “As evidenced by [US District Judge] Judge Esther Salas’ decision, proper technological controls must be put in place to ensure the security of sensitive information. Information security can affect the financial well-being of the entire organization and thus ceases to simply be an IT function. Boards and executive management teams can no longer ignore the topic.”

Carrying the proper insurance is an important part of these increasing risk management responsibilities, says Gregory Podolak, a partner with insurance law firm Saxe, Doernberger, and Vita.  

“The FTC has as much unfettered access as it’s ever had to regulate data security and with the market pushing toward standalone cyber coverage, policyholders really need to think about getting that,” Podolak said. “The key point is that now that clients know the FTC has this authority, they will be even more concerned about having the proper coverage in place to respond and absorb this loss, and they will need their broker to walk them through that.”

Because the cyber liability product is a long way from standardized, Podolak says producers must be especially conscientious regarding policy language—particularly with how it relates to covering regulatory risks and potential legal fees.

Because many companies pursued by the FTC end up settling outside of court, commercial clients will want the peace of mind that comes with a ready amount of cash.

“These products are so new, many have never been considered by courts before and you have to be careful in making sure the actual policy language has been engineered to respond to that specific regulatory risk,” Podolak said. “Most of these policies are manuscript—written in [the underwriter’s] own language.”
