The exclusions are an important part of any liability insurance policy, but this is particularly true of cyber liability insurance policies. In the following guest post, Robert Bregman, CPCU, MLIS, RPLU, Senior Research Analyst, International Risk Management Institute, Inc., takes a look at ten of the most common exclusions found in cyber liability and privacy insurance policies. This guest post is an excerpt taken from a longer article entitled “Cyber and Privacy Insurance Coverage” that appeared in the July 2015 edition of The Risk Report, and is copyrighted by IRMI. Learn more about The Risk Report here.
I would like to thank Bob for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Bob’s article.
******************************************************
As is the case with virtually every type of management liability insurance, the true extent of coverage that any given policy provides is a function of its exclusionary language. Accordingly, this article will analyze both the differences and similarities between 10 of the most common exclusions found within cyber and privacy policies. Its goal is to assist the reader in negotiating exclusionary wording that maximizes the scope of coverage a policy will provide in the event of a claim.
Bodily Injury and Property Damage. Cyber and privacy forms exclude coverage for claims alleging bodily injury and property damage. This is because such losses are covered under CGL/property insurance policies. However, cyber policies should contain language that excepts—and thus covers—“mental anguish,” “shock,” “emotional distress,” and “humiliation.” This is important, because in addition to alleging financial losses, data breach-related lawsuits also sometimes include these types of allegations.
Employment-Related Claims. Employment-related claims are excluded by cyber forms because employment practices liability (EPL) policies are designed to cover such exposures. However, exclusions pertaining to employment-related acts should except—and thus cover—employee suits alleging employment-related privacy violations, such as when personally identifiable information (PII) is obtained via electronic hacking. Although EPL forms also cover this exposure (invasion of privacy is a covered peril under virtually all EPL policies), in an actual claim situation, the coverage available under a cyber and privacy policy is likely to be more robust. Therefore, an insured should have its EPL policy endorsed to cover cyber-related invasion of privacy claims on an excess basis, and its cyber policy endorsed to cover such losses on a primary basis.
ERISA Act Exposures. Similarly, the policies exclude coverage for exposures relating to an employer’s responsibilities enumerated by the Employee Retirement Income Security Act (ERISA) of 1974. Again, this is because such exposures are covered by a more specialized policy: fiduciary liability insurance. However, cyber forms should except, and thus cover, claims involving data breaches that impact employee benefit programs, such as when a hacker obtains information about an employee’s medical condition that is stored in an electronic file pertaining to the health insurance coverage purchased and administered by an employer-insured. Once again, because the scope of coverage in a claim situation of this kind will probably be more comprehensive under a cyber and privacy policy, that form should be endorsed to cover such losses on a primary basis, and the fiduciary policy endorsed to cover claims of this nature on an excess basis.
War, Invasion, Insurrection. Nearly all of the policies exclude coverage for claims caused by war, invasion, insurrection, and similar perils. To insureds’ detriment, a number of insurers also exclude coverage for “terrorism” within this exclusion. Yet, language of this kind is problematic, because virtually every intentionally caused cyber-related hacking or intrusion event could be considered “terrorism,” thus affording the insurer an opportunity for a coverage denial. One means of moderating the scope and effect of such wording is for insureds to request that this exclusion be amended to affirmatively cover “electronic terrorism.” Wording of this kind would preserve coverage for hacking/intrusion-driven losses—although it still might preclude coverage if, for example, an insurer were to assert that an individual who stole paper files containing PII had engaged in an act of “terrorism.”
Fraud, Criminal, Dishonest Acts. Although the policies exclude coverage for fraudulent, criminal, and dishonest acts, make sure this exclusion is worded so that it only applies when these acts are committed by an insured and not by third parties. Such wording preserves coverage to defend insureds if they are accused of criminal acts. The language of this exclusion should also (a) provide defense coverage for “innocent insureds” (for situations where one or more insureds did commit an intentional act, but others did not) and (b) contain “final adjudication” defense wording.
Patent, Software, Copyright Infringement. Patent infringement claim exposures are excluded by cyber policies because they can be covered by intellectual property (IP) insurance forms. Nevertheless, the broadest cyber policies affirmatively cover the defense costs associated with copyright infringement claims, provided they are caused by non-management employees or by outside, third party technology providers.
Mechanical or Electrical Breakdown/Failure. The policies exclude coverage for losses caused by mechanical or electrical failures and breakdowns for two reasons. First, such failures do not usually result from data breaches. Second, when these kinds of breakdowns do cause business interruption, the resulting losses are normally insurable under standard property policies. Yet, some mechanical failures can be caused by hackers who, for example, overload a system (e.g., by using a “spam attack” or by introducing a virus that shuts down a system). As a consequence, insureds should request wording that excepts, and thus covers, mechanical/electrical failures that are intentionally caused by hackers.
Failure To Follow Minimum Required Security Practices. Applications for cyber and privacy insurance policies routinely contain detailed questions regarding the steps the applicant is currently taking to protect its electronic data. Accordingly, a growing minority of policies exclude coverage in the event it can be established that a claim was caused by a failure to continue implementing such measures (e.g., not regularly checking and maintaining security patches). Fortunately, this exclusion is not (yet) universal. Therefore, an insured can avoid it by selecting a policy that does not contain an exclusion for failing to follow minimum security practices. If this is not possible, the insured should, first, take great care when completing a coverage application, making sure not to overstate the scope of its current cybersecurity measures. Second, once coverage is in place, insureds must closely and continuously monitor the extent to which the procedures enumerated within the application are actually being implemented.
Professional Services. This exclusion eliminates coverage for what are essentially technology E&O exposures (i.e., providing technology products and services to others for a fee), rather than losses resulting from data protection issues—the essence of the coverage provided by cyber and privacy insurance. Therefore, technology businesses such as cloud providers and website designers should buy “tech E&O” coverage, rather than cyber and privacy insurance.
Loss Involving Portable Electronic Devices. This exclusion (while admittedly unusual) is referred to as the “laptop exclusion.” It is typically added as an exclusionary endorsement, rather than being included within the regular provisions of cyber and privacy policy forms. A few insurers require this exclusion because a surprisingly high percentage of data breaches have been traced to portable electronic devices. (One Ponemon study indicated that 29% of all breaches involved such devices.) The key point to recognize is that insurers will sometimes agree to remove the exclusion, provided the insured agrees to encrypt (i.e., “scramble” to make unreadable) all data contained on its portable devices.
Concluding Thoughts. Hopefully, the “preferred wording” suggested within this article is already incorporated within the exclusionary language contained in your cyber and privacy policy. In cases where it is not, it might be worthwhile to attempt to negotiate the foregoing modifications.