CYBER CORNER

THE RISING COSTS OF CYBER RECOVERY: COMPLEX SYSTEMS, COSTLY VENDORS AND REGULATORY SCRUTINY

In recent years, the cost of cyber incidents has risen dramatically, in large part because of the growing expense of recovering from them. Several factors drive those recovery costs.


A major factor driving recovery costs is the complexity of corporate networks. Restoring these complex systems after a cyber incident can be an intensive process, and it typically requires retaining outside vendors with specialized expertise, such as forensic investigators and data recovery specialists.


Another contributing factor to the rise in recovery costs is the increased regulatory scrutiny of cyber incidents. As regulatory bodies demand the reporting of relevant information about cyber incidents and institute security protocols, affected companies are faced with higher attorney fees and data mining costs to address these requirements. Although regulators may have valid grounds for stepping up their enforcement efforts, given the severity of some recent cyber incidents, businesses are often burdened with covering the costs involved in meeting these demands.


However, companies may be able to mitigate rising costs by having an incident response plan in place. Obtaining quotes from different vendors may help in quickly identifying the most cost-effective option for each specific incident. Also, matching service providers to specific claims may help minimize costs by allocating the right vendor to every stage of recovery. Although cyber incidents often trigger a range of expenses, affected companies can limit the financial impact of such incidents through advance planning.

REGULATORS STEP UP DATA PRIVACY ENFORCEMENT: WILL YOUR CYBER INSURANCE RESPOND?

A major telecommunications company (the “Company”) recently settled with the Federal Communications Commission (the “FCC”) to resolve an FCC investigation into multiple data breaches.


The settlement, which consisted of a significant monetary payment and remedial cybersecurity measures, stemmed from a series of data breaches between 2021 and 2023 that exposed personally identifiable information of present, former, and prospective customers. The FCC’s investigations revealed that the breaches during those periods were largely attributable to the Company’s poor cybersecurity protections.


The settlement underscored the importance of improving cybersecurity measures and corporate governance procedures in alignment with the FCC’s model. It also illustrated the increasing regulatory oversight of cybersecurity practices and the importance of implementing robust controls to protect customer data. The FCC’s involvement demonstrated the federal government’s commitment to bringing enforcement actions to combat the spike in data breaches in recent years, despite the lack of a national data privacy statute.


While adhering to protective measures is crucial, companies should also ensure that the initiation of a regulatory action constitutes a trigger for coverage under their cyber policies. Although coverage for regulatory actions in cyber policies varies, it is essential to ascertain that triggering coverage does not require an actual data breach, and that penalties are insurable under applicable laws. An experienced broker with a deep understanding of the market will be able to tailor your cyber policy language to the specific needs of your business, and to advocate for coverage in the event of a cyber incident.

NO COVERAGE UNDER CYBER POLICY FOR EMPLOYER’S UNAUTHORIZED USE OF BIOMETRIC DATA

Tony’s Finer Foods Enters. Inc. v. Certain Underwriters at Lloyd’s London, No. 1-23-1712 (Ill. App. Ct. Sept. 10, 2024).

An Illinois court recently reversed a lower court’s holding that an insurer had a duty to defend a grocery chain company (the “Company”) in an underlying class action (the “Lawsuit”). The Lawsuit was initiated by former employees against the Company alleging its improper collection and disclosure of their biometric data without sufficient notice or consent, thus violating specific Biometric Information Privacy Act (“BIPA”) provisions.


The Company sought defense and indemnification coverage for the Lawsuit pursuant to two identical cyber policies with its insurer covering two successive policy periods. The Company argued that the policy terms covering loss incurred from a “data breach” or “security failure” aligned with the Lawsuit’s allegations of unauthorized disclosure of employee biometric data. However, the insurer denied coverage because the Company failed to notify the insurer of the Lawsuit within the required policy period. In addition, the insurer maintained that the scope of the policy was limited to third-party unauthorized access to the Company’s systems and did not extend to allegations concerning the Company’s own collection and use of employee data.


The court sided with the insurer, finding that the BIPA claims contained in the Lawsuit were not covered by the policy, as the “data breach” coverage was limited to access to biometric data by a third party that the Company itself did not authorize. In support of its interpretation of the policy as a whole, the court also cited an exclusion for losses incurred from the Company’s unauthorized collection of employee data, which, according to the court, precisely described the allegations in the Lawsuit. The court concluded that, since the insurer had no duty to defend the claim based on the policy language and exclusions, it could not be estopped from raising policy defenses in the current action. This case highlights the importance of accurately interpreting all policy terms and exclusions in relation to the allegations in the underlying lawsuit.