
Coverage Issues Related To Remote Access Breaches- Part One: What Is A Covered Data Breach?

June 10, 2020 BY Karen Karabinos

In light of the shelter-in-place orders issued by the state, counties and municipalities across the country, a significant number of businesses allowed most of their employees to work remotely. While working remotely has reduced the spread of COVID-19 in the workplace, employees may not be as diligent with cyber security while working from home. As a result, employers should be concerned that the increased remote access by employees may make their network ripe for cyber-attacks. According to a 2018 Security Tracker Study conducted by Shred-it, 86% of C-Suite executives and 60% of small business owners agree that the risk of a data breach is higher when employees work off-site than when they work at the office. In light of these concerns, employers must not only implement an effective remote work-from-home policy (more about remote work policies can be found here), but must also be aware of the possible cyber insurance issues that might exclude or otherwise limit coverage for a remote cyber breach.

This article is the first of several articles addressing the various cyber insurance coverage issues that may arise in connection with a company’s claims relating to data breaches. The focus of this article is whether there is a covered data breach.

When a company suffers a data breach, coverage will depend on the specific provisions of the policy issued by an insurance carrier. Therefore, an insured’s first hurdle will be demonstrating that the cyber breach it suffered falls within the covered cyber incident described in the policy. Not all cyber policies are the same, as is demonstrated by a recent review of more than 100 cyber policies approved by the state of Georgia.

For example, one form approved by the Georgia Department of Insurance provides coverage for a “Cyber Event” which is a “Data Breach” and/or a “Network Threat.” The cyber form defines a “Data Breach” as a “Security Failure or Privacy Event” which compromises or potentially compromises data stored on the Company’s Computer System, including any Personal Information. A “Security Failure” is further defined as any:

  1. unauthorized access to or unauthorized use of;
  2. denial of service attack by a third party directed against, or
  3. transmission of authorized, corrupting or harmful software code to,

the Company’s Computer System; provided, that Security Failure will not include any such access, attack or transmission with the assistance or acquiescence of an Executive.

Under the policy form, a “Privacy Event” is any:

1. loss, theft or unauthorized disclosure of: 

  • personal information, or 
  • third-party corporate information provided to the Insureds and specifically identified as confidential and protected under a non-disclosure agreement or similar contract with the Company; or 

2. violation of a Privacy Regulation; provided, that Privacy Event will not include any such loss, theft, disclosure or violation made with the assistance or acquiescence of an Executive.

Compare those definitions with another Georgia-approved cyber coverage insurance endorsement that specifically provides that coverage is only afforded for a “Privacy Breach Event.” That endorsement defines such an event as “the theft or unauthorized disclosure of Protected Information due to the Insured’s unintentional failure to safeguard such Protected Information.” The endorsement further defines “Protected Information” as: 

“individual’s name, social security number, medical or healthcare data, or other protected healthcare information, driver’s license number, state identification number, credit card number, debit card number, account number, account history, passwords, or other nonpublic personal information as defined in Privacy Law. Protected Information does not include records that are lawfully available to the general public for any reason, including but not limited to information from federal, state or local government records and does not include any “phone book” information such as name, addresses, email address and telephone number and left part of any Privacy Law.”

Unlike the first policy discussed, this endorsement only provides coverage for a cyber incident that involves the theft or unauthorized disclosure of an individual’s personal protected information such as an individual’s name, social security number and other private information. As a result, if a company had this type of a policy, there would be no coverage for damages caused by a denial of service or a malware attack. However, such cyber incidents would be covered under the first policy.

This simple comparison shows the importance of companies analyzing their cyber risks, especially in light of the increased number of employees working remotely, and understanding whether their current cyber policies will provide coverage for those cyber risks.
