In light of the shelter-in-place orders issued by states, counties and municipalities across the country, a significant number of businesses allowed most of their employees to work remotely. While working remotely has reduced the spread of COVID-19 in the workplace, employees may not be as diligent about cyber security while working from home. As a result, employers should be concerned that increased remote access by employees may make their networks ripe for cyber-attacks. According to a 2018 Security Tracker Study conducted by Shred-it, 86% of C-Suite executives and 60% of small business owners agree that the risk of a data breach is higher when employees work off-site than when they work at the office. In light of these concerns, employers must not only implement an effective remote work policy (more about remote work policies can be found here), but must also be aware of the cyber insurance issues that might exclude or otherwise limit coverage for a remote cyber breach.
This article is the first of several addressing the cyber insurance coverage issues that may arise in connection with a company’s claim relating to a data breach. The focus of this article is whether there is a covered data breach at all.
When a company suffers a data breach, coverage will depend on the specific provisions of the policy issued by its insurance carrier. Therefore, an insured’s first hurdle will be demonstrating that the cyber breach it suffered falls within the covered cyber incident described in the policy. Not all cyber policies are the same, as is demonstrated by a recent review of more than 100 cyber policies approved by the state of Georgia.
For example, one form approved by the Georgia Department of Insurance provides coverage for a “Cyber Event,” which is a “Data Breach” and/or a “Network Threat.” The cyber form defines a “Data Breach” as a “Security Failure or Privacy Event which compromises or potentially compromises data stored on the Company’s Computer System, including any Personal Information.” A “Security Failure” is further defined as any:
- unauthorized access to or unauthorized use of;
- denial of service attack by a third party directed against, or
- transmission of unauthorized, corrupting or harmful software code to, the Company’s Computer System; provided, that Security Failure will not include any such access, attack or transmission with the assistance or acquiescence of an Executive.
Under the policy form, a “Privacy Event” is any:
1. loss, theft or unauthorized disclosure of:
- personal information, or
- third-party corporate information provided to the Insureds and specifically identified as confidential and protected under a non-disclosure agreement or similar contract with the Company; or
2. violation of a Privacy Regulation provided, that Privacy Event will not include any such loss, theft, disclosure or violation made with the assistance or acquiescence of an Executive.
Compare those definitions with another Georgia-approved cyber coverage insurance endorsement that specifically provides that coverage is only afforded for a “Privacy Breach Event.” That endorsement defines such an event as “the theft or unauthorized disclosure of Protected Information due to the Insured’s unintentional failure to safeguard such Protected Information.” The endorsement further defines “Protected Information” as:
“individual’s name, social security number, medical or healthcare data, or other protected healthcare information, driver’s license number, state identification number, credit card number, debit card number, account number, account history, passwords, or other nonpublic personal information as defined in Privacy Law. Protected Information does not include records that are lawfully available to the general public for any reason, including but not limited to information from federal, state or local government records, and does not include any “phone book” information such as names, addresses, email addresses and telephone numbers and left part of any Privacy Law.”
Unlike the first policy discussed, this endorsement only provides coverage for a cyber incident that involves the theft or unauthorized disclosure of an individual’s protected personal information, such as an individual’s name, social security number and other private information. As a result, if a company had this type of policy, there would be no coverage for damages caused by a denial of service or a malware attack. Such cyber incidents would, however, be covered under the first policy.
This simple comparison shows the importance of companies analyzing their cyber risks, especially in light of the increased number of employees working remotely, and understanding whether their current cyber policies will provide coverage for those risks.