Cyber insurance transfers risk but doesn’t replace due care
The ongoing series of high-profile data breaches reported by companies across multiple industry sectors – including major retailers (Target and Home Depot), health insurers (Anthem and Premera), online service vendors (Uber), hotels (Mandarin Oriental and Hilton HHonors), and entertainment (Sony) – has raised awareness of the diverse and sophisticated nature of the threats that organizations face and has increased interest among executive teams in ways to reduce their risk exposure from data breaches. One increasingly popular option is cyber insurance, particularly to cover corporate liability from breaches and the ensuing harm to consumers, and to pay the costs of responding to breaches, such as notifying affected individuals and providing credit monitoring services. Firms that underwrite cyber insurance and the companies that seek such coverage are separating cyber liability coverage from conventional commercial general liability policies. This separation gives policyholders greater confidence that the potential damages from a cyber incident will be covered, but it also allows insurers to define exactly which types of incidents and damages are covered and to prescribe the conditions under which claims will be honored. Those shopping for cyber insurance should also be aware that, while there are now dozens of insurers offering such policies, the terms of coverage vary widely.
For organizational executives and risk managers looking for a means to transfer (rather than mitigate or accept) risks related to IT security and privacy, cyber liability insurance may be a terrific option. These companies should be mindful, however, that securing cyber insurance coverage does not diminish their obligation to ensure that adequate protective measures are in place for customer data and other IT assets. Adding insurance as a response to identified risks should therefore not be seen as a substitute for implementing the many types of available security and privacy controls, because those measures may be necessary to satisfy the standard of due care. The standard of due care in American tort law holds that organizations can be held liable if they fail to implement readily available technologies or practices that could mitigate or prevent loss or damage. The legal precedent for this traces back more than 80 years to a 1932 decision by the U.S. Second Circuit Court of Appeals, familiarly known as the T.J. Hooper case. The case involved two tugboats (the T. J. Hooper and the Montrose) towing coal barges that sank off the New Jersey coast in a storm. The cargo owner sued the barge company and the tugboat operators to recover its loss. The court ruled that both the barges and the tugboats towing them were “unseaworthy”: the tugs because they were not equipped with radios that could have alerted the tugboat pilots to the impending storm. Although the court noted that the use of such radios was not yet widespread, it nevertheless found the tugboat operators liable, because radios were available and, had they been in place, the bad weather and the subsequent loss of cargo could have been avoided.
The modern lesson is that where technology is available that can reasonably be expected to prevent or reduce the likelihood of loss or damage, under the standard of due care an organization may be held responsible for implementing that technology. This means, for instance, that organizations that have not established security monitoring or intrusion detection or prevention controls may find their cyber insurers unwilling to accept claims for breaches and resulting damages.