Beyond Data Breach: Evaluating Coverage for Misuse of Information Claims

July 6, 2020
Insights for Insurers

New and comprehensive privacy and cyber regulations continue to proliferate across the globe. These are not your father’s data breach notification laws. The scope of information included within these mandates has expanded significantly beyond the limited categories of personally identifiable information found in early notification laws to now include broad categories of information like browsing history, biometric information, geolocation information, and audio, visual, thermal, and olfactory information, depending on the specific law or regulation at issue.

In addition, these mandates typically are not limited to data breach and disclosure situations; they often apply to how covered entities treat protected information throughout its entire lifecycle, from collection or creation, through use, retention, security, until ultimate disposition. They may create disclosure obligations concerning the entity’s information-related practices as well as actionable rights for affected individuals. Some laws require that companies create certain roles such as a data protection officer or a chief information security officer, and establish requirements concerning oversight by corporate boards. They also may mandate creation of specific internal and/or publicly-facing written policies and procedures. In addition to empowering enforcement by a state attorney general or other governmental or regulatory agency, these new laws and regulations sometimes provide a private right of action to affected individuals, pursuant to which they can seek statutory and/or actual damages.

Achieving and maintaining compliance with these complex and constantly evolving privacy and security obligations can create both budgetary and operational challenges for many entities. Mistakes and mishaps are inevitable, even for those entities that fully embrace their obligations in good faith. Incidents can arise when entities act negligently or recklessly, or if they intentionally elect not to comply with legal requirements. This backdrop is leading to a higher frequency of regulatory actions and private lawsuits against covered entities that are quite different from “typical” data breach claims. How any given cyber insurance policy will respond to these information misuse claims requires a thoughtful analysis of the precise facts giving rise to the claim, the terms of the policy at issue, and the applicable law.

Cyber insurance policies typically include coverage for claims arising out of violations of cyber and privacy laws and regulations, but the coverage provided can vary greatly from policy to policy. When considering whether any given claim falls within a policy’s coverage, the following issues should be considered:

Conclusion

Cyber insurance policies typically provide broad coverages for a wide range of cyber and privacy risks, but that doesn’t mean that every claim involving the misuse of information will be covered under every policy. Insurers should closely review each claim at issue in light of the relevant policy language and applicable law.