Misunderstandings over policy language can leave businesses unprotected, Richard Caplan warns in recent blog
An “alarmingly regular” series of data breaches and other digital attacks against major retailers and other organizations has set off a stampede for cyber insurance, according to Richard Caplan, a litigation associate in national law firm LeClairRyan’s Atlanta office. Purchases of such policies—which buttress traditional crime and general liability coverage—are expected to triple to $7.5 billion by 2020.
“But even if you purchase a cyber-specific insurance policy, disputes over coverage may still arise,” Caplan warns in a recent blog post at Information Counts, which focuses on privacy, data security, information technology, e-commerce and other digital issues. Some recent court rulings illustrate the challenges that businesses face when they try to guard themselves against liability, where decisions can hinge on the meaning of certain key words and phrases in a policy.
For example, following the 2011 Sony PlayStation data breach—where sensitive personal data for some 100 million customers was exposed by hackers—a Supreme Court of New York judge ruled that the insurer had no duty to defend or indemnify the electronics company under its Crime and General Liability policy. While the case was on appeal, Sony and its insurer reached a settlement.
“The insurance company argued its policy ‘was never intended to cover cyber losses,’” Caplan writes in the blog, Cyber Insurance: Make Sure You Understand Your Coverage. “But even if you purchase a cyber-specific insurance policy, disputes over coverage may still arise.”
He also cites a case involving Federal Recovery Services, which allegedly mishandled data from a company that operated fitness centers in several states. Federal had a cyber policy, but the United States District Court in Utah determined the insurance company was not obligated to defend Federal under the policy terms.
“This case illustrates two conflicting issues floating around in the world of cyber insurance,” Caplan explains. “First, that whether an insured is actually covered is not always so clear; and, second, that courts may be requiring a heightened standard of care for insurers to diligently investigate a cyber-related claim.”
Companies considering cyber insurance should start with the basics common to any kind of policy, he advises: “Do you need it, what risks should be covered – first party remediation, third party claims, or both – and how much is enough.”
Other cyber-specific issues include whether the carrier or the insured will choose a forensics expert in the event of a breach, or whether the carrier will impose underwriting conditions like data encryption and periodic audits or penetration tests. Also, “What key data are you trying to protect, how it is currently secured, and what is the risk of third party claims or litigation if it is compromised?” Caplan notes. “Many companies think their GCL or Errors & Omissions policies cover certain cyber risks, when in reality those risks may be specifically excluded.”
Additionally, many companies that have already purchased cyber insurance mistakenly think it covers all first-party costs in the event of an incident – like investigation, notification and credit monitoring – when it actually only covers third party claims, or lawsuits.
“If your cyber coverage only kicks in when a third party makes a claim, then practically speaking you may not have any coverage at all,” he warns. “For now, perhaps the most important thing to do is make sure you do not fall into the category of someone who thinks they are covered when they are not.
Also review the language and scope of your coverage on a periodic basis, speak with counsel about developing law in this rapidly evolving area, and monitor the way insurance companies are modifying their terms and contracts in response to recent legal and other developments.”
To read the full blog post, visit http://informationcounts.com/understanding-cyber-insurance-coverage/