Cybercrime, social media and the cloud are popular buzzwords. The prevalence of information technology (IT) in Australia has not yet radically changed the claims made by companies, the policies developed by insurers and the disputes heard before the courts. But the international experience, and the increasing dependency of companies and individuals on technology, suggests that it warrants our attention.
The Ponemon Institute's 2013 Cost of Data Breach Study revealed that, on average, data breaches in Australia, at 34,249 compromised records per breach, resulted in more exposed records than in any other country. The study also identified that companies in Australia were among the most likely to:
- suffer a malicious cyber-attack
- spend money on investigating a data breach ($1.25 million per breach), and
- lose customers following a data breach.
It is estimated that cybercrime costs the Australian economy billions of dollars, and costs hundreds of billions of dollars globally.
Not surprisingly, cyber risk is an area of exposure and concern for Australian companies.
However, there has not been a uniform response to this new risk. While some insurers have rolled out specific cyber risk insurance products, many are of the view that traditional liability policies are sufficient to respond to claims arising out of the use of IT.
Can a commercial general liability policy protect against cyber risk?
Insurers and brokers need to carefully consider the terms of liability policies and how they respond to cyber risk, particularly how they define terms in insuring clauses and exclusions. On the one hand, companies that fall victim to cyber-attacks may find themselves uninsured under traditional policies. Conversely, insurers that have tried to isolate and separate risks by rolling out cyber risk insurance products may find that traditional policies respond to a broader range of claims than forecasted.
Sony's recent hacking experience highlighted the risk of relying on a commercial general liability policy to cover a data breach. Over 50 class action complaints were filed against Sony after hackers acquired personal data of millions of users of PlayStation's online services. In February 2014, the New York Supreme Court ruled that Sony's insurer had no duty to defend Sony against those claims. The policy's privacy cover applied only where the policyholder itself committed the act that violated a person's right of privacy; the publication of the data was the act of the hackers, not of Sony, and so fell outside the cover.
The Sony decision is at odds with an earlier decision by the District Court of California where a general liability policy was found to respond to claims arising out of a data breach affecting the hospital records of 20,000 patients. This discrepancy highlights the risk and uncertainty for both insurers and policyholders in relying on traditional liability policies.
Optional extensions and stand-alone policies
Exclusion clauses addressing claims arising out of the use of IT may be effective, but will be read down where they are ambiguous or undermine the commercial efficacy of the policy. Optional extensions that subvert the exclusion, potentially for payment of an additional premium, may allow insurers to better price and prepare for cyber risk.
Similarly, stand-alone cyber risk policies enable insurers to isolate cyber risk claims, and companies to rely on IT with confidence. There are likely to be teething problems with the scope and pricing of this fledgling cover, but these should be ironed out as more data becomes available.
Insurers can also mandate that their clients comply with nominated information privacy and security standards to be eligible for cover. This compels organisations to assess their internal policies and improve the integrity of their data processes, reducing both the likelihood of a successful cyber-attack and the scale of loss when one occurs.
However, there are also subtle risks at play. Insured companies that may be required to notify their clients of large-scale cyber-attacks or data breaches need to consider how they balance their obligations under an insurance policy not to admit liability with the desire to mitigate loss. This is particularly relevant where data breaches affect privacy rights.
The intersection of privacy rights and IT
The intersection of privacy rights and IT is a growing area of risk for insurers. Under the recently introduced Australian Privacy Principles (APPs), companies can face civil penalties of up to $1.7 million for serious or repeated interferences with privacy, in addition to the costs of rectifying a breach and exposure to civil claims. The APPs require that entities holding personal information only use or disseminate that information for the purpose for which it was collected, subject to certain exceptions. Entities are also required to take reasonable steps to ensure that overseas recipients of that information comply with the principles. This includes offshore databases and cloud services where information is stored and accessed over a network. The potential vulnerability of these systems to data breaches was highlighted by the recent leaking of nude celebrity photos that were allegedly retrieved from Apple's iCloud. Apple denied any breach of its systems, attributing the leak to targeted attacks on individual accounts (user names, passwords and security questions), which illustrates that an entity's data can be exposed through compromised credentials even where the underlying platform is not breached.
What does this mean?
For insurers, as companies and individuals become more reliant on IT, cyber risk will continue its transformation from futuristic buzzword to a present and pressing concern. This presents challenges and opportunities for lawyers and insurers alike, and the response to cyber risk is likely to require innovation and communication between insurers, brokers and their policyholders. Fortunately, communication has never been easier.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.