Cyber insurance experiencing 'Future Shock'
Insurers who write cyber liability policies are well-equipped to manage cyber claims, but what about carriers and adjusters who face such claims under more traditional policies?
The idea of “Future Shock” — that an accelerated pace of change causes social and psychological disruptions — dates from Alvin Toffler’s 1970 book of the same name. As it copes with the mutable nature of cyber risks, the insurance industry is experiencing such a shock. Insurers who write cyber liability policies are well-equipped to manage such claims, but what about carriers and adjusters who face such claims under more traditional policies — also known as “Silent Cyber”?
Expanding liability
Recent court decisions show how a cyber claim can arise under a traditional policy:
- A Maryland federal district court determined that a ransomware attack — and the insured’s attempts to remedy that attack — caused “direct physical loss or damage” to the insured’s computer system by slowing the system and making it less useful. The carrier argued that the critical issue was whether the software or data had been damaged, and that both were intangible. The court reasoned that the business owner’s policy listed among covered items “data stored” on physical media, including software. Thus, the policy contemplated that these things could experience direct physical loss or damage. Nat’l Ink and Stitch, LLC v. State Auto Prop. and Cas. Ins. Co., 435 F.Supp.3d 679 (D. Md. 2020).
- Under a similar policy, Ohio’s Court of Appeals determined that the encryption of a company’s data — when hackers locked the data after gaining access to the company’s systems — may fall within the definition of “direct physical damage.” The court noted that in addition to damage to data and media, the attack resulted in the company’s phone system being completely unworkable. EMO Servs., LLC v. Owners Ins. Co., 2021 Ohio App. LEXIS 3849. The Supreme Court of Ohio has accepted review.
- A company that operated restaurants, hotels, and casinos suffered a data breach which led to the loss of customer credit card data. A credit card processor sued the company after a data breach seeking to recover $20,000,000 in assessments from MasterCard. The company sought coverage from its insurer under a commercial general liability policy. The United States Court of Appeals for the 5th Circuit found that the retail company’s loss of the data was a “publication” of that information that triggered “personal and advertising injury” coverage. The insurer had to defend the case against the retail company because the complaint alleged that the breach had exposed consumer data and violated the right of the consumers to keep credit card data private. Landry’s, Inc. v. Ins. Co. of the Pa., 4 F.4th 366 (5th Cir. 2021).
- The most recent example comes from the court that reversed itself. Target’s 2013 breach led to $138 million in losses, including $74 million to replace credit cards that were compromised. After finding no coverage in a 2021 ruling, the court changed its mind in March 2022, ruling that the loss of use of the compromised cards had occurred to “tangible property that is not physically injured.” Target Corp. v. Ace Am. Ins. Co., 19-cv-2916 (WMW/DTS), 2022 U.S. Dist. LEXIS 51044 (D. Minn. Mar. 22, 2022).
What makes cyber claims so difficult?
As the cases above show, cyber claims can have huge stakes. This has caused insurers to try to clarify when such losses are covered. They have tried to exclude cyber liability from traditional policies for more than a decade, seeking to push coverage for such claims toward cyber-insurance policies. But this is where the Future Shock comes; insurers cannot write new policy language as quickly as hackers change their tactics.
Tips for non-cyber adjusters
1. Recognize the need for speed
Accelerated pace is both a general and a particular problem in cyber losses. Not only do the ways of causing such a loss morph quickly, but the facts of individual claims change by the hour, if not by the minute. Cyber adjusters are accustomed to retaining breach counsel within hours after receiving a new claim and being on a call with counsel and the insured shortly after that to discuss the breach. Often the result of that call is to recognize the need for a forensic investigator. A second call happens with the insured, counsel, the adjuster, and the forensics team. All this typically is done within 24-36 hours after the adjuster receives the assignment.
There are two reasons for this. If the hackers have left evidence in the insured’s system, the forensic investigator wants to get that evidence before the insured restores its systems in a way that might destroy it, or before critical logging “rolls over.” More importantly, not every hacker attack leads to a breach of information. If there is any chance of stopping an attack before it becomes a breach, the investigator, counsel, and insured must act quickly.
This schedule makes the 20-30 days between the filing of a complaint and the due date for an answer seem leisurely.
2. Recognize and deal with coverage issues quickly
If your company manages coverage in-house, get the file in the hands of a coverage adjuster or attorney. Even with that done, the claim adjuster still must consider coverage issues while overseeing the claim.
First, cyber policies generally cover both liability to the insured resulting from a cyber event and the insured’s own losses, which can include remediation of its computer system, amounts spent to protect or restore its reputation, and sometimes lost business income. Even if a court finds cyber coverage where an insurer did not think it existed, that “Silent Cyber” coverage is likely to extend only to first party claims or liability claims, not to both. The adjuster must be able to explain this before the insured develops unwarranted expectations.
Next, the claim-handling adjuster must be able to understand and apply the language of a particular policy to determine what parts of a loss might be covered. For example, under a business owner’s policy, an adjuster may need to understand whether the insured has suffered “direct physical loss of or damage to” covered property. As National Ink points out, “physical” may not mean the same thing as “visible.” Computers rearrange “the atoms or molecules of a disc or tape” to store data. National Ink, 435 F.Supp. 3d at 684.
In the end, Nat’l Ink turned on policy language. The policy before that court expressly included electronic storage media (and the data stored on them) as covered property. Other cases construed policies that did not include data as covered, leading to the conclusion that data was not covered because it “cannot be touched, held, or sensed by the human mind; it has no physical substance.” Id. at 683, quoting State Auto Prop. and Cas. Ins. Co. v. Midwest Comp. & More, 147 F.Supp. 2d 1113 (W.D. Okla. 2001).
3. Act quickly but deliberately
A claim under a business owner’s or crime policy may not proceed on the compressed schedule of a claim under a true cyber policy. But in such a claim, the traditional adjuster may face all or some of the same reasons a cyber claim moves so quickly — an insured may still be facing an active attack, attackers may be shifting their tactics quickly to meet any initial response, and all these forces are acting on electronic data which, by its nature, can change constantly. As in the National Ink case, the adjuster may have to deal with an insured whose data is not accessible and wants access to it immediately. That wish may run counter to the needs of a forensic investigation.
An adjuster not familiar with these issues may find intramural assistance. If working for a company that writes cyber insurance, the adjuster should reach out to a counterpart in cyber claims for advice. Is this a case where a forensic vendor might assist in defending the claim or mitigating damages? If so, the earlier the adjuster can bring such a vendor on board, the better. But it generally is better to follow the practice of cyber adjusters, who allow breach counsel to retain the forensic specialists to cloak their work with attorney-client privilege.
Is this a case that trusted defense counsel can manage, or does the adjuster need to consider retaining counsel with knowledge of cyber issues? A cyber adjuster may be helpful in making this call. If there is a genuine need for either an expert or for counsel conversant with cyber issues, the cyber adjuster can help identify experts and counsel who already are on the insurer’s panel.
If the traditional adjuster does not have access to a cyber adjuster in the same company, the next step may be to vet law firms already on the carrier’s approved list. If a panel firm also has a cyber practice, the adjuster may find help in a familiar place. In firms that have a data security practice, there may be overlap between attorneys who do defense or coverage work and those who advise clients on data security.
Advice and foresight from these sources can help the non-cyber adjuster address the need to act quickly, but correctly.
4. Understand — and help the insured understand — the need to preserve evidence
Many adjusters are accustomed to addressing early in a claim whether physical evidence exists, and whether it has been preserved. But in the electronic world — where evidence can include the date stamp on a data file, which changes whenever it is accessed — adjusters must act quickly. This highlights again the requirement to have access to forensics experts who can save an evidentiary copy of the insured’s data and systems software, and who know how to keep that information under a proper chain of custody so it can be used as legal evidence.
The need to preserve such evidence can run counter to the insured’s first thoughts after a cyber event — wiping hard drives of affected computers, using backup systems to restore compromised data, or gaining access to locked data using an encryption key purchased from hackers. But the insured must preserve its data for several reasons:
- It may need the data to defend liability claims. If the insured has been the victim of a criminal act, that act may supersede any conduct that would put fault on the insured or may establish that the insured was not negligent because it acted to protect its systems.
- The insurer may need the data to evaluate liability, or statutory and/or contractual notification obligations.
- The data may lead to subrogation opportunities. It is part of cyber insurance folklore that the Target breach happened because it gave its HVAC provider credentials to its network for electronic billing and project management. An insured (and its carrier) who suffers a data breach may have recourse against its contractors and suppliers. But loss of the initial data may complicate attempts to subrogate.
Part of the sting of “Future Shock” is that the accelerated pace of change is not anticipated. In a world where most insureds rely on computers and networks to conduct day-to-day personal and commercial business, non-cyber adjusters must expect that they will face claims involving the use or loss of computer data and equipment. When that happens the adjuster must understand the need to act quickly and know who can help the adjuster get up to speed.
Barry Miller is the chair in Freeman Mathis & Gary, LLP’s Lexington, KY office, and co-chair of the firm’s insurance coverage and extra-contractual liability practice section.
Elisabeth “Lisa” Gentile is a partner in the Columbus, OH office of the firm. Lisa has over 25 years of litigation and trial experience in the areas of general defense and risk exposure and prevention issues.