Most law firms and clients have cyber liability insurance. Cyber insurance policies provide broad coverage for cyber extortion, data restoration, public relations, computer fraud, business interruption, regulatory compliance, and related risks. However, having coverage is one thing; keeping it is another. The coverage under a policy depends on the representations the insured makes in its application and its subsequent compliance with them. One of the biggest reasons for coverage denial is a misrepresentation, omission, or incorrect statement in the insured’s application for the policy, or a failure to notify the insurer of any material changes in its security practices.
A typical application for cyber liability insurance will contain a privacy and security liability questionnaire, as well as a section on information security. According to an August 2022 Fitch Ratings Report, some of the key items insurance providers require for coverage include the use of multifactor authentication, employee training on phishing and other types of cyberattacks, strength-of-password requirements, regulatory reporting obligations, as well as an assessment of the quality of the insured’s incident-response plan and penetration testing. The insured must remain in compliance with these requirements to keep the coverage.
There is a hole in the cyber insurance net that stems from the insured’s inadvertent (hopefully not intentional) failure to understand its security measures and maintain them throughout the life of the policy. Unfortunately, too many insureds—law firms included—do not have a written information security policy (WISP) that sets forth the procedures for evaluating their electronic and physical methods for accessing, collecting, storing and protecting their data. Unless you know what you have and where it is located, it’s hard to know what you need to protect.
An insured’s failure to fully understand its data security practices and procedures can lead to material misrepresentations, omissions, and incorrect statements in the application for insurance. The consequences of misstatements or omissions in the policy application cannot be overstated. Unfortunately, one business that had a large data breach suffered those consequences when it was denied coverage and had its policy rescinded.
In Travelers Prop. Cas. Co. v. Int’l Control Servs., Inc., 2:22-cv-02145, complaint filed, 2022 WL 2532994 (C.D. Ill. July 6, 2022), Travelers sought to rescind its cyber liability coverage of the insured, International Control Services (ICS), because of material misrepresentations allegedly made by the insured in connection with its application for the policy. The insured had represented that “to the best of [its] knowledge and belief, and after reasonable inquiry, the statements provided in response to this Application are true and complete … .” (Id.) Travelers’ success in rescinding the policy was based on the fact that ICS, in its policy application, stated (and signed a separate attestation) that it required multifactor authentication to gain administrative access to its data. Upon investigation, Travelers determined that ICS misrepresented the scope of its authentication process, resulting in the breach. The parties agreed to rescind the policy and the lawsuit was dismissed with prejudice by a stipulated order.
The Travelers case clearly establishes the consequences of an insured’s failure to follow the policies and procedures claimed in its application. In fact, most insurance policies have a specific exclusion that precludes coverage for claims arising from the policyholder’s failure to maintain adequate security standards. As a result, insureds must regularly monitor, update, and test all cybersecurity requirements mandated in their policy.
The increase in data breaches, the costs resulting from them (which can include potential criminal and regulatory liability), the security measures and representations required by some law firm clients (banks in particular) and insurance companies, and the need to stay abreast of constantly changing threats, demand that law firms (and their clients) implement and closely monitor cybersecurity policies and practices. Best practices require at least an annual review of the written information security policies and practices.
Read your cybersecurity insurance policy application and representations to confirm each representation is accurate.
The bottom line: data breaches may be inevitable, but diligence and preparation can mitigate both their financial and reputational impact.
©2023 Reprinted with permission by the American Bar Association. This article was first published by the ABA Section of Litigation’s Commercial and Business Litigation Committee in January 2023.
Jones Foster Shareholder Robert W. Wilkins is Chair of the Litigation & Dispute Resolution Practice Group and is Board Certified by The Florida Bar in the areas of Business Litigation and Civil Trial. Rob represents and counsels clients in complex business litigation matters, including e-discovery and data privacy issues. He serves as Co-Chair of the Data Security Subcommittee and the E-Discovery Subcommittee of the ABA’s Commercial and Business Litigation Committee (CBL) and is a member of the Palm Beach County Bar Association Technology Committee.