KCIC is pleased to present this guest post by Laura Foggan, Partner at Wiley Rein LLP, serving as lead counsel in trial and appellate matters involving complex insurance claims.
I thought it would be interesting to explore this topic a bit more, especially with regard to the key coverage issues under different components of cyber coverage. This is a complex area, and there is much variation.
Data Breach Notification
We know that one of the key cyber coverage components is coverage for the costs of notification of a data breach. Digging in a bit deeper, a key issue is whether the policy covers the costs of notifications that are not necessarily legally required, or at least are not required by statute. Since breach notice laws vary from state to state, many companies may want to provide broader notice across the board (for instance, to simplify their notice process) — a practice that may raise coverage issues. Is a policyholder going to seek coverage for voluntary notice — or for notice it agreed by contract to provide — that may not be required under applicable law? This may not be within a coverage grant. A similar question arises when coverage is sought for mitigation efforts or goodwill activities, depending on the terms of the cyber policy.
Also, the definition of “damages” has long been a point of contention in coverage disputes, and it looms large in the context of cyber coverage as well. “Data breach” class settlements may not involve monetary compensation at all, or may include agreed relief that isn’t damages, e.g., future credit monitoring services.
In one of the earlier blog posts, there was a discussion of issues arising from cyber exposure to, or from, a company’s business partners — such as vendors. Some of the most highly publicized data breaches reportedly arose as a result of exploitation of a weakness in a vendor’s security. Another tricky set of coverage issues under cyber policies concerns exposure arising from employee or insider actions, as well as exposure from breach of employee data. There often are employment practices and other exclusions in cyber policies that bar coverage for exposures of this sort.
These are just a couple examples of coverage issues that can be presented in cyber policies. We are likely to see an increase in coverage litigation involving these specialized policies in the coming months.
Laura Foggan leads the Insurance Appellate Group as a Partner at Wiley Rein LLP, serving as lead counsel in trial and appellate matters involving complex insurance claims. She has participated in more than 200 insurance coverage appeals nationwide and made significant contributions to the development of key insurance law precedents across the country. A former co-chair of the Insurance Coverage Litigation Committee of the American Bar Association (ABA) Litigation Section, she is praised by Chambers USA as an “acknowledged expert in her field” (2013) with an “encyclopedic knowledge of insurance law” (2014). In addition, Laura counsels insurers on emerging exposures and represents insurers in arbitration and mediation settings. On behalf of both individual insurers and industry trade groups, she advocates for insurers in legislative and regulatory matters.