Insuring Your Business Against Cyber Risks (Part Two)

Below is the second in a series of posts from Emergent partner Peter Roldan on the increasing need for cyberinsurance.  His prior post in the series is here.

Any business that collects and stores Personally Identifiable Information (meaning social security numbers, driver’s license numbers, credit card numbers, or bank account numbers) or Personal Health Information (medical records, including diagnosis, treatment and prescription information), faces the risk of a data breach.  A data breach is commonly defined as a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

The costs of a data breach can be enormous. Almost every state has enacted notification laws requiring businesses to provide notice of a data breach all affected individuals. Some states, including California and Connecticut, also require businesses to provide free credit monitoring to individuals whose personal information has been compromised.

In addition, businesses hit with a data breach face the threat of lawsuits brought by individuals whose information has been exposed.

Generally speaking, insurance coverage for the losses and expenses associated with a data breach is not going to be available under the standard commercial general liability, directors and officers, and errors and omissions insurance policies typically held by most businesses.  Instead, businesses must look to special cyber insurance policies in order to insure against these risks.

Because the market for cyber insurance is relatively new, the scope of coverage offered under these policies can vary from insurer to insurer.  Policyholders looking to purchase cyber insurance should familiarize themselves with the specific types of coverage that apply to data breach risks and, if needed, seek advice as to what’s needed for their business.

Liability Coverage

Most cyber insurance policies include liability coverage, including defense costs, for claims made against a policyholder brought by persons whose personal information has been exposed in a data breach. 

Notification Costs

The costs of notifying affected consumers is usually the biggest out-of-pocket expenditure associated with a data breach.  Policyholders should make sure that coverage includes the costs of voluntary notification and is not limited to notifications required by law.

Crisis Management

The damage to a company’s reputation following a data breach can be immeasurable, making coverage for crisis management expenses essential.  Policyholders should examine the policy to make sure that these expenses are covered and to familiarize themselves with any limitations that might apply.

Having insurance to cover the fallout from a data breach is essential, but it’s just as important to make sure that the coverage purchased actually fits a company’s needs.  To find out how Emergent can help you to better understand your insurance coverage and identify any potential gaps, contact us.

Insurance Update: Insuring Your Business Against Cyber Risks (Part One)

Emergent partner Peter Roldan not only litigates insurance coverage matters, and provides advice to other attorneys on insurance issues in their cases, but also advises companies on how to avoid gaps in their insurance and how to maximize their coverage.  Below is the first in a series of posts from him on the inceasing need for cyberinsurance.

Data breaches. DDoS attacks. Ransomware.

Ask any IT professional and he or she will tell you that these are some of the biggest cyber risks that their clients face.

As businesses continue to move more of their operations online and into the cloud, they need to prepare for these threats just like they would any other disasters.

For most businesses, that means obtaining insurance, and many business owners have heard that their businesses need to carry cyber-insurance coverage.

But what exactly does cyber-insurance cover that isn’t already covered under standard commercial property or commercial liability policies? Does your business actually need an additional, specialized insurance policy? These days, the answer is mostly likely “yes.”

Almost all businesses face exposure to cyber risks that are not covered under traditional lines of insurance, and these risks can result in losses that would be difficult to absorb. In a worst-case scenario, it could mean the end of a business.

Of particular concern are risks relating to data breaches, denial of service attacks, data loss or ransoming, and hacking. Businesses that provide online content or that are heavily involved in social media activities also face additional risks that are often excluded under standard commercial liability policies.

In this multi-part series, we’ll help business owners to better understand the risks that are covered (and not covered) by these policies, and provide them with the tools to ensure that claims are paid when a loss occurs.

What Is Cyber-Insurance?

Insurers offering cyber-insurance coverage typically provide coverage under their own unique policy forms (unlike commercial general liability coverage, which is usually written on policy forms using standardized language). Because each insurer is using its own forms, there’s no such thing as a standard cyber-insurance policy.

These policies often provide both property/casualty (first-party) and liability (third-party) coverage for cyber risks:

First-Party Coverage:

● Distributed denial of service attacks (DDoS)

● Damage to networks and equipment

● Data loss

Liability (Third-Party) Coverage:

● Data breaches

● Internet/media activity

● Regulatory action and statutory violations

In addition to stand-alone cyber-insurance policies, some limited coverage for cyber risks can also be included as endorsements to more traditional first-party and third-party policies. Before purchasing a cyber-insurance policy, it is a good idea for business owners to review their policies with an insurance professional in order to determine what is already covered and to identify the potential coverage gaps.

In our upcoming posts, we’ll examine some of the specific coverages that apply to cyber-risks, starting with data breaches, as well as the issues businesses should be aware of when applying for and purchasing cyber-insurance policies.

Five Emergent Attorneys Lauded by Super Lawyers

For the second year in a row, multiple Emergent attorneys have been acclaimed by Super Lawyers based on their peer recognition and professional achievement. Greg Demirchyan joined Joshua Paulson and Christopher Wimmer (both for the second straight year), as well as Chi-Ru Jou (for her fourth straight year) as Rising Stars, a designation given to the top 2.5% of attorneys under 40 or with fewer than ten years' experience. Seth Rosenberg was named a Top 100 Super Lawyer for Northern California, the sixth year in a row he has received that, the Super Lawyer, or the Rising Stars designation.

We're grateful that our peers have taken notice of our work.  To find out why they did, contact us.

Trial Attorney Seth Rosenberg Joins Emergent

Emergent is pleased to announce that Seth I. Rosenberg, a Columbia Law School alumnus who has obtained millions in settlements and verdicts in personal injury actions throughout California, has joined the firm.  Seth has been named a Top 100 Super Lawyer for all of Northern California the last two years and is regularly asked to speak to attorneys regarding trial and civil litigation practice.  In his last three trials, he ended up obtaining verdicts or settlements that were multiples of defendants’ last, best pre-trial offers.

Before joining Emergent, Seth was a partner at the esteemed Minami Tamaki LLP, founded by civil rights icons Dale Minami and Don Tamaki.   He also was previously an attorney at O’Melveny & Meyers LLP, practicing in white-collar criminal defense and intellectual property litigation.

Seth adds 15 years of invaluable courtroom experience to our firm, and will bolster our ability to take to trial not only personal injury matters, but also complex commercial, mass tort, insurance coverage, and civil rights matters.

To find out how Seth and Emergent can help you, contact us.

Emergent's Greg Demirchyan Authors Second Paper on Computer Fraud and Abuse Act

In February, Emergent partner Greg Demirchyan released a whitepaper analyzing recent federal decisions construing the Computer Fraud and Abuse Act and their implications for data-driven enterprises.  Today, he released the second part of that paper, covering two recent Ninth Circuit decisions construing the Act's requirement of "unauthorized access" for civil and criminal liability.

The paper is available here.  For more information about our work with businesses on the cutting edge of technology, contact us.

Emergent Adds Litigation Partner Peter Roldan

Emergent is pleased to announce that Peter Roldan -- a Columbia Law School alumnus with over a decade of experience in insurance coverage and other commercial litigation  -- has joined the firm as a partner in San Francisco.  Peter brings in-depth expertise in coverage matters and expands the firm's litigation practice to three attorneys, allowing us to take on ever-larger, more complicated cases.

You can read more about Peter here.  To find out how he and Emergent can help you, contact us.