Feature Story
Like a good neighbor, cyber insurance is here
By Correy E. Stephenson
Staff writer
Published: April 21, 2008
Just a few years ago, cyber insurance was the new kid on the block, a novel and exciting form of coverage for the expanding frontier of the Internet.
But today, any business or company with a web presence – including law firms – should consider purchasing coverage for a variety of problems that might affect their websites. "No matter how many safeguards you put in place, hackers are trying to get one step ahead of the software," cautioned Travis Crabtree, a litigation attorney who focuses on emerging media and Internet issues at Looper Reed & McGraw in Houston.
Insurance litigator and counselor Robert D. Chesler, a partner at Lowenstein Sandler in Roseland, N.J., explained that cyber insurance began as protection from the dreaded "Y2K" event.
But policies now include a range of coverage options and the market is continually expanding, he said, from coverage for defamation or libel claims for bloggers to coverage for a failure of service or a hacker attack.
"Insurance companies are entering the market with increasing speed and are now able to customize a policy to suit a business' specific needs," he said. "In five years, everyone will have one."
Coverage for intangibles
The policies began to develop after litigation arose when website operators sought coverage under their traditional general liability policies for data breaches and other virus issues.
In a typical case, someone would hack into a dentist's database, causing him to lose his patients' information and months' worth of billing information and insurance forms, explained Margaret Reetz, a partner at Kerns, Frost & Pearlman in Chicago who specializes in technology and privacy liabilities.
When the dentist sought coverage under his insurance policy, the insurer would argue that because there was no tangible property loss, the losses weren't covered, she said.
"Insurers then tried to address this lack of coverage by creating new types of policies," she explained.
The big push for cyber insurance came within the last few years, however, as numerous businesses reported significant security breaches of consumers' private information, Chesler said.
Coverage is especially important because data breach notification laws differ from state to state and the cost of responding to a breach can be substantial, Reetz noted.
Companies must notify their customers and certain third parties of a breach, as well as possibly pay for credit monitoring.
In addition, they must conduct a forensic analysis to determine how the database in question was affected and how they can recover from the breach, and in some cases, they must replace the credit or debit cards that may have been compromised – all of which adds up.
Policy types and coverage
There are two main categories of cyber insurance, Chesler explained.
A policy for computer-related business interruption includes coverage for a website being shut down by a denial of service attack, a virus or a hacker.
This type of policy is most important for e-retailers or companies that traffic in personal information on the web.
The health care field is also increasingly turning to cyber insurance, Reetz said, because of the expanding use of electronic medical records. While digitizing records can save patients time and hassle, it also presents serious issues when security is breached.
The second type of coverage generally covers intellectual property liability, including claims for defamation or copyright or trademark infringement – essentially for websites that have creative content such as blogs.
Reetz said she has handled claims on behalf of insurers when policyholders use an unauthorized link to another site, for example, or make a reference to a trademark-protected product without permission.
Coverage under cyber insurance policies typically includes not just civil liability exposure, but also fines or sanctions imposed by governmental entities, Reetz added. And some policies even include coverage for "cyber extortion," similar to kidnap and ransom insurance.
For example, if a major retailer were threatened during the holiday season by a hacker who figured out how to shut down the website right before the biggest shopping weekend of the year, how should the retailer respond?
It might be forced to pay off the hacker to prevent a denial of service attack, but could purchase insurance to cover such an incident and the costs associated with it, Reetz explained.
As the market continues to expand, "prices are surprisingly reasonable," Chesler said.
Crabtree said he helped a client purchase a policy last summer from AIG with annual policy premiums of $1,000 for $100,000 of coverage. The client – a small business – had coverage to protect it from hackers, internal crashes and data loss with a $1,000 deductible.
But larger businesses could pay up to hundreds of thousands of dollars in premiums annually, Reetz noted.
These prices reflect the fact that cyber insurance is relatively new and there is limited data on the real costs and risks to insurers, Crabtree said.
But he predicted that prices might decrease further as time passes and insurance companies are better able to quantify the risks.
Risk assessment and audits
Crabtree cited a 2007 study by the Computer Security Institute, which found that the average annual technology-related loss for U.S. companies was $350,424 – more than twice the average in 2006, which was $168,000.
And at the same time, the survey noted that 29 percent of the respondents had some form of cyber insurance.
A business interested in cyber insurance should perform a "risk assessment" to determine what type of coverage makes the most sense, Chesler suggested.
Crabtree agreed.
"It's a very case-by-case basis that depends on a lot of factors," he said. "Even a small mom-and-pop business that does most of its sales through the Internet should definitely have coverage because if their payment processing system goes down, they aren't going to be doing a lot of sales and [will be] losing a lot of money."
On the other hand, a company that engages in minimal transactions or whose website is purely for marketing purposes with no interactivity "may not need coverage," Crabtree said.
A law firm with an informational site also may not need cyber insurance, while a firm with attorney blogs and the ability for clients to log in and contact their attorneys would definitely need some form of coverage.
When cyber insurance was first offered, insurance companies would perform much more burdensome audits to analyze a potential insured's security measures and risks.
Today, only large companies with significant risk will be subject to such an analysis, Reetz said.
"For the big financial or health institutions with a great deal of potential exposure, the insurer may hire an outside firm to go in and issue a report on whether or not they have a Chief Privacy Officer, or a Chief Security Officer, what they are doing to keep their system secure, as well as what problems they may have had in the past," she said. The insurer could also "bring in different people to analyze their systems to make sure the company is using the best practices."
On the other end of the spectrum, a smaller company may only have to fill out some paperwork, checking off information about how much annual Internet revenue they have and what type of security system they use.
Because the policies are constantly changing to keep up with the ever-evolving world of the Internet, it's important for companies to be proactive, Chesler said.
"A lot of insurance brokers aren't up to speed on it yet, so you can't wait for your broker to bring [cyber insurance] to your attention," he said.
Questions or comments can be directed to the writer at: correy.stephenson@lawyersusaonline.com
© Copyright 2008 Lawyers USA. All Rights Reserved.