Last year, I asked my friend Cary Platkin, a tech attorney specializing in SaaS/cloud issues, to contribute to this blog with a Q&A on the SaaS Business Model and Some Common Legal Questions. That posting was so well received, I asked him to come back again with whatever issue was most pressing for his clients these days.
Not surprisingly, he said SaaS and cloud-based companies are struggling with the liability issues associated with customers’ number one concern – security. Customers want vendors to assume unlimited liability for security breaches; vendors want to restrict and cap their liability. Negotiated subscription agreements often end up somewhere in the middle. So, how can a vendor give its customers a high level of liability protection and still sleep at night?
Q. So, Cary, what exactly is “cyber liability insurance”?
A. Cyber liability insurance is insurance that allows a vendor to outsource the risks that remain after it has implemented direct, technical computer security measures and attempted to limit its contractual liability to customers. Since typical commercial general liability (CGL) and errors and omissions (E&O) policies rarely cover “intangible” losses related to loss of data, privacy breaches, and the like, cyber liability insurance policies are intended to fill that hole to address the particular needs of a company doing business in the cloud.
Q. Why should SaaS/cloud providers strongly consider cyber liability insurance?
A. Unlike traditional enterprise software vendors who ship software to their customers to run locally, SaaS and cloud-based service providers receive and maintain business and personal data on behalf of their customers. The value of this data to the customer often exceeds the cost of the service. So, customers are not shy in asking for security and confidentiality liability that far exceeds the profit the provider can expect.
Providers rely on a myriad of employees and third party vendors (cloud platform providers, collocation facilities, system integrators, solutions providers, etc.). However, these folks cannot or will not provide adequate liability coverage for the security breaches they may allow. After security policies and procedures have been put in place and agreed to, cyber liability insurance increases the providers’ ability to offer liability levels that go beyond the value of the contract.
Q. There is a lot of media hype around security issues but just how big is the risk of a real data breach?
A. Data breaches can come from any number of causes: unauthorized access to online systems, denial-of-service attacks, and introduction of viruses and malicious code, any of which may result in loss, dissemination or destruction of electronic data, business interruptions, privacy law violations, disclosure of non-public personal and or confidential information, and, potentially cause financial harm to the persons whose data is released, as well as the provider.
Fixes can be expensive: detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.
Recent studies provide varying results regarding the cost of data breaches, but they are always expensive:
- A recent survey by the Computer Security Institute found that the average company financial losses due to security incidents exceed $230,000. The Ponemon Institute puts the average total per-incident cost even higher at $6.75 million, with an average cost per compromised record of over $200.
- In the CSI survey, wireless related exploits were the most expensive, averaging $770,000 in losses per incident, followed by theft of personally identifiable information or personal health information through all causes other than mobile device theft ($710,000), and financial fraud ($450,000).
Rogue employees are part of the problem, resulting in data security issues 43% of the time. But accidents can happen too: 25% percent of survey respondents felt that over 60% of their financial losses were due to non-malicious accidents by insiders.
Q. If I’m a cloud provider, can’t I just pass some of the liability on to my vendors?
A. You could pass some of the liability for your vendors back to them, if they were willing to accept it. Problem is, they are not. I have negotiated enough contracts with cloud platform providers, collocation facilities, telecommunication providers, solution providers and others to know that they will simply not take on the liability for damage to your business or your customers’ businesses resulting from their data security breaches. (I’ve actually heard counsel for a colo extol the virtues of its security procedures, only to assert that it should have zero liability for data breaches because placing a box in the facility does not constitute disclosure of the data. At least they offered to cover the cost of the lost hardware if one of their employees walked off with it.)
Inevitably, you will be stuck in the middle between your customers and the third party vendors you use to provision your service at a reasonable cost. Remember that agreements with vendors should require that they carry a cyber/privacy liability policy that names you as a third party beneficiary.
Q. How do I decide what cyber liability insurance I need?
A. To decide what kind of cyber liability insurance you need, first evaluate your existing policies, and ask yourself the following questions: Am I covered for loss of electronic data? Is electronic data stored on media covered? Are first party claims covered (damage to your company’s electronic data or equipment)? Are third party claims related to electronic data loss covered (in other words, customers who claim you damaged or lost their electronic data, or personal information)? Newer commercial general liability (“CGL”) policies typically exclude electronic data loss from coverage as electronic data is excluded from the definition of covered tangible personal property.
You should also consider whether any of the following types of damages and claims are covered or expressly excluded from your policies: DNS and other types of hacker attacks (causing downtime, and potential exposure to your customers); transmission of malicious code; data released by rogue employees or by employees making innocent mistakes; security breaches; business interruptions; privacy violations, including disclosure of personal information or customer personal information, and incidents related to unauthorized access to company online systems; unauthorized access to credit card information; notification and other expenses incurred in remedying a privacy breach; expenses related to customers’ claims; costs to investigate and restore data. In reviewing these scenarios in your existing policies, examine how and whether intentional acts are excluded from coverage; and whether fines, penalties and related settlement costs are covered in any policy.
Also consider whether your current policies cover liability assumed under contract. A CGL policy may not cover liability assumed under contract; they primarily cover tort liability. It is good practice to consider obtaining coverage that expressly covers contractual undertakings, for example, indemnity for privacy breach, as this will give you some flexibility in the types of promises you can safely make to customers. In addition, look at whether your policies cover acts of subcontractors (such as data that is lost/damaged by your collocation provider facility or by your consultants).
Finally, think about the kind of data you are storing online and where is it being stored. Does it contain any personally identifiable information (“PII”)? If yes, then at minimum, you’ll need privacy liability coverage. Is the data encrypted? What techniques are you using to protect unencrypted data? This is quite important since some insurers may include policy exclusions for unencrypted data. Are you transmitting, or do you plan to transmit any PII from Europe to the US? If so, are you US–EU Safe Harbor certified? Do you have good procedures in place for a data breach event? Do you have a disaster recovery and business continuity plan in place? These things matter in terms of whether you can get a policy, and how much it will cost.
You might consider “cyber extortion” coverage if you are concerned about the risk of having to pay a ransom amount demanded by a hacker threatening to shut down your company’s network/services or steal private information. These policies often include forensic or investigative costs to help determine the validity of the hacker threat, and there is usually no deductible because the carrier views this as a proactive measure that could prevent larger damage and loss.
This isn’t an exhaustive list – consider other loss scenarios not mentioned here to determine with your broker what other risks should be covered. For instance, Mike Gilmore of Crump Insurance Services, Inc. in San Francisco highlights that intellectual property infringement and personal injury claims arising our of technology products, services and website activity are often covered with a cyber liability policy. Software copyright infringement claims are fairly common for software code. And he’s seeing more and more personal injury claims arising from company websites that contain blogs where individuals can post comments, pictures, and otherwise, that can be defamatory, slanderous, and damaging to reputation.
Q. What other steps can I take to limit my liability with cyber liability insurance?
A. Many carriers are offering proactive services in addition to the risk transfer in the cyber liability policy, including forensic experts and consultants who can help mitigate a security/privacy breach, legal experts to advise on requirements per state, public relations support, and even 24-hour IT support for guidance if a company thinks it may have a privacy breach situation or hacker threat.
Using its authority under Section 5 of the FTC Act, which prohibits unfair and deceptive practices, the FTC has brought a number of cases to enforce privacy policies, including promises about the security of consumers’ personal information.
A good recent example of this was the settlement by Twitter with the FTC for Twitter’s lax security practices. The case involve two hacking incidents in 2009, one in which a number of high profile accounts were compromised, and another in which a hacker gained access to a Twitter employee email account containing the employee’s administrative password. Under the terms of the settlement, Twitter was barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information. The settlement also required Twitter to establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years. Similar settlements between the FTC and various technology companies over security breaches can be found on the FTC website.
First be sure there is a broad definition of “Claim” so coverage applies to demands, investigations, requests, complaints, and civil, criminal, and administrative and regulatory proceedings. In terms of FTC and other government agency activity in the privacy arena, this is becoming increasingly important.
Evaluate the definition of “Loss” to ensure coverage encompasses a wide scope of relief, including statutory, and regulatory fines and penalties, defense, investigative and settlement costs. Clarify that disruption, corruption, deletion, theft, or copying of data, software, or programs whether stored electronically or on good old fashioned paper is deemed to be “physical loss or damage” to potentially avoid coverage issues for loss or damage of electronic data. Seek to add a provision covering the cost of making a determination that reconstruction of data is impossible. Look for coverage for unauthorized use by authorized users. Check for coverage for loss of use by a third party.
Examine the “Exclusions” to coverage to ensure they are narrow and contain “exceptions” where coverage will be provided. If possible determine if exclusions for bad conduct by officers, directors or company employees will be triggered only by a final adjudication of the excluded conduct. Defense costs should be covered, and the exclusions should be severable, so that one rogue employee does not disrupt coverage for all. Make sure the cost to replace or restore electronic data is not excluded. And review the “insured versus insured” exclusion to ensure you have coverage for your own employees as long as you are buying the coverage.
Finally examine the duty to mitigate damages carefully. “Covered damages” definitions often exclude the cost of repair if you did not take prompt, reasonable measures to address a security breach. In part this why you should take a pre-coverage security assessment, continually improve security procedures, and conduct internal training on them.
Q. OK, I’m convinced! But how do I sell this internally?
A. Ted Doolittle of Risk Placement Services tells me tech providers often think they are immune to the risks identified here. From a tech perspective, they’ll say they don’t have exposure because their systems are airtight, or that they don’t have time for the steps involved in obtaining insurance, such as third party security audits, lengthy applications, etc. From a finance perspective, they’ll simply say that cyber liability insurance is not in the budget. Hopefully, the information in this article will give you some ideas about how to discuss the issues and justify the purchase. Given the risk of litigation associated with dealing with personally identifiable information (PII), he recommends that tech providers get at least a policy to cover the defense costs associated with a claim. The process for obtaining coverage, he says, is much more streamlined that it was even 1 or 2 years ago.
Q. If people want to contact you directly to discuss this issue in more detail, what’s the best way?
A. Just have them email me directly at email@example.com