Cyber Insurance Coverage Disputes

Global cybercrime losses are estimated to be in the trillions of dollars annually and will continue to increase at a rapid pace. Cybersecurity industry spending to counter the growing threat is likewise rapidly increasing, and will soon surpass the trillion-dollar mark in worldwide annual spending.

Insurers have long provided coverage for certain types of “cyber” losses under traditional policies and coverages. But the last decade has witnessed the emergence of an entirely new line of insurance dedicated specifically to protecting against the risk of cyber losses that have plagued individuals, businesses, and government entities, including:

• Data breach
• Phishing and other social engineering fraud schemes
• Ransomware attacks
• DOS and malware attacks
• Intellectual property theft
• Improper storage, handling, and disposal of personal information
• Improper collection of consumer data
• Theft or destruction of digital assets
• System malfunctions and staff errors

Carlton Fields’ coverage team has been at the forefront of counseling and litigating cyber coverage disputes for insurers since long before data breaches made news, or stand-alone cyber coverages were developed. Carlton Fields’ coverage lawyers have handled some of the most high-profile and high-dollar cyber coverage disputes. We have counseled insurers regarding coverage for data breaches, malware attacks, political hacktivism, social engineering/phishing/spoofing schemes, and misappropriation of intellectual property. We have analyzed cyber coverage issues under traditional coverages, including CGL and fidelity policies (and particularly the “computer systems fraud” rider), as well as newer cyber-specific package policies, that include first-party coverages, such as data restoration and replacement, business interruption, and breach response costs, as well as third-party liability coverages, including security and privacy liability, derivative vendor and contractual liability, and internet media liability. 

Many coverage issues raised under cyber policies are familiar: notice and cooperation conditions, “other insurance” provisions, exclusions, priority of coverage in excess towers, notice of circumstances, etc. But many are untested, including new definitions, such as “electronic data,” “denial of service attack,” and “malicious code,” new coverage grants, and new exclusions for everything from power surges to the illegal collection of personal information. First-party coverages raise difficult valuation issues where digital assets cannot be restored, or where disabled software and computer systems become obsolete. Carlton Fields’ coverage lawyers have worked with numerous forensics experts, brokers, law enforcement, and regulators specializing in cybersecurity.

Carlton Fields’ coverage lawyers also draw from the firm’s interdisciplinary cybersecurity and privacy team, which focuses our attorneys’ combined professional experiences on the frontlines of cybersecurity across numerous industries, including energy, technology, and health care. We are an ISO 27001:2013 certified firm, and our cybersecurity and privacy team includes attorneys who have earned the designation of Certified Information Privacy Professional (CIPP/US), Certified Information Privacy Manager (CIPM), and Certified Information Privacy Technologist (CIPT), as well as former federal cybersecurity prosecutors. They are active and have held leadership positions in data privacy and cybersecurity organizations, such as:

• International Association of Privacy Professionals (IAPP)
• The Sedona Conference Working Group on Data Security and Privacy Liability
• DRI - Data Management and Security Committee
• ABA - Privacy and Computer Crime Committee CLE Working Group
• ABA - Computer and Software Legislation Committee
• ABA - Electronic Filing Committee
• ABA - Internet Relationships and Cloud Computing Committee
• ABA - Section of Science & Technology Law
• The International Security Management Association 
• ISACA (Information Systems Audit and Control Association)

The task force attorneys’ work includes:

• Data breach and incident response
• Data privacy and information security policy drafting and implementation 
• Federal and state privacy laws 
• International privacy regulations and global policies
• Employee privacy issues
• Website and social networking issues
• Class action and litigation
• Represent clients in data privacy litigation brought by federal and state regulators

The experience and knowledge of our Cybersecurity and Privacy Task Force is complemented by Carlton Fields’ long-standing reputation as a leader and go-to firm for coverage disputes of all types. This combination ensures that we are prepared to handle any and all cyber coverage issues with the expert and efficient service our insurer clients expect.