This entry is part 4 of 10 in the series IRONSHORE

Tech E&O, Network Security, Internet Media, and MPL Insurance Policy

Roughly speaking, this insuring agreement, I.D., regards amounts of money the Insurer will reimburse the Company for certain expenses–its Privacy Breach Expenses–after the Company has inflicted–and perhaps has been held responsible for inflicting–cyber-injuries on a third party and that injury directly results from a Privacy Incident. In other words, this is first-party coverage that the Insured will have as a result of its mistake–perhaps “mistake” could be put this way: as a result of its tort or its injury-causing statutory violation. Real-world general liability policies do not carry such first-party rights for an insured, so far as I know.
 
Obviously, the phrase Privacy Incident is crucial. Briefly, it includes (i) the disclosure, etc., of some information of another, that is secret, or close to it; and the disclosure is in the care, custody, or control of the Insured or Service Provider. (ii) That disclosure must result from a Privacy Regulation or a failure of the Company to comply with its own privacy policies. The concept of Privacy Regulation includes a slew of named statutes, both state and federal, plus regulations under those statutes, and “any similar state, federal or foreign identity theft or privacy protecting statute.” [MSQ: Does the reader recognize that there may be controversies generated by the word “similar”? Or what about the word “any”? What about when they don’t apply? Are Romanian privacy administrative rules applicable to problems in Oklahoma? Perhaps not; but consider the twists and turns “New York lawyers” might generate out of this.]
 
In any case, the definition of Privacy Breach Expenses is a complex checklist. There are 7 paragraph-length, Yes-answers  (one of which has 3 separate parts) all following a short but “rich”  introduction.  In addition, there are then 9 shorter No-answers. [MSQ: Interestingly, many of the definitions have “This is included.” versus “This is not included” lists.]
 
Here are brief sketches of some “Yeses”; of course, nothing on the list is provided without the consent/endorsement of the Insurer, and that consent may not be unreasonably refused by the Insurer.

[MSQ: Another probable area for insurer-insured controversy?]

Remember: the following is just an incomplete sketch: 

  • reasonable and necessary fee for obtaining lawyers, accountants, public relations firms, or others to “get access to a ‘privacy breach coach’” (through a particular source. . .) to determine the obligation to notify, examine Insurer’s rights to indemnity from. . .
  • review Insured’s compliance with any [and all] Privacy Regulation[s]. . .
  • conduct computer analysis to determine cause and effect
  • devise and implement public relations campaign
  • notify affected others. . .
  • procure call center and identity restoration. . .
  • procure credit freezes,
  • reimburse Insured for fines, etc., levied by private organizations with jurisdiction. [Remember: Reimbursement comes after money spent.]

The list of the “Noes” is even longer. Remember: this is a sketch, and they are always incomplete:

  • remuneration for wages, expenses, overhead, benefits, and so forth,
  • expenses for fixing or improving a variety of computer-related “stuff,”
  • same sort of thing for Software errors or vulnerabilities,
  • cost of researching and developing  Digital Assets,  including trade secrets

The idea of Digital Assets will be briefly and partially explained presently.

—MSQ
  • dealing with software defects, and the like, the economic or market value of Digital Assets,
  • loss out of liability to others

The word here in the policy is not in bold and the first letter is not capitalized.  This means that the kind of loss involved here is not that which is suffered by the “injured” victim.  It is probably the loss to the Company created by its liability and its consequences, other than the amounts which have to be paid to the victim.

—MSQ
  • contractual penalties,

Plus there is a whole slew of causes of situations elsewhere defined in the policy that are not within this insuring agreement and are hence not covered there.

This sketch gives the reader some sense of how the Privacy Breach Expenses Coverage insuring agreement works.  It is a forest of thickets that will generate coverage disputes for generations to come.  It is also extremely expensive.  The reader must keep in mind that all of these expenses eat away at policy limits.

Originally posted on 09/09/2013 @ 3:19 pm

Michael Sean Quinn, PhD, JD, CPCU, Etc

One of Texas's leading insurance scholars, Michael Sean Quinn is a past chair of the Insurance Section of the State Bar of Texas and has a broad legal practice.