Michael Sean Quinn, Ph.D., J.D., C.P.C.U.
There are now broad and deep shifts going on in the waters of insurance law practicing.  They are jolting. These heavy flood-like flows are principally generated by the computer age having bursting onto the scene and having changing it immensely, or by the dawning and blossoming of “cyber space” (to mix metaphors), by the creation of  the cyber world, or by the arrival of the “digital age”—call it whatever you like, with one exception.  (I would prefer it not be called the “virtual ______”  or “virtual [anything],” since that image is radically false. I have written on the vices of  the “virtual” in cyber-discourse elsewhere.)
Because of what has come to pass on a global scale,  most lawyers (and those who assist them) are required to engage in all sorts of new activities; the profession is becoming reorganized; and new requirements re leaping out of the bushes every week, or so.  Of course, some of those activities involve dealing with the cyber insurance problems of client. This is one of the large changes; it is not small potato’s. 
At the same time, at the same time and related to this one, some of those activities strikingly manifest the need of law firms themselves to have the appropriate cyber insurances.  So, the image if lawyers picking insurance for themselves. (There is nothing new about lawyer helping insurers and insureds determine what provisions would be in a contract of insurance. The larger the policy the more likely there will be lawyers helping draft policies. Lawyers functioning as buyers of insurance for their own professional activities is new and different.)
As one might expect from relatively recent history, many of the new cyber policies are “named peril” policies.  In fact, it is hard to see it being any other way, ever.  There are not yet widely spread (or nearly mandatory) virtually-identical coverage forms.  All of those in use, however, are claims-made policies, as I suspect it will always be. All of them involve many definitions; many of the definition are themselves complex and new to even the semi-novitiate lawyer; and some of the definitions are layered, i.e., the term being defined depends on a second term which is also defined, and the first one down the definitional chain depends on another one further down the chain, and so forth. Perhaps over time the definitional structures will become less challenging. 
Here are some sketches of  those named perils, starting with liability insurance. The key concept is “wrongful act or omissions,” (“WAO”) definitions vary some, but not much.[3] In any case the coverage is more or less for WAOs causing
·      Injury to the network of another by dispatching “malicious codes,” “viruses,” malware, worms, and/or similar “poisons,” 
·       Invasions of protected privacy, 
·       Release (or theft) of private information by another by taking (stealing), turning over, distributing, or setting up other to do this
·      Participation in injurious media use, or causing it,
·      Injury when the insured is a cyber professional and/or a vendor of cyber services, 
·      Injurious hackery.
·      Injury while assisting another (or others) who actually do the hacking,
These are only examples, of course.[4]  (This is a paper of sketches; it is not a handbook or a how-to manual.)
Now for first party policies; keep in mind that what all’s insured are mostly not tangible objects but electronic and financial assets. Of course, since it is the “very modern,” high tech world we live in—though certainly not a “postmodern” world–first and third policies are often packaged together, though not always.  In any case here are some of the usual named perils potentially injuring the insured, but not by liability:
·      Network security of the insured is breached, 
·      Privacy components of the insured are breached,
·      Regulatory proceeding is inflicted upon the insured,
·      The insured is subject to an adverse media event,
·      The insured’s digital assets are destroyed, damaged, or rendered unusable,
·      The business income of the insured is reduced by an insured perilous event,
·      The insured is subject to an extortion of some sort of
“X-napping,” analogous to kidnapping, and/or the like,
·      The insured’s system is subjected to negligent (defective) care of some sort, like 
o   Design
o   Construction
o   Maintenance,
o   Securitization,
o   And so forth.[5]
These kinds of injuries can result from the insured being unable to provide its unusual services to its customer non-negligently, the public, industrial, or private “publicity”cause expenses and/or a loss of business and revenue. This insured injury might arise this way: Insured somehow injures X, but sustains injury as a consequence of its injury causing acts.[6] This might include notification (or similar) expenses, even if there is no actual proceeding pending.  One can easily imagine a law firm need coverage for the injury it causes itself by mishandling the confidential information of a client. Law firm as hackee. (1) Of course, the law firm might be providing legal services to a client by having files of their material from cases the firm worked on. (2) Then again, it might just store information for a client resulting from cases it did not work on.  It is not clear to me that this constitutes the rendition of legal services. (3) Or a firm might simply act as a cyber-storage company holding on to the digital material of a non-client.  (1), (2) and (3) might have very different insurance dimensions. 

*Michael Sean Quinn, Ph.D., J.D.1300 

West Lynn Suite 208

Austin, TX 78703 

Fax: 512-344-9466

[1] Or maybe this should be called, “one enormous concatenations of smaller-looking currents.”
[3] Of course, since some fortuity is required, the WAOs cannot be explicitly undertaken to cause injury of damages. 
[4] See Jes Alexander and Mariah Baker Quiroz, “Hacking Through Cyber Insurance,” State Bar of Texas, 12th Annual Advanced Insurance Law Course, June 11-12, 2015. This essay covers both third party coverage and first party coverage. It has lots of footnotes and is a good place to start one’s cyber insurance education. 
[5] Subrogation sails to the new world. 
[6] Intuitively, this is vaguely like A running into B; A is at fault; but the car of A is also damaged. A’s auto insurance will pick up both the liability side (3rd party) and the property side (1st party) of the accident. Thus, two separate losses.