I have maintained a healthy interest in cybercrimes, cyber risks and related liability exposures, for at least two reasons central to the topics of this blog. The first is that, other than credit card companies, probably no one holds more protected personal information than the entities involved with ERISA plans, from health insurers to mutual fund companies to plan sponsors to record keepers. The second is that, from an insurance coverage perspective, developments in this area echo – more than vaguely even if less than resoundingly – the impact on insureds and on the insurance industry of the expansion of environmental liabilities approximately thirty years ago. Then, as now, you had the sudden creation of new potential liabilities – in that case, environmental exposures – that were not foreseen and taken into account by insurers in setting premiums, followed, in short order, by two developments: first, litigation over whether the exposures should be covered under previously issued policies that were not necessarily underwritten in a manner that would account for those risks and then, second, by the industry altering forms and policy language (such as the wording of pollution exclusions and the increased use of the claims made form) in reaction to those events.
You can see the beginnings of exactly those same events now, with regard to the rise of liability for cyber-crimes and related computer security breaches, as insureds, insurers and their coverage lawyers debate the extent to which standard general liability policy language captures or instead excludes those risks, while at the same time the industry develops products and policy language to respond to those exposures. A colleague and I presented this exact theory, as a lens for understanding the insurance coverage issues raised by cyber liabilities, in a major presentation last year, which is captured in this PowerPoint presentation.
I thought of this today, as I read this article pressing the idea that courts will be expanding the liabilities imposed on corporations for data and similar breaches. If the author is right, both the amount of insurance coverage litigation over coverage for cyber liabilities and the creation of new policy language by the insurance industry to deal with the issue will expand hand in hand with that development, in the same way both moved in tandem with the increase in environmental liabilities thirty years ago.