Insurance brokers and underwriters have admitted to providing coverage for cyber losses under general liability policies in the past, according to Scott Godes, co-leader of Dickstein Shapiro LLP's cyber security insurance coverage initiative.
But the insurance industry is starting to push back on covering data breaches under these broad policies, especially as insurers try to steer customers toward their cyber policies, he said. Insurers may soon begin specifically excluding data breaches from their general liability policies, according to attorneys.
"Data breach policies are becoming really essential as the number of exclusions multiply, as new risks arise," Robert Chesler said. "Any company that does business on the Web is going to want some kind of data breach coverage."
As clients turn to their lawyers for advice on how their coverage would apply to data breaches, law firms are beginning to mull buying cyber policies of their own, according to Chesler.
Firms storing any amount of sensitive data — such as clients' Social Security numbers or confidential information related to financial transactions — are attractive targets for hackers, according to Chesler.
Law firms should examine whether their general liability policies could provide some coverage for clients' losses as a result of a data breach, or whether a cyber insurance policy is needed to fill a coverage gap, experts said.
Chesler said a hacking loss could also be covered by malpractice insurance, but that this notion hasn't been tested yet.
According to Lorelie Masters, a partner in Jenner & Block LLP's insurance group, the insurance industry started offering cyber policies as early as the mid-1990s, but early stabs at these policies led to relatively unsophisticated results as insurers struggled to grasp the kind of policies their clients needed and tailor their policies accordingly.
Now, companies have their choice of data breach policies that cover everything from defense costs in class actions over hack attacks to damage that hackers wreak on company property.
Cyber policies can offer coverage for the costs of replacing corrupted data, penalties and internal investigation costs arising from data breaches, the loss of business if a website goes down, and losses related to copyright infringements, according to Chesler.
While insurers are seeking to jump into the cyber policy space and are hawking new offerings on a regular basis, data breach policies are far from being as standardized as general liability, workers' compensation and other long-established insurance policies, according to Godes.
"They're part of the Wild West of insurance," Godes said. "They're new to the market, they're new to each carrier, and there are variations in coverage between those policies, even between the forms issued by particular insurance companies."
The Dickstein Shapiro attorney said he didn't see any movements afoot to establish state insurance laws or regulations to govern data breach policies.
That could change, given the rapid growth that's expected in the cyber insurance industry, prompted in part by recent laws requiring companies to disclose data breaches to customers. Such revelations often prompt wall-to-wall news coverage of major cyber attacks — along with class actions brought by data breach victims — and companies across the board are now weighing the need for data breach policies, according to experts.
"Nobody paid attention to them until recently," Chesler said. "Many large corporations have bought this coverage. Many more are considering it. It is rapidly expanding to many other types of industries."
Insurers at first marketed data breach policies to financial companies holding massive amounts of customer data, but retailers quickly got in on the action, according to Chesler. Since then, health care companies, restaurants and many kinds of Web-based companies have begun seeking specialized coverage as a matter of course, he said.
Masters pointed out that many cyber policies had yet to be tested in courts, as coverage disputes resulting from hack attacks have typically been resolved quietly, presumably to preserve the reputations of the companies involved.
"People want to move on," Masters said. "They want to keep that under the radar screen."
But coverage battles over data breaches may increasingly reach the public eye if a rare and high-profile legal battle between Sony Corp. affiliates and Zurich American Insurance Co. in New York state court is any indication. Zurich launched the suit in July, seeking a declaration that its primary and excess general liability policies did not provide coverage for a cyber attack that compromised account data for more than 100 million users of Sony's Playstation Network, Sony Entertainment Online and Sony Pictures.
Sony asked the court to toss the suit in November, arguing the company would not pursue coverage under the Zurich policies.
But Zurich has refused to voluntarily dismiss the lawsuit unless Sony disavows claims for coverage under general liability and other policies issued by other insurers, according to Sony.
Attorneys say it's likely that companies facing data breach suits will continue to pursue coverage under general liability policies even while holding a cyber insurance policy, due to a potential overlap in coverage.
Courts have already split on whether the loss of computer data constitutes physical damage covered under general liability policies, and the next battleground might be whether data breaches constitute an invasion of privacy that could be covered by general liability policies, according to Chesler.
While the cyber insurance realm is slated for growth and more companies are thinking of buying such policies, only 35 percent of companies surveyed have actually done so, according to an October study by Advisen that was sponsored by Zurich.
At the same time, nearly 60 percent of risk professionals who took part in the study said information security and cyber exposures were serious threats to their companies.
Companies holding out on buying cyber policies said they lacked enough data to make informed decisions on buying cyber policies, that they were investing in prevention rather than insurance, that the policy coverage was too limited and that the application process was difficult.
According to Masters, companies might be reluctant to bare their souls to an insurance company seeking to audit their operations during the data breach policy application process.
"You're buying insurance to manage risk, and at some level, you're potentially opening yourself to an additional risk," Masters said.