The insurance industry's standard-setting body recently introduced a privacy bill of rights that would ramp up insurers' cybersecurity obligations to policyholders, a development that coincides with regulators' increased scrutiny of data security practices and is likely to expand the fledgling cyberinsurance market.
Recent legal decisions, most notably the Seventh Circuit’s revival of a data breach class action against Neiman Marcus and the Third Circuit’s rejection of Wyndham Worldwide Corp.’s claims that the FTC doesn’t have the authority to regulate data security, have also operated to embolden federal and state authorities to become more involved.
According to Joshua Gold, a shareholder in Anderson Kill’s New York office:
“[Y]ou may see FTC inquiries of some companies about their cyber practices even where no data breach has occurred [in light of the Third Circuit’s ruling]. I expect this will lead some insurance companies to review their cyber insurance policy fine print and adjust it to expressly cover the risks and lead yet others to limit it.”