A recent court dispute makes clear that there are many elements to cyber planning and protection for any company to consider. Although some do involve technical bells and whistles, many or most are merely business operation decisions involving non-technical matters. Just like other operational decisions, the success of these planning measures can have a direct impact on your bottom line.
The Spec’s Family Partners Ltd. v. The Hanover Insurance Co. case involves insurance coverage for a data breach. The insured retailer sought insurance coverage of losses incurred under its merchant account with a payment card processor. Because that account and those losses are governed by a merchant account agreement, the insurer denied coverage under the retailer’s cyber policy, citing the policy’s “contractual exclusions” clause. In other words: the insurer refused to pay for losses the retailer suffered because of the terms of its merchant account agreement. In the case, the appeals court ruled in favor of the retailer, saying that there are several non-contractual theories relating to the losses (costs), and that the trial court must consider those before ruling that the insurer may decline payment. The appeals court did NOT require that the contractual claims be considered, and so in effect it has implicitly endorsed the validity of the exclusion in the policy.
What does this mean for insureds, i.e., ordinary business operators?
First: vendor management is a critical part of cyber planning.
Where you can, try to negotiate for your vendors to take on part of the losses following a data breach; and if the breach is of their system, have your agreement specify that you are entitled to full coverage and remedies from the vendor. Where, as here, the vendor is likely a large market power and you have little basis to negotiate, at least understand what losses the contract apportions to you, so that you can tailor your insurance and other planning appropriately.
Second: cyber insurance.
The main rule of thumb is to have a policy. The corollary is to understand what it covers. Cyber policies are not comprehensive, and not all policies cover all losses; in this way, they resemble the homeowner’s policy that may cover flooding but NOT sewage backup, depending on what you bought.
This “contractual claims” exclusion is common, and it generally means that the insurer will not cover any costs or losses you bear in a cyber-breach that are the result of a contractual provision with a third party. Thus, if you have a weak vendor contract and end up carrying the costs of a data breach because of that weak contract, you cannot count on your insurance to make you whole. In other words, you will have lost two chances to spread the risk and losses to third parties.
Although a contractual claims exclusion is common, such exclusions are by no means non-negotiable. There are carriers that do not use them, or that use them sparingly. Because so many breaches end up involving some form of third-party contractual dispute, it is worth shopping around on the front end to avoid finding that you are self-insuring all your contractual losses on the back end.