If you are in business today, cyber insurance is no longer optional. It’s not optional for insurance clients, and it’s not optional for insurance agencies. As if the point needed further emphasis, a New York appellate court drove it home yesterday.
The operator of several Five Guys restaurants in the Albany area got hacked. Criminals accessed customers’ credit card information and went shopping. The credit card holders naturally protested the unauthorized charges to their card issuers. The issuers got stuck absorbing the costs of these fraudulent charges. At least one of the issuers, Trustco Bank, sued the restaurant operator for failing to take reasonable care of the data. According to a report in the Albany Times-Union, the bank sought more than $104,000 in damages.
The operator made a claim under the liability coverage section of its business owner’s insurance policy. The carrier denied coverage and refused to provide a defense. The reason was simple. Commercial general liability coverage applies to the insured’s liability for “bodily injury” and “property damage”. The policy defined “property damage” as injury to or loss of use of “tangible property.” It also stated that, “[f]or the purposes of this insurance, electronic data is not tangible property.” The policy also excluded coverage for damages arising out of the loss of electronic data.
The insurer concluded 1) there was no property damage, as the policy defined that term; and 2) the coverage did not apply to loss of data. Accordingly, there was no insurance for this loss.
I find it pretty incredible that the trial court didn’t uphold the claim denial, but it ordered the carrier to provide a defense. The carrier appealed, and yesterday the appellate court ruled that the policy’s “unambiguous language” meant that the bank’s lawsuit was not a claim for property damage and that the loss was excluded. Honestly, insurance policies do not get much more straightforward than that.
It cannot be said often enough. Every organization has an exposure to cyber loss, whether it’s a loss of customer data, loss of proprietary internal information, vandalism to a web site, infiltration of a virus, unauthorized transfers of funds, or any number of losses. Insurance agents, to do their jobs properly, must discuss this with their clients. The client might still refuse to buy the coverage. I heard as much last fall when I covered this topic in a continuing education course I presented. Most of the producers in the classroom reported that their clients believe it won’t happen to them. That’s probably what the operator of these restaurants thought.
And insurance agencies are not immune. There’s an awful lot of confidential client information on their servers. Social Security numbers; salary data; home values; names and ages of children; driving records; loss information – the list goes on and on. If agency principals think cyber criminals are not trying to break into their networks to get their hands on it, they are engaging in a dangerous form of denial. It can happen. It will happen to someone reading this blog post. It’s a sad fact, but it’s true.
Buy the coverage for your agencies. Offer it to your clients. Explain to them why their businesses are in jeopardy without it. Confirm in writing their decisions not to purchase. Unfortunately, some may decide not to buy the coverage today, and then try to sue the agent after an uninsured loss occurs. That’s why it’s important to have a paper trail, either electronic or physical. My hope is that most will see the wisdom in buying the coverage and that the paper trail will not be needed.
It’s the 21st century. Our lives and our property reside on computer networks, and any network can be hacked. Cyber insurance is just not an optional purchase anymore.