Over the past few years, ediscovery professionals have been on the front lines of tremendous changes impacting how organizations and their business partners deal with electronic data. Hyper connectivity, increased regulation, and relentless security threats have created new risks that need to be understood and addressed on a daily basis by today’s ediscovery professionals. But although ediscovery professionals are on the front lines of dealing with data-related risks, they may be far removed from those in their organizations who are responsible for considering insurance to address those risks.
This article discusses three steps ediscovery professionals can take to help their organizations get the right insurance coverage and mitigate the chances that they will violate important cyber insurance policy requirements.
Overview of Cyber Insurance
Cyber insurance can provide much-needed tactical and financial support for entities confronted with a cyber incident. Generally speaking, the cyber policy’s first-party coverage applies to costs incurred by the insured when responding to a covered cyber event, while third-party coverage responds to claims and demands against the insured arising from a covered incident.
First-party coverage usually can be triggered by a variety of events, including data breach, malicious destruction of data, accidental damage to data, IT system failure, cyber extortion, viruses and malware. Generally available first-party coverages include legal and forensic services to determine whether a breach occurred and, if so, to assist with regulatory compliance, costs to notify affected employees and/or third parties, network and business interruption costs, damage to digital data, repair of the insured’s reputation, and payment of ransom costs.
Third-party coverage can be implicated in a variety of ways, including by claims for breach of privacy, misuse of personal data, defamation/slander, or the transmission of malicious content. Coverage is available for legal defense costs, settlements or damages the insured must pay after a breach, and electronic media liability, including infringement of copyright, domain name and trade names on an Internet site, regulatory fines and penalties.
There are no standard cyber insurance policies, and no two policies are the same. Therefore, it’s important to review any proposed cyber policy in light of the individual organization’s cyber risk profile. Because of their proximity to the risks involving much of an organization’s electronic data, ediscovery professionals can play an important role in helping their organizations procure and keep their cyber insurance coverage.
Tip 1 – Communicate Data Risks
Some cyber policies provide coverage only for a breach impacting the organization’s own data, not third-party data. A policy also may limit coverage to security events affecting the insured’s own computer network. If the organization’s ediscovery processes include possession of third-party (including client and client’s adversary) data and utilization of vendors to host and/or handle such data, that information can be passed on internally so that the organization’s cyber risk profile can be better understood and appropriate coverage can be purchased.
Tip 2 – Appropriately Escalate Suspected Cyber or Privacy Incidents
Cyber insurance policies may require the insured to provide notice of claim under the policy when an employee first discovers or becomes aware of an incident. Failure to provide timely notice may jeopardize coverage for an otherwise insured claim. Ediscovery professionals should work with the appropriate people within their organization to establish procedures to internally report any suspected incidents so a determination can be made as to whether or not insurer notification is required.
Tip 3 – Understand Prior Written Consent Requirements
Many policies require the insured to get the insurance company’s written consent prior to hiring any outside professionals, such as a lawyer, forensic consultant, or public relations firm, in the event of a cyber incident. While in the throes of confronting such an incident, however, obtaining prior consent may not be top of mind within the organization. It may be helpful, therefore, for ediscovery professionals to inquire as to the existence of any such requirements in their organization’s cyber insurance policy and to add that information to their incident response plan.