Cyber insurance from the perspective of a data breach lawyer

Learn more about the types of services that will be covered by cyber insurance in the event of a breach
James P. Harris, Sheehan Phinney

When a data breach occurs, one of the first steps is to examine whether there is cyber insurance to cover the costs of the response (above the deductible). Cyber policies vary greatly, but this article describes some of the benefits commonly available under a cyber policy from the perspective of a lawyer who advises clients on how to use them. 

Thinking about the types of services that are helpful in the event of a breach might help inform discussions with your insurance professional when deciding what type of coverage to purchase.

Forensic specialists

Cyber insurance affords access to a roster of specialists from some of the top firms in the country. Getting these experts involved early is often essential to understanding what happened, repairing the damage, preventing further harm and getting a business back up and running. These firms augment the client’s in-house or outsourced IT personnel with specialized expertise useful in responding to security incidents.  Even if the client has a capable IT staff, I often advise utilizing the expertise of these firms — for which the client has paid through the insurance premium.

Legal services

Carriers also maintain a roster of law firms that provide legal advice in the event of a breach. Getting a lawyer involved early is important for many reasons, one of which is to attempt to cloak the response effort in the work product doctrine, a privilege that might keep information about the response from being produced to third parties (like regulators or individuals asserting claims). 

For example, if the forensic specialist conducts its work at the direction of the lawyer, there is a chance any report generated by the forensic specialist will be privileged.  The lawyer can also guide the client as to any regulatory risks, such as an assertion that the client failed to properly safeguard personal information in the first place or misrepresented the security services it purported to deploy. The lawyer will also assist the client in satisfying any notice requirements imposed by any of the state or federal laws that might be implicated by the event. 

If individuals affected by the incident assert any claims, the lawyer will be available to defend the client against them. These legal costs (and all of the other costs described in this piece) will be borne by the carrier, after the client pays its deductible or self-insured retention.

Mailing and call center services 

If notices must be sent to affected individuals, insurers will often pay for the services of a vendor that will complete the mail-merge, send out the letters and track any that are returned because of incorrect information. In this way, the carrier pays for practical items such as the paper to print the notices, the postage required to reach the affected individuals, and the labor associated with the task. 

When formal notices are required, the client must provide ways for recipients to ask questions and get more information. These vendors can establish and staff a call center to respond to these telephone calls. The client will work with the vendor in advance to script out responses to commonly asked questions and create a plan to escalate any callers who require additional attention.  These vendors can assist in setting up dedicated websites to provide further instructions to affected individuals. 

Again, the carrier will pay for these services, if the client chooses an approved vendor.

Credit monitoring

In some instances, clients are required to or decide to offer affected individuals credit monitoring, which will alert individuals to suspicious activity on their credit. Insurers have arrangements with vendors to offer these services, and the vendors will supply online portals for individuals to apply for the monitoring. Some vendors offer ancillary services like assistance in clearing up any fraudulently opened accounts or unauthorized purchases. Insurers have negotiated more favorable rates for these services, if the client uses a vendor approved by the carrier.

Public relations

Some policies will also cover the cost of hiring professionals to assist with messaging to the public after a breach, to attempt to minimize the negative publicity associated with such an event. As with forensic specialists and the other vendors, it is often wise to use legal counsel to direct and coordinate the PR effort, to attempt to cloak that work in a privilege so that it will not be discoverable by third parties.  

Cyber insurance policies come in many shapes and sizes, but, from the perspective of a lawyer advising clients in the event of a breach, the policies provide important tools and resources to help clients navigate a difficult time. If you have not already purchased a standalone cyber policy, or if you are up for renewal soon, you should ask your insurance professional questions about the types of services that will be covered in the event of a breach.

J.P. Harris, Esq., is a shareholder at Sheehan Phinney.
