Can You File an Insurance Claim for a Data Security Breach?
How to protect and defend your data in Oregon
on February 28, 2020
Updated on February 8, 2021
Any Oregon business that stores personal information regarding its customers or employees needs to understand its legal obligations in the event of a data breach. A “data breach,” broadly speaking, can be any incident where such information is accessed, disclosed, or otherwise retrieved without your permission. Under Oregon law, you must notify any affected customers when a data breach occurs. If the breach affected more than 250 customers, you are also required to notify the state attorney general's office.
In some cases, a data breach may involve so many customers that individual notice proves to be impractical. In such cases, it is possible to notify customers generally through your website or by notifying statewide media. But you may want to do so in compliance with the law and on your own terms, as opposed to responding to leaked information, which is where an attorney can come in handy.
Does Your Business Need Separate Cyber Liability Insurance?
Beyond the costs of notifying customers, a data breach also creates a risk of liability for damages. Can you file an insurance claim for such damages? The answer, of course, depends on the type of insurance you have and the exact language of your policy.
“A lot of companies are buying cyber-insurance now,” says Seth H. Row, an insurance coverage attorney at Miller Nash Graham & Dunn in Portland. “Most brokers are advising commercial clients to buy it, unless they’re a mom-and-pop grocery store or similar. Claims are excluded from other policies, generally speaking, so they’ve been trying to get people to get cyber-insurance.”
This insurance can provide both first-party and third-party coverage. First-party coverage protects you against the direct costs of notifying customers of the breach and managing the immediate crisis. Third-party coverage provides protection if you are sued by individual customers over the data breach.
If you do not have cyber liability insurance, you may still be covered for a data breach under your commercial general liability (CGL) or business owners' insurance policy. It will vary based on the state and policy language. But some courts have held such policies cover data breaches.
Doing your research beforehand to choose the best policy is obviously important, as is reviewing it annually as technology changes and attackers shift schemes. “These data security incidents and cyber-breaches keep changing,” Row says. “The criminals keep coming up with new ways to try to make money and, generally speaking, these are criminal gangs aiming to make money. The problem is which insurance policy will respond to it? That can be a difficult question.”
In January 2020, a federal judge in Maryland held the issuer of a business owners' insurance policy was liable for damages sustained by a customer in a ransomware attack. The policy in question covered “direct physical loss of or damage” to the business owner's computer systems and any “data stored on such media.” The judge held this language required the insurer to cover the “replacement cost” of the policyholder's entire computer system following the data breach.
“The problem, sometimes, is that these policies are written for the world as it was maybe five years ago—for instance, when they hacked into Target to get credit card numbers. That doesn’t happen a lot anymore,” Row says. “Now there's ransomware, where people are messing with your system or locking up your system. Some policies may cover it, but they weren’t always written for it. There’s also business email compromise (BEC) or social engineering fraud, and that may not involve hacking at all, but tricking you into sending money to the wrong place. That is a common claim, but finding which policy might cover it can be a challenge.”
Why Hire an Attorney?
It is important to note that every policy and state insurance law is different. So if you have questions about whether your existing policies will protect you in the event of a customer data breach, it is best to speak with a qualified Oregon insurance attorney.
When a client is hit, Row investigates the issue and cause, and packages the facts to best present the claim to the insurance company. Often, as part of your insurance package, the insurance company will have its own lawyer do an investigation and data forensics to figure out your exposure, send out mailings, staff a call center and more. But sometimes the insurer will question whether an incident falls under your plan, or the number of people exposed in your incident. That’s when you need a negotiator.
So why would you want an attorney as opposed to an insurance broker or data security consultant? “If you’re working with an attorney, everything stays privileged and confidential, until you’re ready to release it to the public,” Row says. “If you’re talking to a broker, or IT security vendor, that could get out. So in case you’re sued later, it’s good to have an attorney quarterback in the beginning.”
If you'd like more general information about this area of the law, see our insurance law overview.