Can You File an Insurance Claim for a Data Security Breach?

How lawyers help protect and insure your data

By Super Lawyers staff | Reviewed by Canaan Suitt, J.D. | Last updated on August 22, 2023 Featuring practical insights from contributing attorney Seth H. Row

Use these links to jump to different sections:

Any small business that stores personal information regarding customers or employees needs to understand its legal obligations in the event of a data breach.

What is a Data Breach?

A “data breach,” broadly speaking, can be any incident where sensitive information is accessed, disclosed, or otherwise retrieved without your permission.

Every state has laws requiring businesses to notify affected customers when a data breach occurs. Depending on the number of customers affected by the privacy breach, you may be required to notify the state attorney general’s office as well. For example, under Oregon law, if the breach impacted more than 250 customers, you have to notify the AG.

In some cases, a data breach may involve so many customers that individual notice proves to be impractical. In such cases, it’s possible to notify customers generally through your website or by notifying statewide media. However, you want to do so in compliance with state law and on your own terms, as opposed to responding to leaked information. This is where an attorney can come in handy.

If you’re working with an attorney, everything stays privileged and confidential, until you’re ready to release it to the public. If you’re talking to a broker, or IT security vendor, that could get out. So in case you’re sued later, it’s good to have an attorney quarterback in the beginning.

Seth H. Row

Does Your Business Need Separate Cyber Liability Insurance?

Beyond the costs of notifying customers, a data breach also creates a risk of liability for damages. Can you file a cyber insurance claim for such damages? The answer, of course, depends on the type of cyber insurance policy you have and the exact language of your policy.

“A lot of companies are buying cyber-insurance now,” says Seth H. Row, an insurance coverage attorney at Miller Nash Graham & Dunn in Portland, Oregon. “Most brokers are advising commercial clients to buy it unless they’re a mom-and-pop grocery store or something similar. Claims are excluded from other policies, generally speaking, so they’ve been trying to get people to get cyber insurance.”

What Does Liability Insurance Cover?

Cyber liability coverage can provide both first-party and third-party coverage:

  • First-party coverage protects you against the direct costs of notifying customers of the breach and managing the immediate crisis.
  • Third-party coverage provides protection if you are sued by individual customers over the data breach.

If you do not have cyber liability insurance, you may still be covered for a data breach under your commercial general liability (CGL) or business owners’ insurance policy. It will vary based on the state and policy language. But some courts have held such policies cover data breaches.

Stay Up to Date on Cyber Threats and Vulnerabilities

Doing your research beforehand to choose the best insurance policy is obviously important, as is reviewing it annually as technology changes and hackers shift schemes.

“Data security incidents and cyber-breaches keep changing,” Row says. “Cyber criminals keep coming up with new ways to try to make money… The problem is which insurance policy will respond to it. That can be a difficult question.”

For example, in January 2020, a federal judge in Maryland held that the issuer of a business owner’s insurance policy was liable for damages sustained by a customer in a ransomware attack. The policy in question covered “direct physical loss of or damage” to the business owner’s computer systems, including any “data stored on such media.” The judge held that this language required the insurer to cover the “replacement cost” of the policyholder’s entire computer system following the data breach.

“The problem, sometimes, is that these policies are written for the world as it was maybe five years ago—for instance, when they hacked into Target to get credit card numbers. That doesn’t happen a lot anymore,” Row says.

“Now there’s ransomware, where people are messing with your system or locking up your system. Some policies may cover it, but they weren’t always written for it. There’s also business email compromise (BEC) or social engineering fraud, and that may not involve hacking at all; instead, it tricks you into sending money to the wrong place. That is a common claim, but finding which policy might cover it can be a challenge.”

Why Hire an Attorney?

It is important to note that every policy and state insurance law is different. So if you have questions about whether your existing policies will protect you in the event of a customer data breach, it is best to speak with a qualified attorney.

When a client is hit, Row investigates the issue and cause and packages the facts to best present the claim to the insurance company.

Often, as part of your insurance package, the insurance company will have its own lawyer do an investigation and data forensics to figure out your exposure, send out mailings, staff a call center, and more. But sometimes, the insurer will question if an incident falls under your plan or the amount of people exposed from your incident. That’s when you need a negotiator.

So why would you want an attorney as opposed to an insurance broker or data security consultant? “If you’re working with an attorney, everything stays privileged and confidential until you’re ready to release it to the public,” Row says. “If you’re talking to a broker, or IT security vendor, that could get out. So in case you’re sued later, it’s good to have an attorney quarterback in the beginning.”

If you’d like more general information about these areas of law, see our overviews of insurance law and technology transactions and related content. To find an attorney experienced in cybersecurity, visit the Super Lawyers’ technology transaction attorney directory.

What do I do next?

Enter your location below to get connected with a qualified attorney today.

State Technology Transactions articles

Find top lawyers with confidence

The Super Lawyers patented selection process is peer influenced and research driven, selecting the top 5% of attorneys to the Super Lawyers lists each year. We know lawyers and make it easy to connect with them.

Find a lawyer near you