A recent U.S. federal court ruling has highlighted the issue of cybersecurity and the fact that American businesses have not taken the steps needed to fully protect themselves from this threat. This issue was made even more significant when considering that the court ruling came only two days before the beginning of October, which is ironically Cybersecurity Awareness Month.
The court ruled that data breach losses are not covered by commercial general liability (GCL) insurance policies, which are purchased by businesses to protect them in cases involving personal injuries, property damage and other losses. The case that was the center of the ruling involved the company Rosen Millennium. The firm provided security services for Rosen Hotels & Resorts, which in 2016 discovered a security breach stemming from the installation of malware, or malicious software, in its computerized payment system. This breach represented a potential threat to the customers of the resort business, which faulted Rosen Millennium for the lapse and initiated legal action against the security firm. Millennium in turn sought assistance from the St. Paul Fire & Marine Insurance Company, from which it had obtained two GCL policies that it believed would provide liability protection in such cases.
The “personal injury” protections that were supposedly insured included the coverage of damages resulting from the publication of personal material. In this case, the personal material was the customer credit card information and its publication came from the act of hacking the computerized data. However, the court ruled that this protection was not extended in cases where the information was obtained or released by a third party, which is this case would have been the computer hacker. Basing its ruling on a precedent set in a previous hacking incident, the court in this case determined that Rosen Millennium could not make a claim for damages using the personal injury requirement. Rosen Millennium subsequently purchased insurance that covered such cyber attacks, but was again denied help because the plan did not retroactively cover the incident involving Rosen Hotels & Resorts. The security firm has decided to appeal the original case, but further court action was considered unlikely by legal experts.
First proclaimed in 2004, Cybersecurity Awareness Month is an attempt by the U.S. Department of Homeland Security to warn the nation of the threat of electronic crimes, including the theft of personal information. Some security experts consider insurance protection against cyber breaches to be as important as preventive measures, especially considering that a certain degree of illicit activity is inevitable. Despite the threat, a 2017 survey showed that only about half of the businesses in the United States have any type of cyber insurance and fewer than one in five are covered for every potential risk. Furthermore, only about a quarter of the American executives even expressed interest in obtaining such coverage. The United States was also found to lag behind other countries in this area, with some 60 percent of the companies in both Canada and Great Britain possessing cyber insurance.