Companies and the lawyers who represent them are justifiably concerned about the many risks associated with cyber security threats. In today’s economy, data breaches invariably result in the loss or improper disclosure of consumer data and litigation consistently ensues. Complaints frequently allege privacy-related claims, including the common law tort of unreasonable publicity given to private facts and negligence. Some jurisdictions have legislated privacy protections that either provide a statutory cause of action or can support a negligence claim. Some states and federal regulatory agencies also impose reporting obligations on companies when a data breach occurs. These consequences of a data breach represent significant expenses that should be contemplated by a company’s cyber insurance strategy. Coverage may potentially be available under commercial general liability insurance, but the terms of these policies and judicial interpretation thereof increasingly preclude coverage for cyber events. The emerging market for cyber policies has resulted in diverse insurance products. Coverage under these new policies mostly remains untested in the courts. Accordingly, these products require close study to ensure that post-breach litigation is among the covered harms.
David J Baldwin, Jennifer Penberthy Buckley and D Ryan Slaugh, Insuring Against Privacy Claims Following A Data Breach, Penn State Law Review, Volume 122, Issue 3 (2018).