Companies need to be diligent when protecting against cybercrime

If you have never been a victim of identity theft, it’s not because you’re immune to the risk, says Lucas M. Blower, Attorney at Law at Brouse McDowell.

“The reason may be that there are just too many people to get to,” Blower says. “It’s not necessarily because you’re more protected than someone else. It’s just difficult to get to everybody.”

Cybercrimes such as identity theft and data hacking are a reality in today’s world, and there is only so much that companies can do to protect their valuable data, Blower says.

From a liability standpoint, however, you need to be cognizant of the actions that you openly agree to take to secure the interests of your company and its customers.

“If you don’t have proper controls in place for your customers’ data and there is a data breach, you can be held liable under federal law,” Blower says. “In addition, if you put something on your website that explains how you’re going to protect customer data, you need to actually do it.”

Smart Business spoke with Blower about cyberrisks and what you need to know in order to protect your company.

Why is cyberrisk a difficult topic for both companies and the courts?

One problem is that some companies may believe they are insured against cyberrisks as a result of their general liability policies. They have a good argument, at least under the language of some policies, according to Blower.

Many insurance companies, though, are arguing that these policies should be read narrowly, so that they do not apply to cyberrisks. At least some courts have sided with the insurance companies. Even where they haven’t, insurance companies have been putting new exclusions into the policies that would prevent coverage.

What’s happening is that policyholders are getting pushed into a market that has a bunch of language that is far less litigated and far more uncertain than the language in the general liability policies.

We’ve been living with general liability policies for a long time. We know what they say and we know what they mean. What policyholders need to know whenever they are buying these cyber insurance policies is that the normal rules of insurance interpretation will still apply.

What can you do to protect your business?

The first thing you need to do is ensure you’re following through with whatever actions you’ve told employees or customers that you’re taking to protect their information. If you don’t comply with the system you’ve agreed to set up and an incident occurs, your insurance carrier could tell you that the loss is excluded from your policy.

In some policies, there is a policy exclusion for a ‘failure to follow minimum required practices.’ So it’s good practice to continuously reassess your exposure to information security and privacy threats.

What about the risk of human error?

There are commonsense steps you can take to protect your company, but the reality is you’re still facing two problems. First, you can’t protect against missteps where people don’t do what they are supposed to do.

Second, you’re not always equipped to respond to the sort of attacks that are coming at you. The threats evolve and change as new defenses are put in place. Given those two areas of vulnerability, there’s no way to manage your risk without an insurance component.

Fortunately for policyholders, there are a number of pro-policyholder rules governing the interpretation of insurance policies that are going to apply to cyber policies as well.

There is a rule that insurance policy language is construed strictly against the drafting party, which is the insurance company. If there’s any ambiguity in the language and you can construe that ambiguity in favor of the policyholder, that’s how you read the contract.

There are protections built into the law that prevent insurance companies from avoiding obligations based on an over-technical reading of their policies after the loss report comes in and is bigger than expected. Insurers aren’t going to have many customers if they’re selling a product that doesn’t actually cover you when you need it.

Insights Legal Affairs is brought to you by Brouse McDowell