Exclusively from Foa & Son
As a general rule, insurance policies won’t provide coverage for legal or regulatory fines and penalties imposed on a policyholder. Because such fines are regarded as punishment for a violation or shortcoming, underwriters have generally treated them as uninsurable. In many jurisdictions they may also be deemed uninsurable as a matter of law, precedent or public policy.
Cyber insurance is different, in a way that materially enhances its value to organizations with this exposure. As we have previously pointed out, a wide assortment of regulatory authorities, both public and private, assert jurisdiction over some aspect of data privacy, data security, and network vulnerability. One of the (often significant) direct costs a breached organization will incur is the cost of a governmental or regulatory investigation, together with any fines and penalties that one or more of these authorities may then assess or impose.
A variety of governmental agencies have the ability to investigate data security breaches and to issue fines and penalties. Here are a few examples:
• The Federal Trade Commission has used its power under various statutes to regulate unfair or deceptive acts relating to data security. The FTC is also actively lobbying Congress for more authority to impose civil penalties for data breaches.
• The U.S. Department of Health and Human Services and state attorneys general enforce the penalty provisions of HIPAA, under which penalties can be millions of dollars for data breaches relating to protected health information.
• The Federal Communications Commission has levied sizeable fines for violations of the privacy requirements of the Communications Act of 1934.
• State attorneys general (sometimes working together) actively investigate data breaches and may impose fines or penalties.
The good news is that many cyber policies will cover fines and penalties. The conditions commonly attached to such coverage specify that the fines or penalties must be imposed by a governmental agency, that they must be paid to a governmental entity or a consumer redress fund, and that they must be insurable under applicable law.
To this last point, insurance policy language may expressly grant coverage for fines and penalties, but there is always a question as to whether such items can legally be insured. The answer depends on the law of each specific jurisdiction and on the specific circumstances of each case. There is no single right answer, but some general observations are possible. Fines or penalties based on findings of intentional or willful misconduct are likely to be challenged on public policy grounds. Those that are punitive in nature (intended as punishment for some conduct) are more likely to be challenged than those that are compensatory in nature. Penalties assessed vicariously against a policyholder (for example, when a corporation is held liable for an unauthorized act of its employee) are less likely to be challenged.
It is also important to note that policies that cover cyber-related fines and penalties typically also cover costs incurred in connection with the related governmental or regulatory investigation and the pursuit of the claimed violations. This is usually a coverage grant for legal fees and other costs associated with a “Regulatory Proceeding”, generally defined as an action by one of the agencies or commissions listed above.
Investigation and defense costs arising from these proceedings can be substantial, so this coverage can be quite beneficial. It is also important to realize that defense and investigatory costs are not subject to the insurability question discussed above, so even if any ultimate fines or penalties undergo that scrutiny, these expenses can still be paid.
Insurance for certain fines and penalties imposed as a result of privacy breaches is widely available and can be a useful part of a cyber risk mitigation plan. Likewise, coverage for the defense and investigative expenses incurred during a regulatory action can substantially defray the economic impact of a breach. However, coverage for fines and penalties involves questions of law regarding insurability that cannot be resolved by insurance policy terms alone. Like everything else in the complex and evolving field of cyber risk and insurance, it’s complicated. Give us a call if we can be of help.