Data Breach Coverage Under Other Policies:
The legal malpractice insurance policies offers limited coverage for a data breach. Standard property, general liability and crime policies will not cover damage to or loss of intangible assets such as data and systems.
Business Owners Policy
Many small firms have this type of policy, which generally combines Property, General Liability and Workers Compensation insurance.
Property insurance covers only tangible assets, such as computing equipment and office furniture. Since data can’t be touched or felt, it isn’t tangible, and won’t be covered by a property policy.
Some insurers offer an endorsement that covers only third-party claims. It will likely cover legally mandated notification costs and attorney’s fees after a breach has occurred, but not the first party expenses the firm will likely incur, i.e., data restoration by IT experts, lost revenue from business interruption during and after the breach, and crisis management services to protect and rebuild the business’s damaged reputation.
Too, the typical endorsement has a limit of $50,000 to $100,000. But if a cyber liability claim is made, defense costs and fees can quickly exceed those limits, as can notification costs to individuals whose data has been compromised, which generally costs from $50 – $150 per record.
Non-BOP commercial property policy: If you have an all-risks policy that treats data as physical property, then you do have coverage, for example, if your servers have a malfunction or their storage facility is flooded—as long as you don’t have an applicable exclusion.
Comprehensive General Liability
CGL policies cover loss to “tangible” property, which may trigger coverage for a data breach that harms a third-party in certain instances.
A data breach may also be covered under the “personal injury” coverage section of the policy, if the breached data is published, as in the Ashley Madison hack, and the policy’s insuring agreement obligates the insurer to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’” which is defined to include the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”
However, nearly all insurers will argue that coverage for a data breach is beyond the scope of the CGL policy, and will likely deny coverage for any claim and then litigate the coverage issue. This means that the firm will have to pay all damages owed to third parties and the cost to litigate the coverage issue.
It would be easier and cheaper to for your firm to buy cyber insurance.
Legal Malpractice Insurance
Your firm’s Lawyers’ Professional Liability policy will cover a legal malpractice claim against your firm, which arises out of a data breach your firm incurs that harms your clients, just as it would cover a non-cyber loss or theft of client.
Further, the coverage doesn’t include ‘first-party’ losses, such as business income your firm loses due reputational risk or lost opportunity costs following a data breach, or the cost to recreate/rebuild your firm’s data and software.