
Equifax Data Breach Shows Limits of Cyberinsurance and Potential Critical Importance of Exclusions

M&S Industry Alert

The breach of credit bureau Equifax, potentially exposing the credit data of as many as 143 million Americans, has been nonstop news in recent weeks. Apart from requiring many of us to safeguard our own credit, it teaches two lessons for advising companies on cyberinsurance.

First, typical cyberinsurance coverage may often prove inadequate. Several lawsuits seeking class-action status on behalf of affected Equifax consumers have already been filed or announced. Equifax now also faces investigations by the Federal Trade Commission, more than 30 states’ attorneys-general, and other federal regulators in the US, Canada, and the UK. Georgia has also announced a criminal investigation into the sale of stock in Atlanta-based Equifax by two senior executives.

Press reports indicate that Equifax holds a policy that could cover between $100 million and $150 million in claims and costs. However, Equifax acknowledged in its annual report that insurance may not cover all claimed losses. In fact, even though the total costs of the breach won’t be known for years, they could be orders of magnitude higher, based upon previous breaches at companies like Yahoo, according to press accounts.

Companies far from the daily news may also underestimate the costs of a cyber breach. Investigations, claims by third parties, business interruption and other expenses may well exceed available insurance coverage. Despite the cost of cyberinsurance, the Equifax debacle may lead companies to reexamine policy limits.

Second, seemingly innocuous exclusions in cyberinsurance policies may prove disastrous. Press reports say that Equifax neglected to apply an urgent security patch for months, making penetration relatively easy.

Applying security patches promptly, when released by software publishers, is certainly good, perhaps even essential, IT policy. More importantly, some cyberinsurance policies may require “prompt” compliance with recommended updates, and if the insured does not comply, the insurer may deny coverage.

The Equifax experience shows that close attention to fine-print exclusions in a company’s cyberinsurance policy may be indispensable, because an overlooked exclusion could result in assertions by the insurer that there is no coverage. The Equifax experience may also lead counsel to re-examine with clients the level of coverage.

This alert was written by Daniel S. Koch in the Government Contracts practice group at Miles & Stockbridge.

Any opinions expressed and any legal positions asserted in the article are those of the author(s) and do not necessarily reflect the opinions or positions of Miles & Stockbridge P.C. or its other lawyers. This article is for general information purposes and is not intended to be and should not be taken as legal advice on any particular matter. It is not intended to and does not create any attorney-client relationship. Because legal advice must vary with individual circumstances, do not act or refrain from acting on the basis of this article without consulting professional legal counsel. If you would like additional information on the subject matter of this article, please feel free to contact any of the lawyers listed above. If you communicate with us, whether through email or other means, your communication does not establish an attorney-client relationship with either Miles & Stockbridge P.C. or any of the firm's lawyers. At Miles & Stockbridge P.C., an attorney-client relationship can be formed only by personal contact with an individual lawyer, not by email, and requires our agreement to act as your legal counsel together with your execution of a written engagement agreement with Miles & Stockbridge P.C.