Does your company rely on mobile workers? If it does, the worker likely is a “+1,” an employee who carries both a mobile device and a tablet. And those mobile workers who need to access data may be using a consumer cloud like Dropbox, SkyDrive or Google Drive to get that access.
However, this mass migration of data to the consumer cloud, happening without much IT oversight and control, may expose the company to unknown security risks. If you follow the industry, you’ve seen that there have been data breaches at consumer cloud providers.
The cloud also has given rise to lawsuits. For example, Dropbox was sued in federal court in California in a class action suit regarding alleged data security issues; the case was dropped later that year. And LinkedIn, a cloud provider of a different nature, was sued in federal court in a proposed class action arising out of an alleged hack, although it recently won a motion to dismiss the action.
Sony’s PlayStation Network, another form of the cloud, was hacked, allegedly facilitated by another cloud provider, and Sony was sued both by consumers and some of its insurance companies. Sony’s general liability insurance company, Zurich American Insurance Company, then added insult to injury by suing Sony rather than providing coverage. Zurich has asked the court to rule that other Sony insurance policies would cover the claim before Zurich’s policy, in addition to asking for rulings that Sony’s general liability insurance policies do not provide coverage for the data breach claims.
So what kind of risk do companies face when their mobile workers are using the cloud, and will their insurance cover cloud-based risks? Let’s take a look.
What are the risks?
There are two general categories of risks and potential liabilities for users of the cloud: first-party risks and third-party risks. Generally speaking, first-party risks include lost income or business because of a cloud outage, the inability to access the cloud, or lost data. Third-party risks include the cloud user’s potential liability to customers or to various governmental or regulatory entities. These potential risks include lawsuits or claims from third parties resulting from a data breach or other cyber event. Other risks, which may be seen as both first- and third-party costs, include the costs to provide notifications after data breaches (if those costs are not the responsibility of the cloud provider), payment card industry (PCI) liabilities, and other data breach- and privacy-based costs.
Will your insurance cover the risks?
When considering a move to the cloud, give thought to one of your company’s most important assets – its insurance policies. Time spent with your broker and outside insurance coverage counsel, discussing and understanding the potential scope of coverage under your company’s insurance policies for cyber and privacy risks, becomes even more important when thinking about moving to the cloud.
The best place to start this analysis is by reviewing your company’s cyber insurance policy.
Next, take a close look at your company’s entire portfolio of insurance policies. Coverage may be available under traditional forms of insurance such as commercial crime, first-party property, and commercial general liability (CGL) policies. Regarding commercial crime policies in particular, the U.S. Court of Appeals for the Sixth Circuit found coverage for certain costs relating to a data breach (though not necessarily related to the use of the cloud) under a computer fraud endorsement to a crime insurance policy. Also consider whether business interruption or contingent business interruption coverage within a first-party property insurance policy would provide coverage for a cloud-based interruption.
Companies should not assume that their insurance companies will agree that coverage for cyber risks related to the cloud is provided by so-called traditional forms of insurance. To protect against such risks, companies may look to cyber insurance policies that are marketed expressly as providing coverage for cyber-related loss.
What should companies look for when considering insurance for cloud-related risks?
Cyber insurance comes in many forms and variations. This growing insurance marketplace has led to a variation in forms and coverages being offered by insurance companies.
1. Look at whether cloud computing is covered specifically, and, if not, how broadly the coverage is written.
In the past, it was rare to see cloud computing in a cyber insurance policy, but now certain insurance carriers have started using that term in their forms. If the insurance policy specifically references the cloud, determine whether any special terms and conditions apply. Consider whether there are specific exclusions or coverage limitations specific to cloud-based risks.
For those policies that do not use the term “cloud” or “cloud computing” specifically, pay close attention to terms such as “network” or “computer system,” as those terms may directly affect the scope of coverage for cloud-based risks. Also, pay attention to limitations on the use of outsourcing, vendors, or other third-party service providers. Those terms may be written in a way that could encompass the outsourcing of hosting or support. If so, the insured should have a strong argument that cloud services are covered.
2. Determine whether sublimits and deductibles or retentions apply to cloud-related risks.
Modern insurance policies typically have limits of coverage that apply, capping the total amount of insurance that is available under the policy. Some policies have sublimits. Policies that contain sublimits of coverage may result in lower insurance policy limits being available for certain risks or types of claims. For example, an insurance policy may have a total policy limit of $10 million, but a sublimit of $5 million for cloud-based claims.
Also note that certain insurance policies have deductibles or self-insured retentions that apply to cloud-based risks. If so, that could limit the total amount of true coverage available for claims.
3. Consider the geographic scope of coverage.
Some cybersecurity insurance policies, like first-party property insurance policies, may contain coverage based on events or incidents that take place in a certain territory, such as the United States, or for events or incidents that take place within a certain distance from the policyholder’s place of business. Considering the geographic limitations of a cybersecurity insurance policy is critical, in light of cloud providers and other vendors that may host data and software outside of the United States, as well as the increased amounts of global travel for company employees.
For companies based outside of or doing business outside of the United States, consider the issue in reverse: will the insurance policy cover any risks related to data sovereignty issues for countries outside the United States, for data hosted inside the United States (and outside those countries’ borders)?
4. Consider the scope of coverage for first-party risks relating to the cloud.
Companies should pay close attention to the scope of insurance coverage afforded for first-party losses relating to the cloud. If the company is unable to access the cloud for data, applications, or other purposes, how will the insurance apply?
Would another insurance policy, such as a first-party all risks insurance policy, apply if the risk was based on a weather-related incident? Would the cybersecurity insurance policy apply if there was a denial of service attack at the cloud provider? How long must the service be unavailable before the insurance policy provides coverage, and must the outage be continual?
5. Analyze the terms and conditions of contracts with cloud providers.
Companies also should look carefully at their contract with their cloud provider to understand what it will and won’t do for them in case of future issues. Cloud users should consider which company bears the risk of a data breach, and how much liability is transferred or retained for first-party risks, such as cloud unavailability. That knowledge will help companies in their risk transfer processes.
Scott Godes is an attorney with Dickstein Shapiro LLP. He is the Leader of the Intellectual Property Insurance Practice within the Insurance Coverage Group. He devotes a significant portion of his practice to representing corporate policyholders and insureds in complex disputes with their insurance companies. He also counsels policyholders regarding risk management and insurance coverage issues. He may be reached at firstname.lastname@example.org. Mr. Godes also writes the award-winning Corporate Insurance Blog and is on Twitter @insurancecvg.