In an article published in the Bloomberg BNA Privacy and Security Law Report, Kelley Drye senior associate Ken Kronstadt analyzes the insurance coverage landscape for physical damage that results from a data breach or hacking event.
Internet-connected devices have become increasingly prevalent, and there is no sign that this trend is slowing. However, this soaring level of internet connectivity poses a risk of physical damage to property or bodily injury as a result of a breach—a risk far less likely to be covered under a cybersecurity insurance policy than traditional breach-response and litigation costs. The idea of hacking into web connected devices, cars, or even medical devices is already a reality. Furthermore, hackers have exploited security vulnerabilities within the manufacturing, energy, and utilities industries in recent years, causing massive physical damage and significant losses, and placing human lives at risk.
Cyber insurance policies are increasing in popularity, and policyholders often assume that these types of policies provide comprehensive coverage for all damages and liabilities related to a data breach or hacking event. However, even though coverage under cyber insurance policies is still evolving and varies greatly between carriers, such policies nearly universally exclude coverage for physical damage resulting from a breach event.
Policyholders often assume that the types of policies typically called upon to provide coverage for property damage – commercial general liability (CGL) or property policies – will cover physical damage resulting from a breach event, but such policies often do not. CGL policies almost universally exclude coverage for virtually all data breaches and hacking events. Property insurance policies come in two basic forms: named peril policies and “all risk” policies. Named peril policies rarely, if ever, include a cybersecurity event as a covered cause of loss. And while an “all risk” property insurance policy is far more likely to cover physical damage stemming from a cyberattack or hacking event, some carriers are still reluctant to take on such risks.
To read the full article, click here.