General liability insurance is not a substitute for a specialized cyber crime insurance
In a recent case, a General Liability Insurance (CGL) was provided by The Hanover Ins. Co to Innovak Int’l, Inc.. The clause in the policy mentioned “injury … arising out of … [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” The plaintiff suffered a #data #breach losing
Social Security numbers, addresses, telephone numbers, dates of birth, and other personal information of their customer database. The defendant refused to cover the plaintiff towards the class action and foreseeable damages. The court ruled in favor of the insurer reliving them of their liabilities. Furthermore, the court found the plaintiff to be negligent for not been able to safeguard information.
[N]egligence [is] the failure to exercise due or reasonable care. In order to prevail on a claim for negligence, a plaintiff must prove [among other things] the existence of a duty of care [and] a breach of that duty.
Now in Innovak Int’l, Inc. v. The Hanover Ins. Co. After the plaintiff suffered the class action lawsuit it is highly unlikely that a court would allow to shift the burden. Additionally, the court also found during the summary judgement that the insured be a publisher of sensitive information in order to trigger the coverage.
The burden of proof on Innovak Int’l, Inc was to show contractually obligated under a commercial general liability insurance policy to defend Plaintiff in a class action filed against Plaintiff in the United States District Court for the Middle District of Alabama styled as Bohannon, et al. v. Innovak International, Inc, during the called for summary judgment. However, they failed and turns out this would become precedence for upcoming cases.
Goes to show the importance of:
Due diligence. This is where the company should have sat down and analyzed their all risks.
Involving the right people. Involving legal and compliance during such product purchase to ensure that all the risks are mitigated or reduced to a great extent.
Risk Assessment. risk assessment, amongst other things, of the data, nature of data, how is used, how it is stored, and means of access. The risk as witnessed in this case was the omission of contractual liability. Though the policy had the right words it did not have the right measure to invoke the same.