Late to the party I know, but a really interesting case came down from the 7th Circuit that confirmed that data breach coverage is not included in a homeowners policy. Cyber insurance, or cyber liability insurance, is a separate insurance product, much like auto or boat insurance and isn’t usually in the same policy. Cyber liability insurance has mostly been bought by companies and hospitals that are worried about data breaches and the regulations requiring notification and remediation i.e. state data breach laws and HIPAA/HITECH security, privacy, and data breach rules.
In this case in particular, an accountant was seeking coverage under his homeowners insurance after having PII stolen from his car (Shocker!). The company – a pension fund - he worked for was required to notify the affected individuals from the data breach, but then came after the accountant for the cost of breach notification and monitoring which was in the $200,000 range.
The accountant tendered the claim to her homeowners insurance carrier but Nationwide denied coverage. Since the CD was “in the care of” the insured at the time of the theft, an exclusion applied and no coverage was found. Nationwide then filed this declaratory judgment action. The District Court ruled no coverage existed and an appeal was filed. The 7th Circuit affirmed that the “in care of” exclusion barred coverage because while the data was not in the insured’s personal possession, the CD was in her exclusive control and care at the time of the theft. The Court also held that the business exclusion precluded coverage for losses arising out of, or in connection with, a business conducted by an insured.
Now it would have been smarter for the pension fund to have had cyber liability insurance as a way to cover the risk of this kind of data breach – to cover not only their employees but external risk as well – but instead of being proactive they had to be reactive.
You can read the full article here: FEDERAL COURT HOLDS NO DATA BREACH COVERAGE UNDER A HOMEOWNERS POLICY