There was a time when general contractors and subcontractors were considered low-risk hacking targets since their networks are not vast repositories of traditional hacker targets like credit card numbers.
The advent of sophisticated hacking tools like ransomware (where your network data is encrypted and cannot be accessed unless you pay a ransom) and the fact that little technical knowledge is now needed in order to become a hacker due to hacking tools sold at low prices on the Internet mean that all businesses of any significant size are at serious risk. So, if your business does not have cyber insurance, you should consider it.
But what happens if you are hacked, the personal information of your employees is spread all over the Internet and you don’t have cyber insurance? Is all lost?
Not necessarily. In the major recent decision Travelers Insurance v. Portal Healthcare Solutions, a federal court of appeals held that a cyber incident was covered, at least in part, by the victim company’s commercial general liability ("CGL") policy. While policy forms and endorsements vary, a common CGL form covers “personal and advertising injury,” which includes “oral or written publication, in any manner, of material that violates a person’s right of privacy.” In the federal court case, the insurer argued that “publication” meant publication by the insured, not by a hacker, but the court said in effect that “publication is publication” and found coverage.
Even if your firm has cyber insurance, that coverage is sometimes designed to integrate with your CGL, and you may need to make claims against both policies if you suffer an incident.
The purpose of this article is not to disparage cyber insurance and encourage reliance on CGL alone. The coverage offered by CGL, if any, for a cyber incident is limited to certain specific circumstances, and a good cyber insurance policy provides much broader coverage, including protections against resulting costs like internal investigations that do not relate to a claim of legal liability usually required to trigger CGL coverage. However, it is buyer beware while shopping for cyber insurance since (unlike CGL) the policy forms are not at all standardized and, in poor policies, exclusions buried in the fine print can negate many of the expected benefits. Obtaining experienced advice in shopping for a cyber policy is highly recommended.
But if your firm suffers a breach, don’t forget the old standby that every contractor has: commercial general liability. It may save the day.