A Close Look at Identity Theft Coverage

The rash of recent media reports about the personal information of millions of individuals being exposed to potentially unscrupulous people has focused new attention on the risks of storing that kind of information. It is also bringing attention to insurance coverages that may help manage those risks.

The news stories have come weekly, if not daily. ChoicePoint, the records of 145,000 people; California State University, Chico, 59,000 people; Boston College, 120,000; Bank of America Corp., 1.2 million federal workers; shoe retailer DSW for 1.4 million customers; LexisNexis, originally reported to be 32,000 people but actually turning out to be 310,000; and Polo Ralph Lauren Corp., more than 180,000 customers.

From a third-party liability perspective, producers and buyers need to carefully review available forms because the coverage for security breaches and identity theft varies considerably from policy to policy, when available at all.

A random survey of 16 technology E&O forms found that 62 percent of them provided no coverage or only partial coverage in their base forms for what is often referred to as unauthorized access, unauthorized use and associated coverages. The coverage is more widely available in the base forms of internet E&O policies, where 67 percent of the forms reviewed provide coverage.

But the variation in language, even among the companies that do provide at least some coverage, warrants a careful review by the buyer and producer. Most forms will require that the security breach, however it is phrased, take place when the insured is providing insured services for others. But there are significant differences among policies.

A few things to think about:

At least one technology E&O form limits coverage to breaches of the systems of the insured’s customers while excluding coverage for a breach of the insured’s own system. That could be troublesome for a company that maintains customer data on its systems in the course of performing insured services for the customers and is sued for failure to adequately secure the data.

Another form, this one providing internet coverage, states that it covers unauthorized access to or use of a system, but it also contains some interesting exclusions. One example is an exclusion for claims related to an insured’s failure to take reasonable measures to establish, use and maintain security.

Every carrier wants its insureds to take reasonable precautions, and most companies will make their underwriting decisions based on an evaluation of the adequacy of the applicant’s level of care. But the prospect of judging reasonableness of security procedures with a 20-20 hindsight view in an area as volatile as computer security could be an uncomfortable prospect for an insurance buyer.

One company’s internet policy covers liability for failing to prevent non-insureds from gaining unauthorized access, but not for failing to prevent an insured party from unauthorized access. This distinction raises interesting issues given that studies indicate the largest group of unauthorized access and use comes from insiders.

In the ChoicePoint situation, reports indicate that con artists signed up with the company to purchase its reports, providing a clear path to buying sensitive data on individuals. In the aftermath, ChoicePoint reportedly is tightening its procedures on qualifying its customers.

However, consider the situation if an E&O carrier states in its coverage agreement that it covers claims arising from “unauthorized access to” and “unauthorized use of” systems and information. In one sense, the access to and purchase of the information was authorized, albeit authorization was granted under false pretenses. Could an insurance carrier argue that there is no coverage since the claim arose from an authorized access, rather than an unauthorized one? If taken, such a position surely would spark a debate over whether authorization under illicit circumstances is authorization at all. Better for the insured, however, that a policy specifically state that it covers identity theft and/or credit card fraud, or that the policy at least grant coverage for negligence generally in the performance of insured services and not contain an applicable exclusion.

Another company makes clear that it provides no security coverage in the base form of its technology policy. Extremely clear. It goes so far as to state that if someone suffers injury related to a security breach or unauthorized access or use of any computer equipment or programs or data, then the insurance does not apply. The policy does not apply to any injury related to that security breach or unauthorized access, regardless of whether the insurance would otherwise have applied to all or part of the injury.

Every policy has its limitations. Every carrier knows what kinds of risks it is willing to assume in exchange for a premium. It’s not likely that any policy will provide a complete solution to all risks. But it takes a careful review of the policy and of each insured’s particular needs to determine what policy will be most suitable for each buyer.