More and more companies – both big and small – are migrating and storing their data in the cloud. While cloud computing offers benefits over traditional storage methods, such as flexibility, accessibility and capacity, cloud computing comes with its own set of data-security risks. The most high profile of these risks is the good old-fashioned data breach, which, in 2014 alone, struck such trusted household names as Target, Home Depot, Google, Neiman Marcus and JP Morgan Chase. See Bank Info Security, Infographic: 2014’s Top Breaches So Far. These breaches can also result in hundreds of millions of dollars in losses and send a publicly-traded company’s share price tumbling. See Forbes.Com, Target Shares Tumble as Retailer Reveals Cost of Data Breach. But, data breaches are just the tip of the iceberg when it comes to cloud-security threats. Other risks can be far less nefarious, such as a data loss, which can be the result of simple human error or negligence. For example, over one weekend in 2011, many Amazon Web Service customers lost data as AWS’s EC2 cloud suffered a “mirroring storm” due to human operator error. See InformationWeek, 9 Worst Cloud Security Threats.
To meet the emerging threats relating to cyber-security risks, insurers have developed a myriad of insurance products to protect policyholders for both their own first-party losses as well as potential third-party liability. However, coverage for cyber risks is far from standard; terms and conditions of these policies vary from insurer to insurer and from policy to policy. Indeed, a closer inspection of these insurance products reveals that they may not fully protect a policyholder for loss or liability resulting from cloud security risks.
For example, coverage under technology liability policies typically hinges on whether or not a loss results from an insured’s “Technology Activities” or “Technology Services,” which are typically defined terms under the policy. The problem, however, is that while an insured’s data is being hosted or transmitted by a third-party cloud-service provider, that third-party’s services may be outside the policy’s definition of “Technology Activities” or “Technology Services.” Moreover, many technology liability insurance policies are ambiguous as to whether a cloud-service provider’s hosting services fall within such definitions.
For coverage to apply for a loss in connection with, for example, a “data loss” or a “data breach” while the insured’s data is being stored or transmitted by a third-party cloud-service provider, the insured must make certain that its policy’s definition of “Technology Activities” or “Technology Services” specifically includes the hosting of data relating to the insured’s services, whether that data is hosted by the insured or by a third-party provider or vendor.
Another critical issue in reviewing coverage is determining whether a technology liability policy contains any exclusions that could nullify coverage for cloud-security risks. An exclusion seen in some technology liability policies precludes coverage for the “failure or default by a third party to supply any service.” To address this exclusion for our clients, we routinely request an exception to the exclusion for “Insured Computer Systems,” (or the analogous term) to make sure that any systems operated by an IT service provider, such as a cloud computing vendor, are covered.
These are but two examples of the numerous insurance issues that may be encountered with respect to a decision to move data to the cloud. Other additional issues may also be relevant, depending on proposed policy language.
If your organization is storing data in the cloud, or is considering such a move, standard cyber coverage products may not afford adequate protection. The best way to address the problem is to specifically negotiate coverage for cloud-based risks. Many insurance brokers, however, don’t recognize the problem, or are unable to propose language that will solve the problem. Other insurance brokers may be uncomfortable suggesting changes to a policy, given their close financial and business relationships with the insurers that issue the policy. Accordingly, seeking input from qualified insurance coverage counsel prior to a cyber-disaster may be the best course of action.
Miller Friel, PLLC is a specialized insurance coverage law firm whose sole purpose is to help corporate clients maximize their insurance coverage. Our Focus of exclusively representing policyholders, combined with our extensive Experience in the area of insurance law, leads to greater efficiency, lower costs and better Results. Further discussion and analysis of insurance coverage issues impacting policyholders can be found in our Miller Friel Insurance Coverage Blog and our 7 Tips for Maximizing Coverage series. For additional information about this post, please email or call Miles Karson (KarsonM@MillerFriel.com, 202-760-3165).