A recent lawsuit highlights the importance of a data breach insurance policy that specifically covers the losses suffered during an IT security incident.
In 2005, DSW Shoe Warehouse was the victim of a data breach in which hackers stole financial information of more than 1.4 million customers, causing an estimated $5 million of damage to DSW.
The company tried to get compensation for those costs from its insurance policy — however, the insurance company refused to pay.
Although DSW lacked data breach insurance, its general crime policy contained a clause providing coverage for losses “resulting directly” from a data breach incident. According to the insurance company, the $5 million included money for customer communications, public relations campaigns, funding for investigations, legal fees, etc. — which did not directly result from the data breach.
In other words, since the hackers didn’t directly steal money from DSW during the breach, the company wasn’t owed any reimbursement under the policy. DSW disagreed and took the insurance company to court.
A panel of judges agreed with DSW and ordered the insurance company to pay (Cite: Retail Venture, et al. v. National Union Fire Insurance). According to the court, the wording of the policy was ambiguous and should therefore be interpreted in the insured party’s favor.
Although DSW won in the end, many observers warn that the case could have gone either way and that the long legal battle shows why companies should have data breach insurance policies that specifically provide coverage for losses due to IT security incidents.
Since DSW’s breach, insurance companies have changed the way policies are worded, and experts say it could be even tougher now to get reimbursement for data breach losses under a general policy.
Does that mean all companies need data breach insurance? A survey from earlier this year showed businesses are mostly split, with just under half (46%) purchasing cyber insurance policies. Experts recommend that companies assess their own cybersecurity risk and compare the cost of insurance premiums with the potential costs of a data breach at their organization.