Over the past few years, there has been a rapid increase in cloud data storage and hosting availability. As a result, many businesses find that switching to these services provides a cost-effective solution for their information technology needs. The incentive to change is incredibly real for smaller companies, who don’t have the funds nor the need for a large and complex self-hosted information technology system. At a glance, the switch to a third-party data host may provide businesses with countless benefits. However, many companies do not consider the potential risks of storing their data with another party. And as a result, they fail to recognize the need to insure themselves from the dangers of using a third-party data host.
For many businesses, their stored data is their livelihood, and they would face dramatic consequences if they lost access or otherwise have their data impaired. When using a third-party host, protecting their data is out of their hands, but third-party data hosts are not immune to storage failures, data breaches, and other business issues, which may jeopardize the data’s safety. When using a third-party storage provider, businesses may think that they have transferred the risk to the host, but this is frequently untrue. Thus, when using a third-party data host, businesses should ensure that they have adequate insurance coverage to protect against any loss or damage to their data stored on the other parties’ services.
Generally speaking, the data owner’s commercial general liability insurance would not protect against any data loss. In October 2001, the Insurance Services Office expressly excluded electronic data from “tangible” property damage coverage in their commercial general liability forms. Kendall Bodden, Tangible Cash for an Intangible Loss? Insurance Coverage for Damage or Loss of Third-Party Data, 1 Shidler J. L. Com. & Tech. 6, 2 (2005). Consequently, many businesses purchase standalone “cyber insurance,” believing that such a policy would protect them from data loss.
However, cyber insurance policies are not ‘one-size fits all’ solutions, and policyholders must assure that their policy covers their organization’s needs. Small distinctions plague cyber insurance policies, which create dangerous pitfalls for policyholders. Accordingly, a policyholder should carefully analyze their policy to make sure it aligns with their needs. Specifically, for businesses that are hosting their data on a third-party service, they should ensure that their coverage protects them from the damages from data loss data and any subsequent business interruption caused by the loss.
When seeking to protect themselves from the loss of data stored on a third-party system, the policyholder should confirm that their cyber insurance policy covers them against third-party liability costs. In particular, a policy should contain language that would protect the insured from harm caused by the acts, errors, or omissions of third-party subcontractors, vendors, and “cloud” providers. Some insurers may be hesitant to include this language, and some providers go as far as to exclude it expressly. Roberta Anderson, Viruses, Trojans, and Spyware, Oh My! The Yellow Brick Road to Coverage in the Land of Internet Oz, 49 Tort & Ins. L.J. 529. Thus, policyholders or prospective purchasers must closely read and examine their policy to confirm that the policy includes this protection.
Besides specific language targeted towards third-party cloud providers, a cyber insurance policy should contain language outlining ‘Contingent Business Interruptions’ (CBI). Unlike traditional business interruption coverage, CBI coverage protects the policyholder concerning incidents involving not the insured’s property, but the property of another partner or entity. As such, CBI is the most promising coverage for losses caused by cloud contingent business operations. Lon Berk, CBI for the Cloud, 21 A.B.A. COMM. INS. LITIG. COVERAGE 1, 7 (2011). In most cases, harm caused by loss of access to the cloud is covered under ‘legacy’ contingent business interruption forms. Id. However, it is still important to closely review the complete policy to ensure that cloud interruptions are included in your specific policy.
While having proper insurance coverage is a crucial part of protecting against data loss and other issues with the cloud, purchasers of cloud-based services should confirm that the vendor has sufficient insurance coverage themselves. At a minimum, businesses should confirm that their vendors have both a cyber insurance and errors and omissions policy and that those policies cover both the cost to repair the data breach, any lost profits or business interruption losses due to the breach, and any damages incurred to third parties (e.g. customers or clients) due to the breach. Ensuring that the provider has adequate insurance coverage increases the likelihood that the data owner is fully compensated and protected in case of a breach or other data loss incident.
Cloud-based storage solutions are, more frequently than not, a cost-effective and relatively safe solution for businesses. However, cloud storage systems are not bullet-proof, and business owners must protect themselves from the risks of data loss and other cloud-related issues. Therefore, purchasers of cloud services should carefully examine both their vendors and their own insurance policies to ensure they have sufficient coverage to mitigate their cyber risk. The attorneys at Rose & deJong have experience analyzing cyber insurance policies and negotiating agreements between businesses and storage providers to assure that both parties have ample protection against data loss and other complications.