Cyber Risk Management For Businesses

By Michael Salad, Esq. and Peter Fu, Esq.
Increased reporting about data breaches
in the popular media has caused the
mistaken belief that cyber risks are
limited to the sphere of e-commerce.
In reality, cyber risks are broad –
represented by virtual hazards that
individuals and organizations encounter
on a daily basis. As modern society
increasingly relies on data technologies,
the magnitude of virtual hazards
continues to grow correspondingly.
The continuous evolution of the
electronic data continuum often leaves
users overwhelmed and unable to
understand the impact that cyber risks
have on professional and personal lives.
To simplify the landscape, this paper
compartmentalizes cyber risks in to
three traditional categories of liability:
government enforcement, insurance
coverage and litigation defense.
Government Enforcement – Federal
Cyber risks associated with government
enforcement are the indirect risks of
utilizing data technologies. This type
of risk is often the greatest potential
liability that users encounter because
the threat of fines, penalties or loss of
license are far more likely to occur than
a data breach.
Federally, cyber risks generally consist
of liabilities relating to finance, health
and national security data. Financial
professionals are required to comply
with the Gramm Leach Bliley Act
(“GLBA”), which requires financial
institutions to implement standards
to limit the purposeful disclosure or
unauthorized access to consumer
nonpublic information. These standards
require consumers to be notified of
authorized and unauthorized disclosure
of nonpublic information. The Health
Insurance Portability and Accountability
Act (“HIPAA”) requires most of the
healthcare industry to comply with
federal data retention and storage
laws. Congress authorized national
defense and intelligence agencies to
compel data disclosure by businesses
that store personally identifying data,
including daily financial penalties from
failures to comply.
Federal laws regarding cyber risk
are industry specific, which causes
companies that provide hybrid
services to become highly vulnerable
to regulatory liabilities. For example,
the GLBA provides that unauthorized
access of data requires notification to
the affected customers. However, under
HIPAA, only wrongful transmission of
data requires the same notification.
Government Enforcement –
New Jersey
The State of New Jersey mandates
similar requirements to GLBA and
HIPAA. New Jersey law also requires
notification to the New Jersey State
police, certain credit monitoring
bureaus, as well as to consumers in
the event of an electronic data breach.
New Jersey law defines a breach as
any unauthorized access to consumer
personal information.
Additionally, New Jersey legislators
have recently proposed legislation
that would subject online service
providers and businesses that utilize
any electronic platform subject to sales
and use tax.
Insurance Coverage
Cyber risks associated with insurance
coverage are also indirect risks
of utilizing data processing and
retention technologies. Cyber risk is a
comprehensive concept that includes
mechanical failures in hardware to
malicious third party actions.
Prior to 2014, adverse electronic data
events were highly disputed among
regulators and insurance consumers.
The only insurable electronic data
events under a general commercial
liability policy were events that were
directly incident to the physical
destruction or physical theft of data
processing or retention devises. An
enormous gap in insurance coverage
was created for businesses facing
increasingly common cyber risks such
as data breach or loss.
For example, an accounting firm with
standard general commercial liability
coverage could not claim a business
loss for a loss of customer data, even
if the losses arose from the physical
destruction of a server or computer.
Similarly, loss of customer data that
arose from virtual destruction of a
server or computer were not covered
by insurance.
In 2014, insurance regulators in all but
four states in the United States agreed
to permit the Insurance Service Office,
the insurance industry conglomeration
responsible for promulgating all
standard insurance coverage forms,
to specifically exclude all cyber events
from general commercial liability
policies, effective May 2014. As such,
cyber risks have become akin to flood
risk but without the safety net of
federal flood insurance.
Cyber events are widely treated as
catastrophic events by insurance
companies. Accordingly, negotiating
a reasonable cyber risk insurance
policy can be very complex. Businesses
and individuals unfamiliar with the
electronic data life cycle should seek
professional assistance to ensure
appropriate coverage for cyber events.
Litigation Costs of Cyber Risks
Cyber risks associated with litigation
are direct risks that arise from data
processing and retention technology.
These risks are broader than data
breaches and encompass consequential
costs of utilizing technology. The
best way to mitigate cyber risks is
to contractually agree to alternative
dispute resolution for all contracts
involving the exchange of electronic
data. Along with reduced litigation
costs, the adjudicator in such disputes
is often selected due to an expertise
with cyber risks, minimizing the risk of
judges or juries unfamiliar with data
processing and retention capabilities.
1] 15 U.S.C.A. § 6801
[2] 15 U.S.C.A. § 6802
[3] 42 U.S.C.A. § 1320d-1
[4] 6 U.S.C.A. § 1861
[5] 6 U.S.C.A. § 121
[5] 6 U.S.C.A. § 121
[6] N.J. Stat. Ann. § 56:8-163
Michael Salad can be reached at 609.572.7616
or [email protected]
Peter Fu can be reached at 609.572.7556 or
[email protected]