New Cyber Liability Rules for Businesses: What CFPB's Latest Issuance Means for You
Here's another reason why you might want to look very seriously at cyber liability insurance: the Consumer Financial Protection Bureau, an arm of the federal government, has promulgated new clarification of the rules about liability for being hacked. In fact, it says that financial institutions and their service providers can be held liable for maintaining insufficient data protection or insufficient information security.
For example, if your company gets hacked and the fraudster, the hacker, gets your entire customer list—maybe with addresses, emails, social security numbers, credit card numbers, maybe even driver's license copies—and that information goes out into the dark web, you could be held liable as a company for not maintaining sufficient data protection. What does that mean? Well, that's very subjective. The fact that the data was stolen probably indicates that you didn't have sufficient data protection—that proves it right there. So now you're on the hook for whatever losses, damages, fines, expenses, and penalties you have to pay.
You might want to look at a cyber liability policy that pays those. Not every policy pays those expenses, so you want to make sure that if that's the kind of coverage you want, that that's what you're getting from your insurance provider. Because not every cyber policy is going to pay those fines, you want to get one that pays those if that's what you're looking for. It might cost a little more. At the same time, that cyber policy will probably also have requirements that you have to follow to keep the policy in force that will keep this from happening. It will make sure that it monitors your network and your best practices so that you're less likely to have this type of event hit your company.
Here’s the official wording from the Consumer Financial Protection Bureau. It was issued August 11th of this year. The circular that came out is titled "Insufficient data protection or security for sensitive customer information." The question it answers: can entities violate the prohibition on unfair acts when they have insufficient data protection? The Consumer Financial Protection Act (CFPA) says that it’s an unfair act or practice if you do certain things. Well, now they’ve included insufficient data protection in that list. The answer is yes: in addition to other federal laws such as the Gramm-Leach-Bliley Act and the CFPA, inadequate security for sensitive customer information can constitute an unfair practice in violation of the U.S. Code.
How big of a deal is that? Well, these requirements often overlap, but they are not co-extensive, meaning that they can hit you with both. Acts or practices are unfair when they cause or are likely to cause substantial injury that is not reasonably avoidable. “Reasonably avoidable”—that’s your key right there. So, if you take reasonable efforts to avoid it, this might give you a little bit of a reprieve from the penalties. How do you reasonably avoid it? Well, if you have best practices, what are those best practices? How do you know that your practices are the best practices that are reasonable?
If you are a client of a cyber liability company and they tell you one of the best practices in the industry, you might be able to use that as a defense against these claims. Remember, we’re not attorneys, we’re not giving you legal advice; you want to get that from a licensed, qualified attorney, not an insurance agent. But here are some examples the circular gives: inadequate authentication, inadequate password management, and software update policies. Are you updating your software? These practices are likely to cause substantial injury to consumers, and it’s not avoidable by consumers. The consumer can’t avoid the loss once they give you the information; they’re trusting your company to keep that information safe, and if you don’t take reasonable care, that could be not just a violation, but an unfair business practice.
What they’re going to say is you used this lackadaisical business practice to be at an advantage over your competition. If you’re not taking the time and care and effort to pay attention to your customer data, now you have an advantage in the marketplace. It’s unfair because everybody else has to do it, and you don’t. That puts you at an advantage, which isn’t fair.
CFPA defines an unfair act as an act or practice that causes or is likely to cause substantial injury, which is not reasonably avoidable and not outweighed by countervailing benefits to consumers or competition. This is something to be very, very aware of. Your company more than likely collects consumer information—almost every company does—and if you have it in your possession, you retain it, you’re responsible for it. Now it’s on you. So, make sure that however you're doing it, you execute best practices in your industry and you get external feedback on what those practices are, whether it’s from an insurance company, from a tech company, or from an attorney, to make sure that your practices are not accidentally putting your customers at risk.
And it doesn’t have to be big volume. A practice causes substantial injury when it causes significant harm to a few customers or a small amount of harm to many customers. So, if you have a thousand customers that are slightly inconvenienced, that could be substantial injury. If you have two customers that are devastated, that could be substantial injury. So you can’t get out of this by just saying, “Well, they didn’t have that much damage done to them.” They just had to freeze their credit for a month or maybe get a new credit card number. Well, if it happens to 10,000 customers or 1,000 customers, that could be substantial injury. Or you might say, “Well, it only happened to two customers.” Well, if they couldn’t get a mortgage because their credit score was ruined, that could be substantial injury.
Here’s where it gets worse: actual injury is not required to satisfy this prong in every case. A significant risk of harm is also sufficient. Think about that—you don’t actually have to have customers that are harmed, just customers that are at risk of harm. “Likely to cause” is the key. If what you’re doing makes the customer likely to have harm done to them, you could be in trouble. So make sure you’re aware of this. Take whatever action you think is appropriate in your company. These Consumer Financial Protection Bureau circulars are issued to all parties with authority to enforce federal consumer financial law. So this is enforcing a law; this isn’t just an administrative thing. It’s a very serious form of governmental oversight. And sometimes it doesn’t happen directly. Sometimes they may find out from a customer; they may find out because they’re looking into something else in your company.
So you want to make sure you have best practices. A couple of recommended ways of doing it: get good legal advice, and get a very good cyber liability insurance partner. They can tell you best practices and put them in place, and you have coverage if, God forbid, something happens. Because if something does happen, even if you try a defense that says, “Look, I used best practices. I tried to avoid this,” it’s up to the enforcer, judge, or jury to say whether you did or not. So you want to have coverage just in case things don’t go the way you thought they would. Because things change over time, what you think is best practice today could be very negligent three years from now. So having good coverage could be important, or getting good technical advice from a qualified tech company that knows what they’re talking about. But just make sure they have insurance too.