Any lawyer, consultant, or insurance provider involved in the cybersecurity field should be deeply familiar with personal data breach reporting obligations. In particular, every U.S. state has enacted a data breach notification law that requires organizations to provide notice of certain types of data privacy incidents to the individuals whose personal data has been compromised. The federal government has also imposed similar obligations on businesses within certain sectors (e.g., health care, financial). These laws are based on the common understanding that the earlier an organization notifies individuals that their personal data has been compromised, the earlier those individuals can implement security measures to better protect themselves from identity theft and other harm.

Accordingly, one of the core issues to consider regarding a cyber insurance policy is the extent to which it covers the expenses a business incurs when drafting and transmitting these breach notification letters to affected individuals. Depending on the exact policy and the circumstances of a covered breach, these expenses can include costs for retaining breach counsel, publishing notice of the incident in media outlets, printing and mailing breach notification letters to the affected parties, maintaining customer/contact service centers, and furnishing affected parties with identity theft and credit monitoring services. These are often referred to as Privacy Event Expenses because they are directly related to the compromised privacy of an individual's personal data.

However, several federal laws and regulations require organizations within specific business sectors to report data security incidents to government agencies, regardless of whether any personal data has been compromised in the incident. Here are just a few examples:  

  • Chemical Sector. Certain types of chemical facilities that are determined to be high risk must comply with the Chemical Facility Anti-Terrorism Standards (CFATS) regulations, which include a cybersecurity component (see 6 CFR 27.230(15)). The CFATS regulations require covered facilities to establish protocols for identifying and reporting significant cyber incidents to appropriate facility personnel, local law enforcement, and the U.S. Department of Homeland Security (DHS) in accordance with their site security plans.
  • Maritime Entities. The U.S. Coast Guard (USCG) has issued several cybersecurity requirements to operators of vessels and facilities that are subject to the Maritime Transportation Security Act (MTSA), which include mandates that these entities report suspicious cyber activities and breaches of security to federal authorities and other security personnel in accordance with their facility site plans (see USCG, 5P Policy Letter).
  • Supply Chain. Organizations that (voluntarily) enroll in the Customs Trade Partnership Against Terrorism (C-TPAT) agree to work with U.S. Customs and Border Protection (CBP) to safeguard the supply chain and implement specific related security measures and best practices. CBP has created minimum security criteria for C-TPAT members, which include developing and maintaining systems to identify unauthorized access of their IT systems/data and reporting potential threats to, and security breaches within, international supply chains to federal authorities and others.
  • Government Contractors. A broad range of government contractors are required to comply with stringent cybersecurity standards and report cybersecurity incidents involving sensitive government data in their custody or control to their contracting agency. These notification timelines vary by federal agency and can range from 1-hour incident notification timeframes for certain DHS and Department of Energy contractors to 72 hours for Defense Department contractors.

And the list of these types of (non-personal data) federal cybersecurity reporting obligations continues to grow. DHS is currently drafting regulations for how critical infrastructure-related entities must disclose when they suffer cyber incidents or make certain types of ransom payments. The Securities and Exchange Commission (SEC) is close to finalizing similar cybersecurity requirements for publicly traded companies. These DHS and SEC cybersecurity reporting obligations are not solely contingent on personal data being compromised during the cybersecurity event and could impose federal reporting obligations even in scenarios when no personal data is compromised whatsoever.  

In some instances, organizations may feel compelled to voluntarily notify federal authorities of data security incidents in order to be good corporate citizens, notwithstanding the absence of any formal regulatory requirement to report the event. Of course, the federal government has been encouraging this type of voluntary reporting for several years.

Unlike personal data breach notification laws where the intent is to provide notice to individuals who can undertake measures to protect themselves, these federal cybersecurity incident response requirements (i.e., CFATS, MTSA, C-TPAT) are primarily intended to enable federal authorities to gather intelligence about the cyber threats arising from foreign adversaries and other malicious actors. The more information federal authorities are able to ascertain from cybersecurity incidents, the better they will understand cyberattack tactics, techniques, and procedures, and information technology vulnerabilities. The government hopes to use this information to enhance its cybersecurity strategies, policies, and operations. It can also share cybersecurity threat intelligence with the private sector and state and local authorities so they, in turn, can implement security controls to mitigate their own risk profile.  

However, reporting a cybersecurity incident to federal authorities may require a considerable amount of time and expense. For instance, organizations often retain outside counsel to submit their initial cybersecurity incident reports to federal agencies in an attempt to maintain attorney-client privilege over the information contained in the report (notwithstanding the third-party disclosure). Thereafter, these organizations may receive several follow-up questions, audit requests, and similar inquiries related to the incident from the federal agency that has oversight over their business sector or from federal law enforcement authorities, which may necessitate spending additional resources on assistance from digital forensic and incident response consultants and legal counsel. They may need to retain large amounts of records and data about the incident to comply with retention schedules, regulatory requirements, and legal holds, and such retention can be costly when using third-party data storage solutions. In some instances, these organizations may have to spend time and resources undergoing certain federally mandated training programs to ensure they have the proper clearance to even access sensitive data related to the incident or the cybersecurity incident reporting platform itself, such as the Defense Industrial Base Cybersecurity Portal.

In turn, organizations should assess whether they are subject to federal cybersecurity reporting requirements and, if so, whether they have the proper insurance coverage to address all the expenses that may arise after such an event (and not just coverage for Privacy Event Expenses). This may require organizations to re-assess their current insurance coverage and work directly with their counsel, brokers, or carriers to address any potential coverage gaps. This is especially important as the federal government continues to expand (non-personal data) cybersecurity incident reporting obligations across business sectors.

Meet the Authors

John Butler
Director Cyber/Errors & Omissions Industry Leader
CNA

John's current role at CNA leads and directs an underwriting group and is accountable for business results through overall management, profitability, and business development of CNA's Cyber and E&O market segments.

John has worked in the insurance industry for 20 years in various underwriting and leadership roles. As the globe pushes more autonomous technology into the infrastructure of our society and work product, John's development and growth have led him to collaborate on past initiatives regarding emerging technology and its impact on the insurance marketplace.

John has received two insurance designations, RPLU+ and CPLP, from the Professional Liability Underwriting Society. He earned a bachelor's degree from Illinois State University and a Master of Business Administration from Keller Graduate School of Management.

John is involved with the Professional Liability Underwriting Society as a Cyber Trend Advisor and sits on the CPLP committee, which is responsible for on-demand learning products in the CPLP designation program and future content for PLUS members.
 
Steve Stransky
Partner
Thompson Hine LLP

Steven G. Stransky is a partner at Thompson Hine LLP and the Co-Chair of its Privacy and Cybersecurity practice group. He primarily assists clients in complying with data protection laws and regulations and in responding to ransomware attacks, business email compromises, and other cybersecurity events. Prior to joining Thompson Hine, Mr. Stransky served for over ten years in the federal government, including as a Deputy Legal Adviser to the President's National Security Council and as an Attorney (Intelligence Law) at the U.S. Department of Homeland Security.

Thora Knight
Attorney
Thompson Hine LLP

Thora Knight is an attorney in the Privacy and Cybersecurity practice group at Thompson Hine LLP and has strong practical and academic experience in the areas of information security, privacy, emerging technologies, and intellectual property. Thora regularly assists clients in responding to a variety of cybersecurity events, including ransomware, phishing, and man-in-the-middle attacks.

News Type: PLUS Blog
Business Line: Cyber Liability
Topic: Professional Liability (PL) Insurance