Photo of Brian Himmel

Brian Himmel

Subscribe to Brian Himmel's Posts
Contact:Read more about Brian Himmel

One of the top issues facing business today is the risk of business interruption resulting from a cyber-related attack. Regardless of the form of attack – ransomware, denial of service, data theft, or other form of malware – any resulting failure of an organization’s network systems can have severe consequences, financial and otherwise. These may include loss of productivity, lack of or impaired access to websites, and, importantly, loss of sales or income.

Given the potential for significant losses, a strategy for calculating and minimizing losses, and maximizing insurance recoveries for damage from a business interruption should be part of every organization’s cyber incident response plan.  Because every business is unique, there is no “one size fits all” plan that will neatly apply to all businesses or to all business interruption claims. Nevertheless, certain best practices exist and can be applied and adapted to individual businesses to facilitate an efficient and effective response to a cyber-related business interruption.

1. Know your insurance coverage

The first step to maximizing recovery for business interruption is understanding the coverage provided under the applicable insurance policies. Many stand-alone cyber liability insurance policies provide coverage for lost net profits and mitigation costs, and may also cover continuing expenses, such as employee salaries, resulting from a cyber incident. However, there are also certain limitations to such coverage common in most cyber policy forms, even though they are far from standardized. For example, most business interruption coverage includes a waiting period of a certain number of hours before coverage begins. The length of that waiting period can be critical as losses attributable to the business interruption may continue to grow until the network system and level of service has been fully restored.  Insurers also may limit the “period of interruption,” the period of time for which the policy will pay for losses. Depending on the policy language, coverage may end before operations are fully restored.

It is important to understand these limitations when purchasing cyber insurance and to obtain the insurance that best fits the needs of your business. For this reason, we recommend involving insurance coverage counsel to assist in the insurance placement and renewal process.Continue Reading Responding to a cyber-related business interruption: best practices

Recently, the Commonwealth Court of Pennsylvania gave policyholders another victory in the continuing battle with insurers over application of the “multiple trigger” doctrine.  In Pennsylvania Manufacturers’ Association Insurance Co. v. Johnson Matthey, Inc., the Commonwealth Court held that the multiple-trigger approach – which expands the number of policies potentially available to provide coverage for long-tail

The October 21, 2016 DDoS attack on the internet’s domain name system infrastructure underscores the need to consider cyberliability insurance coverage as a critical component of your company’s security and privacy breach response plan, and if your company carries cyberliability insurance, to ensure that your coverage will respond to a network business interruption, security breach

In an encouraging development for insureds, the United States Court of Appeals for the Fourth Circuit held that a health care company’s general liability insurer was required to defend the company against claims stemming from an alleged failure to secure electronic medical records. In The Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C., No. 14-1944 (4th Cir. Apr. 11, 2016), the Fourth Circuit held that the breach resulted in a “publication” of medical records, thus falling within the scope of the general liability policy issued to Portal Healthcare Solutions, L.L.C. (“Portal”).  The decision reaffirms that insureds that experience adverse cyber events are not limited to cyber-specific policies as the source of potential insurance coverage.

Portal’s insurer, The Travelers Indemnity Company of America (“Travelers”), commenced litigation in the United States District Court for the Eastern District of Virginia, seeking a determination that it was not required to defend Portal against a putative class action alleging that Portal negligently failed to secure a server hosting medical records, which resulted in those records becoming available on the Internet. Ruling on cross-motions for summary judgment, the District Court sided with Portal, reasoning that the allegations “at least potentially or arguably” alleged a “publication” of private medical information that either (a) gave “unreasonable publicity” to the patient’s private life, or (b) “disclose[d] information” about the patient’s private life.  Either circumstance triggered a coverage obligation under the Travelers policies.Continue Reading Court Upholds Coverage Under General Liability Policy for Claim Alleging Failure to Protect Data

One year ago today, the Pennsylvania Supreme Court issued the first two of four important insurance-coverage law opinions that it would hand down in 2014 and 2015. Those four decisions – which address a number of topics including insurer bad faith, trigger of coverage, policy exclusions, and settlements and reservations of rights – significantly impacted the legal landscape in the commonwealth.

While much has already been written about the specific holding in each of those cases, policyholders can still learn more from each of the decisions. Now – 365 days later – is a good time to reflect on those lessons:Continue Reading 365 Days Later: Lessons Learned from the Pennsylvania Supreme Court

Last week, the United States Court of Appeals for the Third Circuit issued a ruling that may make it more difficult for Pennsylvania policyholders to obtain coverage for the misappropriation of advertising ideas under standard commercial general liability policies. In The Hanover Insurance Company v. Urban Outfitters, Inc., No. 14-3705 (Oct. 23, 2015), the Third

Businesses in the dietary supplement supply chain are taking cover after the New York Attorney General (NYAG) ordered four major retailers to cease and desist the sale and alleged mislabeling of certain herbal supplements. After genetically testing store-brand product samples of Ginko Biloba, St. John’s Wort, Ginseng, Garlic, Echinacea, and Saw Palmetto, the NYAG alleged that the supplements were unrecognizable or contained substances other than those disclosed on their packaging labels. Class action lawsuits already have been filed, and the NYAG directed the targeted retailers to provide it with detailed information regarding the manufacturing, testing, and procurement of the herbal supplements, and announced that it may bring charges for alleged deceptive practices in advertising.
Continue Reading Pursuing Insurance Coverage for Alleged Mislabeling of Dietary and Herbal Supplement Products

On December 19, the U.S. Centers for Disease Control and Prevention (CDC) recommended that U.S. consumers not eat any commercially produced, prepackaged caramel apples and that retailers not sell or serve them as they continue to investigate an outbreak of listeria monocytogenes which has infected at least 28 people from 10 states. The CDC has yet to identify the producer of the contaminated apples. Accordingly, the number of market players in the supply chain who will be affected by this recommendation – from farms through supermarkets – remains unknown.
Continue Reading Another Listeria Outbreak Reminds Food Industry to Revisit Insurance Program

A recent study reports that the median amount of time between a breach of a company’s computer network and the discovery of the incident is 229 days. But some cyberliability policy forms require that both the breach event and discovery of loss (or resulting claim) occur during the policy period. So what happens when a breach is discovered three months into the policy period but, unbeknownst at the time, the intrusion actually occurred six months before, or even earlier? If your company’s cyberliability insurance policy excludes breach events occurring before the inception of the policy period, the company could find itself without coverage for an otherwise-covered claim or loss.
Continue Reading Hackers Don’t Care About Your Insurance

The evolving market for cyberliability insurance coverage reveals significant differences in the scope of coverage afforded under available policies. A coverage gap that may exist under some policies is for insider cyber attacks. While external attacks receive substantial news coverage, a recent study finds that businesses may be far less equipped to stave off attacks involving insiders: employees, vendors, suppliers and others who may have authorized access to critical or sensitive data.
Continue Reading Beware Of Gaps In Your Cyber Risk Policy – Are You Covered In the Event of an Insider Attack or Data Breach?