Earlier this week, HBO announced that it had suffered a "cyber incident" which meant a compromise of "proprietary information" that reportedly includes upcoming episodes and scripts from popular HBO tests such as Game of Thrones. The HBO violation is the latest in a growing list of cyber security issues facing the Hollywood studios this year. In an e-mail to HBO employees, CEO Richard Plepler called the cyber attack "disturbing, disturbing and disturbing".
We have previously outlined the importance of a robust coverage for cyber events on this blog. Given that the HBO data breach was just revealed, it is unclear whether any third party claims can arise due to the alleged theft of programming data. But HBO's data breach raises questions about the extent of potential coverage for many first-party losses, such as lost revenue and intrinsic value of stolen IP.
Generally speaking, cyber policy focuses primarily on investigation and response to infringements that result in the disclosure of personally identifiable, non-public information. Many stand-alone cyber policies cover coverage for losses that often occur in these situations, such as the costs of depreciation of privacy, extortion or redemption costs and other "crisis management" costs (such as forensic investigators and PR consultants). Thus, policyholders who are facing cyber theft of proprietary information such as the current information in the HBO infringement may be subject to the Cyber Policy for significant cost of investigating and responding to the infringement.
However, most cyber policies do not provide coverage for indirect or "soft" costs arising from a data breach, including loss of future business, customer goodwill, or depreciated IP anything that may be involved in HBO's software theft depending on the species and the extent of the stolen data. The inability to assure reputation and other property losses in connection with cyber policy following a breach of information allows for significant coverage deficiencies.
However, many of these losses can be covered by traditional commercial crime or even commercial property rights. As stated in previous posts (here and here), the comprehensive "cyber" programs must include both adequate protection for Internet protection and appropriate third-party criminal and property protection. While insurers have begun to offer new products that provide a clearer and broader coverage for cybersecurity, the HBO infringement underlines the importance of maintaining a robust internet insurance program that includes both cyber and "inheritance" protection.
We may not have seen the last of the HBO infringement, because the hacker claimed they had received the information, claiming that more would "come soon". In spite of the increase in highly publicized data breaches, policyholders should not focus solely on "cyber" coverage under the false assumption that it includes all possible losses that result from a data breach. Internet computing should rather be evaluated as just part of a company's overall risk program, which should include other types of cover that can fill potential gaps in cyber policy. In a new interview, the head of our insurance practice and recovery exercise discusses Walter Andrew's several ways that companies can maximize their recovery after a cyber attack. Consultation with an experienced advisor to perform a cyber policy analysis can help identify and mitigate cyber risks.
News sources :
NBC News, July 31