The US has experienced a number of high-profile “cyberthreat” or privacy breach cases, including lawsuits brought against Sony and LinkedIn. Testifying before Congress, FBI Director Robert Mueller said cyberthreats will soon surpass terrorism as the country’s biggest threat. It is already a costly one: the average cost of a data breach in 2010 was $7.2 million. There is the perception that such cases simply do not happen in Canada. Most companies do not view privacy breaches or cyberthreats as a major risk because litigation has been muted thus far. These companies do not have comprehensive coverage against such risks, leaving them very much exposed.
The truth is privacy breaches are becoming commonplace in Canada; recently, Calgary-based Telvant was a target of a cyber-attack. The IT company has a hand in managing 60 percent of all gas and oil pipelines in North America and Latin America. Such attacks, says Travis Davies of the Canadian Association of Petroleum Producers, are “the new normal.” The big exposures are for small and medium enterprises, which do not have the resources or processes in place to handle a policy breach. These breaches could be covered by other, general insurance policies, but typically, they are not.
In the US, for instance, Sony attempted to claim coverage under its Commercial General Liability policies with Zurich Insurance Group. Zurich refused, claiming its policies only covered “bodily injury” or “property damage” caused by occurrences other than the type cyber-breaches Sony experienced. Companies that think they have specialized coverage under their general policies likely do not. If they do have some sort of coverage in place, they do not have the specialized breach response program that is necessary. Sony found this out only after a catastrophic breach had occurred.
- Crisis Management Plan
- A call centre for concerned and affected parties
- Credit monitoring in place that can begin to work immediately
- Lawyers to respond to class actions, if necessary
A lawyer or someone with specified knowledge of wording and language concerning privacy breaches is charged with sending notifications to affected parties, if needed.
A crisis management plan is implemented which includes:
Privacy insurance has not gained real traction in Canada, again, because we have not seen those multimillion-dollar awards yet. Yet is the key, though, because as breaches become the “new normal,” litigation will catch up. High-profile lawsuits involving Honda Canada, Eastern Health, Sony, and other companies are ongoing and are pushing Canada toward litigation of the magnitude seen in the US. Many companies will be unprepared for the challenges they will face in responding to these events. This is an emerging market for insurers, and one that has incredible potential.