What's in the Texas Cyber Liability Policy? Security Breach Coverage

The Texas ISO Commercial Cyber Insurance Policy (CY 00 01 01 18) covers six risks.  The first is for a “security breach,” which occurs when:

• a person not authorized to have access to such information acquires “personal information,” or
• a person authorized to have access discloses the “personal information” without authorization.  

​Key to both definitions is the word, “authorize,” which means, “to grant authority,”[1] or, “to give official permission for or approval to.”[2]  The policy’s definition uses the past tense (-ed) meaning permission was granted before the triggering event. 

To illustrate this concept, I’ll use two fictional characters: John Smith and Main Street Bank or “MSB.”  As part of a standard loan application, Mr. Smith granted MSB the right to perform a credit check.  In doing so, Mr. Smith signs a document allowing MSB to use Mr. Smith’s social security number.  The bank performs the check but keeps Mr. Smith’s number on electronic file.

Two years later, the bank is hacked by a third party.  The hack is performed from foreign soil where MBS has no employees nor any subcontractor relationship.  This clearly triggers coverage number one.

Two years later, the loan officer who performed the due diligence for the loan has his laptop stolen.  Mr. Smith’s social security number is still on the computer.  The person who stole the laptop successfully hacks the computer and sells Mr. Smith’s data.  This triggers coverage number two.       
Security Breach coverage specifically applies to “personal information,” which has two factors

• “Any information not available to the general public for any reason,”
• “through which and individual may be identified.”

Available means, “able to be obtained,”[3] or something which is, “at hand.”[4]  “Not” is “used to express negation,”[5] which means the information isn’t easily obtained.  Public is “open knowledge to all,”[6] while general means, “whole or every member of a category.”[7]  A "reason" is a “justification”[8] while “any” means, “one or some regardless of kind or quantity.”[9]  Combining all these definitions, we get information that any person not personally close to the insured would have any knowledge of regardless of the justification they offered.  Here, a good argument can be made that the public would include all people not specifically authorized to have the data.

The key word in the next sentence is, “identified” which means, “the collective aspects of the set of characteristics by which an individual is recognizable.”[10]  The policy then specifically names certain common identifying data such as a driver’s license numbers, social security numbers, HIPPA protected information, financial account numbers, and the like.  The point is that there is key data which can be used to specifically identify an individual. 
   
Loss specifically includes the cost of forensics to “establish whether a “security breach” has occurred or is occurring, the cost to notify parties “affected by the security breach,” overtime salaries paid to employees “to handle inquiries from the parties affected,” costs to run a call center to handle inquiries, post-event monitoring, and “any other reasonable expense, incurred by the insured with the written consent of the insurer.
     


[1] The American Heritage Dictionary, Second College Edition, © 1985, pg. 142

[2] The Concise Oxford English Dictionary, © 2004, pg. 88

[3] Oxford, pg. 90

[4] American Heritage, pg. 144

[5] American Heritage, pg. 849

[6] Oxford at 1160

[7] American Heritage, pg. 552

[8] Oxford, pg. 1198

[9] American Heritage, pg. 117

[10] American Heritage, pg. 639