The Texas ISO Commercial Cyber Insurance Policy (CY 00 01 01 18) covers six risks. The first is for a “security breach,” which occurs when:
Key to both definitions is the word, “authorize,” which means, “to grant authority,” or, “to give official permission for or approval to.” The policy’s definition uses the past tense (-ed) meaning permission was granted before the triggering event.
To illustrate this concept, I’ll use two fictional characters: John Smith and Main Street Bank or “MSB.” As part of a standard loan application, Mr. Smith granted MSB the right to perform a credit check. In doing so, Mr. Smith signs a document allowing MSB to use Mr. Smith’s social security number. The bank performs the check but keeps Mr. Smith’s number on electronic file.
Two years later, the bank is hacked by a third party. The hack is performed from foreign soil where MBS has no employees nor any subcontractor relationship. This clearly triggers coverage number one.
Two years later, the loan officer who performed the due diligence for the loan has his laptop stolen. Mr. Smith’s social security number is still on the computer. The person who stole the laptop successfully hacks the computer and sells Mr. Smith’s data. This triggers coverage number two.
Security Breach coverage specifically applies to “personal information,” which has two factors
Available means, “able to be obtained,” or something which is, “at hand.” “Not” is “used to express negation,” which means the information isn’t easily obtained. Public is “open knowledge to all,” while general means, “whole or every member of a category.” A "reason" is a “justification” while “any” means, “one or some regardless of kind or quantity.” Combining all these definitions, we get information that any person not personally close to the insured would have any knowledge of regardless of the justification they offered. Here, a good argument can be made that the public would include all people not specifically authorized to have the data.
The key word in the next sentence is, “identified” which means, “the collective aspects of the set of characteristics by which an individual is recognizable.” The policy then specifically names certain common identifying data such as a driver’s license numbers, social security numbers, HIPPA protected information, financial account numbers, and the like. The point is that there is key data which can be used to specifically identify an individual.
Loss specifically includes the cost of forensics to “establish whether a “security breach” has occurred or is occurring, the cost to notify parties “affected by the security breach,” overtime salaries paid to employees “to handle inquiries from the parties affected,” costs to run a call center to handle inquiries, post-event monitoring, and “any other reasonable expense, incurred by the insured with the written consent of the insurer.
 The American Heritage Dictionary, Second College Edition, © 1985, pg. 142
 The Concise Oxford English Dictionary, © 2004, pg. 88
 Oxford, pg. 90
 American Heritage, pg. 144
 American Heritage, pg. 849
 Oxford at 1160
 American Heritage, pg. 552
 Oxford, pg. 1198
 American Heritage, pg. 117
 American Heritage, pg. 639
Link From Our Previous Blog
The Law Office of Hale Stewart
734A E. 29th Street
Houston, Texas 77009