How To T-Mobile Insurance Data Breach Win
T-Mobile Insurance Data
T-Mobile Data Breach Victory Clears the Way for Cyber Insurance Disputes in January 2023 In Washington state court, US Inc. won the right to use money from a third-party data breach settlement to pay for cyber insurance deductibles.
All About
A Washington appeals court ruled Nov. 28 that the telecom company paid a $10 million cyber policy deductible with payments from a 2015 data breach vendor.
Zurich’s claim that a policyholder can’t use a third-party payment as a deductible was rejected, and the insurer must cover the T-breach-related Mobile’s costs.
Insurance brokers and lawyers think that the decision will give businesses more power in their insurance negotiations at a time when most cyber attacks come from third-party vendors and deductibles are high.
They say that policyholders are becoming more aggressive as cyberattacks target the weaknesses of third parties and deductibles go up.
The courts haven’t helped companies with data breach insurance claims. Most cyber coverage rulings relate to liability or property insurance. Daniel Healy, an Anderson Kill partner, said the T-Mobile judgment will be useful for future cyber insurance battles.
Healy said more policyholders are prepared to sue their providers for cyberattacks. The T-Mobile verdict allows policyholders to counter an insurer’s position that they can’t get full coverage if they get third-party recovery.
According to the Risk Management Society, more than 60% of data breaches can be linked to third parties.
“The T-Mobile verdict gives policyholders some reassurance and peace of mind,” said Andrea DeField, a partner at Hunton Andrews Kurth. She said it pushes them to use recoveries to pay cyber deductibles.
Cyberattacks target vendors’ security shortcomings, says Honigman LLP lawyer Emily Garrison. Businesses have indemnity agreements with third parties on service contracts, she added.
High Cyber Deductible
Mobile’s $15 million in data breach coverage includes a $10 million deductible. After a leak in 2015 exposed the credit information of millions of T-Mobile users, the company had to pay $17.3 million to settle class-action lawsuits and answer questions from the government.
Experian gave T-Mobile a settlement of $10.75 million, but its insurance company refused to pay the rest of the costs. Zurich claimed that T-losses, including those of Mobile and Experian, were less than $7 million, which was less than the $10 million deductible.
The Washington court of appeals decided that Experian’s payment covered the deductible, so Zurich must pay $7.3 million.
Many companies’ cyber insurance plans have the same deductible threshold as T-Mobile’s, and DeField said that many of them are too expensive.
In response to rising hacks and losses, cyber insurers have boosted rates and deductibles, she said.
“Companies with $10 million deductibles now have $1 million or less until 2020, and those with $250,000 deductibles pay at least $1 million immediately,” says insurance negotiator DeField.
DeField’s team has seen cyber deductibles as high as $25 million for international firms.
With larger cyber deductibles at stake, there will be more conflicts over what a corporation can use to pay, said Louisa Weix, a partner at TittmanWeix who represents insurers in coverage disputes.
Cyber insurers who wrote policies with a similar deductible requirement as T-Mobile’s want to change conditions to restrict third-party recovery, she said.
T-Mobile said Allianz SE, The Travelers Companies, Fairfax Financial’s Hudson Insurance, and Lloyd’s of London policies ban third-party recovery as deductibles. Weix said Zurich’s policies didn’t.
Read: What Does Renters Insurance Cover And Not Cover? 2022
Third-Party Risks
Evan Bundschuh, vice president of GB&A Insurance, said it’s “very typical” for a third-party attack to spread to another organization’s network.
He said that, for instance, hackers got into the software company’s system and sent a fake update to 1,500 Kaseya users.
In 2020, criminals hacked SolarWinds’ network and delivered a bogus update to software users. Thousands of government, private, and US Treasury networks were down for hours.
The situation affects other organizations. Toyota stopped car production in February after a supplier’s data leak.
Connecticut, New York, and Colorado school districts sued Illuminate Education, which makes software to track students’ progress, after a cyberattack put the records of 800,000 students in New York alone at risk.
“More and more claims have the same fact pattern and scenario:
“The vendor, whether it’s a cloud service provider or someone you outsource payroll or customer services to, gets breached, and policyholder firms are responsible,” said DeField.
She suggested T-Mobile may have the greatest cybersecurity controls.
“The vendor could be your weakest link,” DeField added.
