High-profile hacks: Talk Talk
High-profile hacks are regularly in the press, but the Talk Talk hack gives an insight into many of the legal issues in this complex area.
When the Talk Talk hack news story broke on 23 October 2015, it seemed that this “significant and sustained” attack might have affected all of its four million customers. It was feared that highly sensitive information, including dates of birth, credit card and bank details, had been stolen. As the story unfolded, there was talk of it being part of a terrorist attack by Russian-based Islamic jihadists, and of ransom notes having been sent.
When the first arrest took place, that of a 15 year old boy, the story took a different turn. Reports then suggested that the method of hacking (it seems a flaw in Talk Talk’s website) was perhaps not the most sophisticated possible. It also emerged that it was the third time that year that Talk Talk had been targeted by hackers, and that some of the information taken had been stored unencrypted. Rumours spread in the insurance market as to what insurance cover Talk Talk had or did not have, and whether it was pure cyber cover or an extension to a professional indemnity policy.
It then became clear that the hack was not as serious as first feared, Dido Harding, the CEO of Talk Talk, announcing that it was “much smaller than we originally suspected”.
Even so, the losses remain enormous. The total number of customers affected is said to be about 157,000, including over 15,500 whose bank account numbers and sort codes were taken. Talk Talk’s share price fell by around 30% in the immediate aftermath of the incident and has not fully recovered. Reports have suggested that the cost to the company could run to between £30m and £35m in incident response, forensic and IT costs. Other costs have included a free upgrade for all customers. And it appears that this figure does not include loss of business.
Cyber policies and coverage issues
What makes Talk Talk particularly interesting from an insurance lawyer’s perspective is not so much the fact that there has been yet another high profile hack, but the legal issues that have emerged as the story has unfolded. Even the rumours have raised interesting coverage questions.
Cyber insurance is relatively new as a product to the London insurance market and while an increasing body of experience is now building up, there remains an enormous variety in the different wordings and coverage available.
We are frequently seeing cyber bolt-ons to professional indemnity or other general liability policies. In many instances these offer quite limited cover, so policyholders whose business involves storing valuable and sensitive customer information may need to scrutinise what coverage is offered and, if necessary, consider pure cyber insurance in some form. In particular, the cyber extensions in PI policies that I have seen often do not cover first party risks, which would generally be covered under a pure cyber policy. First party losses may include business interruption, data recovery and crisis management costs, including PR costs and customer notification expenses. Some pure cyber policies cover business interruption, others do not.
The early rumour that terrorists were behind the hack and that ransom notes had been sent raises other interesting issues. Some pure cyber policies cover data extortion; some policies exclude terrorism. Kidnap and Ransom insurance may also come into play, and there could be dual insurance questions.
Another issue that the Talk Talk hack, or at least the press stories about it, brings into sharp focus is cyber security. Ensuring that policyholders have installed appropriate security systems and that these systems are regularly updated is absolutely essential to underwriting cyber risk, and any underwriter would want to know what measures are in place, just as a property insurer would want to know about window and door locks or a burglar alarm. The Talk Talk reports themselves point to the kind of questions that matter: whether known flaws in customer-facing websites are fixed, whether stored customer data is encrypted, and how earlier incidents were dealt with. Cyber policy wordings currently achieve this by a variety of methods, from basis of contract clauses and warranties to conditions precedent and exclusions. Whatever method is chosen, it is important that it should have teeth, not only so that insurers can assess the risk properly before taking it on but also to ensure compliance by the policyholder.
Effects of the Insurance Act 2015
This will change when the Insurance Act 2015 comes into force in August 2016. Basis of contract clauses are automatically outlawed, so will not be an option. The power of warranties has also been diluted. In particular, insurers cannot rely on a breach of a warranty that is not material to the loss; so, for example, if there is a warranty to install window locks and a loss is caused by fire, insurers cannot rely on the breach of warranty. Section 11 of the Act provides that if a term (note: not just a warranty; it could include a condition precedent, for example) is designed to reduce the risk of loss of a particular kind, at a particular location, or at a particular time, the insurer cannot rely on non-compliance if it could not have increased the risk of the loss which actually occurred in the circumstances in which it occurred. So, for example, if the policyholder breaches a warranty to install particular software which would have prevented a hack by method A, but the hackers got in by method B, insurers would probably not be allowed to rely on the breach.
There is an important carve out to Section 11 for terms which “define the risk as a whole”. In the BILA mock trial on the Insurance Act, held this summer before Lord Mance, the scenario we took was a warranty requiring monthly searches of the IT system in circumstances where, even had such searches taken place, it is unlikely that the virus would have been revealed. Counsel for insurers argued that the warranty “defined the risk as a whole”, but Lord Mance did not accept the argument. This was only a mock trial, and Lord Mance stressed that his “judgment” should not be regarded as binding, or even as guidance, in any way.
The question remains open and, in my view, security goes so much to the root of underwriting this risk that cyber insurers may well want to take this argument in a real case. This is also an area where insurers may want to contract out of the Insurance Act.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.