In late December, a lawsuit opened a new realm of potential liability exposures for IT businesses that provide cybersecurity services. According to Ars Technica, Affinity Gaming, which runs casinos, sued security service provider Trustwave, alleging that the latter failed to properly investigate a data breach and prevent security holes from causing ongoing damage.
On one level, the lawsuit is a fairly standard Errors & Omissions case: Affinity is apparently suing because it believes Trustwave did a subpar job investigating a security breach. In fact, the lawsuit goes so far as to suggest that Trustwave failed to eliminate threats from Affinity’s system after claiming it had done just that.
What’s notable is that this case is one of the first of its kind. In other words, the lawsuit is opening up new potential avenues for errors and omissions lawsuits against technology professionals who provide cybersecurity services.
3 Steps to Avoiding Cybersecurity E&O Lawsuits
So how can you avoid finding yourself on the wrong side of an E&O lawsuit over cybersecurity services? These three steps will help keep your business safe.
- Review your Errors & Omissions Insurance policy to see whether third-party cyber liability is covered. Most of the E&O policies TechInsurance writes for technology professionals include this coverage, but it’s not universal. (Visit our blog for a breakdown of first-party vs. third-party cyber risks.)
  - If you don’t have this coverage and are currently providing cybersecurity services or advice, consider contacting your agent about adding it.
  - If you do have it, check to see if there are any sub-limits associated with that particular coverage. Again, your agent can help you determine whether these limits are appropriate for the kind of work you’re doing.
  - If you decide to add third-party cyber coverage to an existing E&O policy, ask your agent about including a retroactive date of inception (often called a “retro date”). This will allow you to extend coverage to the time you started offering your security services.
- Verify the language in your client contracts. It’s important to work with legal counsel to nail down the language you use for client contracts to ensure that you’ve appropriately limited the scope of your services. Adding this limitation may not prevent a lawsuit, but it can strengthen your case if you’re ever sued. In addition, consider implementing a policy for getting client signoff on all changes to a project in progress. The good news is that 71 percent of TechInsurance applicants already do this. If you’re among the 29 percent who don’t, now is a great time to start. (Need some starter contract language? Check out our free sample contract templates.)
- Update your client conflict resolution policy. This is a simple, inexpensive way to prevent small misunderstandings from turning into expensive lawsuits, but only 47 percent of our applicants currently have a written policy in place. Remember: lawsuits often happen when people feel as if they can’t get attention any other way. Having a policy in place for addressing issues as soon as they arise can save time, money, and aggravation.
What Happens If You’re Sued for Cybersecurity?
If, despite your best efforts at prevention, you end up facing a client lawsuit like the one currently pending against Trustwave, there is some good news: your Errors & Omissions Insurance may very well cover the costs associated with defending your business. The key to having coverage when you need it is to work with your agent to verify that he or she understands the services you provide and finds a policy that covers the associated risks.