Just days after news broke that ISIS hackers forced the shutdown of the U.S. Central Command’s Twitter account, President Obama met with congressional leadership, members of the Federal Trade Commission and the Department of Homeland Security to unveil a proposal to facilitate increased cooperation between the private sector and government to combat growing cybersecurity threats. Citing concerns with preserving national security, public safety and public health, the President proposed new federal cybersecurity legislation, emphasizing that although our digital economy “creates enormous opportunities,” it also “creates enormous vulnerabilities for us as a nation” that are growing and costing us billions of dollars. In remarks on Tuesday at the National Cybersecurity Communications Integration Center, the President further acknowledged the serious legal and liability issues involved with private companies sharing information with the government, and argued that his proposed legislation “includes essential safeguards to ensure that [the] government protects privacy and civil liberties” and other liability protections for companies that share information on cyber threats.
President Obama’s remarks also reflect growing regulatory concerns about consumer protection and whether consumers are being promptly notified of breach incidents. The proposed federal legislation creates a national standard requiring companies to notify consumers of actual or potential breaches of their personal and financial data within 30 days.
Timely notice to cyberliability insurers providing coverage for first-party and third-party losses caused by or related to data breaches should also quickly follow any cyber event. Many data security and privacy risk policies offering coverage for third-party claims arising from a data security event require notice to the cyberliability insurer as soon as practicable or within a specified period of time after the claim is made. Likewise, certain first-party cyberliability coverages require notice of an event (and possibly submission of a proof of loss) within a specified period of time following an insured’s discovery of the data breach or loss. Identifying all potential sources of insurance coverage in advance of a breach, and understanding the insurance notice requirements if a breach occurs or a claim is made, are critical components of any data breach response plan.