The Law on Insurance and Information Technology
Disputes and discussions regarding the liability of the network security provider have been active for several years now. The precedents being set by American and European practices receive the most attention. This refers to cases in which, in the settlement of losses, the courts sided with the insurance company, causing much discontent among clients who hoped to be reimbursed for their losses. However, it is too early to talk about such precedents being established in the Russian legal framework.
Cyber insurance is still a new field in Russia and in all countries of Eastern Europe. Newly-introduced local cyber security legislation remains lacking in several key areas. This is one of the main obstacles standing in the way of active involvement of world leading providers in this type of insurance in Russia. The main arbiters of insurance cases remain the existing legal framework and current judicial practice.
The Law on Insurance of the Russian Federation stipulates that an insured event is an event provided for by an insurance contract or law, and upon the occurrence of such event, the insurer is obliged to make a payment to the company, to the beneficiary, or to any other third parties that acquired the insurance policy.[1]
The key indicator used to determine the scope of liability is the terms of contract between the parties involved. That is also what determined the scope of liability of a network security provider.
It is worth noting that there are two types of cyber liability insurance, namely the first-party and third-party insurance. However, some insurance companies offer policies that combine both types of insurance.
The key characteristics of first-party liability insurance are the notification about security breaches and insurance coverage of retaliation measures.
These include losses incurred as a result of:
- breaches of confidentiality or security or harmful media reporting.[2]
- notification the injured party or notification on behalf of the party for which the policy holder is liable
- court costs
- credit monitoring costs
- IT expertise costs
- costs of setting up a call center
- advertising and mail costs
Insurance coverage may also include the costs of hiring a PR advisor to prevent reputational damage to the company.
Third-Party Cyber Liability Policy
One of the most important third-party coverages has to do with liability for the maintenance of safety and privacy. It includes responsibility for the protection of third-party claimants invoking liability for damages that results from:
- violations of security or personal privacy, including failure to protect confidential information.[3]
- unauthorized access to a computer system with personal information and personal data (in accordance with International and European standards, such as the PCI DSS (Payment Card Industry Data Security Standard) or the popular GDPR (General Data Protection Regulation)).
- failure to protect online or offline information.
- failure to prevent a DDoS attack or transmission of malicious code capable of infecting a third-party computer system
- failure to prevent intellectual property rights violations [4]
The network security provider has to determine whether the insurance policy covers contractual liability for damages resulting from certain abusive practices, such as misuse of multimedia, security or privacy breaches, by issuing a written release of the liability agreement or indemnity agreement. Such coverage will facilitate insurance indemnity of the insurance commitment under the third-party service contract, and provide coverage for direct liability for the third party.
It should be noted that sometimes network security policies exclude any coverage for contractual liability, release of liability agreements or indemnity agreements.
Among the most notable problems in this area is the insurance coverage of exceptions related to the inability of the insured party to maintain the security of his/her network or computer system in accordance with industry standards or rules, as well as the lack of insurance coverage for unencrypted mobile devices. In fact, such exceptions stand in the way of cyber insurance standardization.
In accordance with abusive practices included in the scope of coverage, some policies also include coverage of losses resulting from inadvertent violation of contract terms, relating to technology services provided for a charge. For example:
- if the services provided do not meet the earlier stipulated requirements or standards
- if the services were provided carelessly or using faulty material
- lack of compliance with legal and regulatory requirements or other applicable standards
- no warranty or declaration has been provided as to whether these services do not violate the intellectual property rights [5] of other parties
- if the services have resulted in a breach of an exclusivity or confidentiality agreement
Getting back to the subject of the indemnity agreement, it is worth noting that such an agreement is not classified as an insurance. An insurance is a separate agreement that is not regulated by other contracts. The indemnity agreement and the insurance policy fulfill separate and independent functions. In other words, the insurance underwriter has no liability under the contract concluded between the other client and his client, unless the indemnified party is defined and added to the insurance policy as another insured party.
However, even if the customer’s civil liability under the contract has been accepted by his network security provider, the insurer will not pay the invoices for an information security breach without conducting a preliminary investigation of the insured party’s liability for the incident and without verifying these expenses are justified.
Given the above-mentioned facts, we would like to provide you with our recommendations in order to protect your rights and interests as much as possible:
Adhere to the provisions of subsection 2 (General provisions on the contract) of Part One of the Civil Code of the Russian Federation [6] and Chapter 48 of Part Two of the Civil Code of the Russian Federation [7]
When concluding a contract, it is important to clarify the most important points related to its conclusion, signing and execution. Anticipate all the main issues of forthcoming cooperation.
The contract draft should be developed independently rather than by the counterparty in question. When drafting the terms of the contract, it is best to involve lawyers and other experts in the relevant fields.
Research your counterparty. Make sure that the organization you are going to cooperate with exists and operates legally. To do this, you should examine its founding documents and the Certificate of Incorporation.[8] We advise you to conduct basic research on the founders, check whether revenue has been generated and how much, where the office (not just the legal address) is located, which bank has this organization as a client, its overall financial situation and reputation.
When negotiating and signing the contract, make sure that the counterparty’s representative has the legal right and authority to sign the document (there is a tendency among some counterparties unwilling to comply with their contractual obligations and responsibilities to declare that the signatory was not authorized to sign the contract).
The organization’s Director normally acts as a counterparty’s representative. So please read the appointment order and/or any other protocols on who the founding parties are. If the representative acts under the power of attorney[9], pay close attention to the scope of the granted power and whether the power of attorney has all the necessary attributes, namely the signature of the grantor, seal, date, period of validity.
In a legally-binding contract, every word matters. When establishing the terms of the contract, there should be no ambiguity or vague phrases. It is important to keep in mind that in an event of a dispute over contractual terms and conditions, the counterparty will attempt to interpret any such ambiguous wording in the contract to their benefit. Moreover, your counterparty may intentionally include ambiguous statements and provisions in the contract that can be against your best interests.
When laying out conditions for exemption from liability – the so-called “force majeure clauses” – a number of potential scenarios should be considered, which may result in a reduction or increase in the property liability of the contractual party.
Pay close attention to liability issues related to copyright and intellectual property rights[10], as well as confidential and personal information (data). In case you are responsible for such violations under the terms of the contract, your liability will go beyond the scope of the contract, in accordance with the legislation of the Russian Federation and International and European standards.
Before signing the contract, we strongly recommend that you consult a qualified and independent professional in the relevant field (lawyer).
[1] Law of the Russian Federation dated November 27, 1992 No. 4015-1 (ed. on November 28, 2018) “On the organization of insurance business in the Russian Federation [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_1307/9446fe3d61daf193e7cc8c8f4ab465fe482a1563/]
[2] The Criminal Code of the Russian Federation dated June 13, 1996 No. 63-FZ [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_10699/] Administrative Offences Code of the Russian Federation dated December 30, 2001 No. 195-FZ [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_34661/]
[3] The Criminal Code of the Russian Federation dated June 13, 1996 No. 63-FZ [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_10699/]
Administrative Offences Code of the Russian Federation dated December 30, 2001 No. 195-FZ [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_34661/]
[4] Civil Code of the Russian Federation (part four) dated November 30, 1994 No. 51-FZ [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_64629/]
[5] Civil Code of the Russian Federation (part four) dated November 30, 1994 No. 51-FZ [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_64629/]
[6] Civil Code of the Russian Federation (part one) dated November 30, 1994 No. 51-FZ [Electronic access mode: http://www.consultant.ru/cons/cgi/online.cgi?req=doc&base=LAW&n=329339&fld=134&dst=101982,0&rnd=0.08242746869322914#08366781539396457]
[7]Civil Code of the Russian Federation (part one) dated November 30, 1994 No. 51-FZ [Electronic access mode: http://www.consultant.ru/cons/cgi/online.cgi?req=doc&ts=2111450823040580104791709704&cacheid=817F09744A128EBE22368D4C613C3422&mode=splus&base=LAW&n=300853&dst=101979&rnd=46D9EFA5026832744A27AF950E65A0A7#2560r0j7qw8]
[8] Civil Code of the Russian Federation (part one) dated November 30, 1994 No. 51-FZ [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_5142/f11a61a64fa641d0caa90223bed69aeaf7240cbc/]
[9] Civil Code of the Russian Federation (part one) dated November 30, 1994 No. 51-FZ [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_5142/deb1e7bbc3371002688161fcfd76eafcd9c94c99/]
[10] Civil Code of the Russian Federation (part four) dated November 30, 1994 No. 51-FZ [Electronic access mode: http://www.consultant.ru/document/cons_doc_LAW_64629/]