Beazley Breach Response Policy

THIS POLICY’S LIABILITY INSURING AGREEMENTS PROVIDE COVERAGE ON A CLAIMS MADE AND REPORTED BASIS AND APPLY ONLY TO CLAIMS FIRST MADE AGAINST THE INSURED DURING THE POLICY PERIOD OR THE OPTIONAL EXTENSION PERIOD (IF APPLICABLE) AND REPORTED TO THE UNDERWRITERS IN ACCORDANCE WITH THE TERMS OF THIS POLICY. AMOUNTS INCURRED AS CLAIMS EXPENSES UNDER THIS POLICY WILL REDUCE AND MAY EXHAUST THE LIMIT OF LIABILITY AND ARE SUBJECT TO RETENTIONS.

Please refer to the Declarations, which show the insuring agreements that the named insured purchased. If an insuring agreement has not been purchased, coverage under that insuring agreement of this Policy will not apply.

The Underwriters agree with the named insured, in consideration of the payment of the premium and reliance upon the statements contained in the information and materials provided to the Underwriters in connection with the underwriting and issuance of this Insurance Policy (hereinafter referred to as the "Policy") and subject to all the provisions, terms and conditions of this Policy:

Insuring Agreements back to top

Breach Response

To provide breach response services to the insured organization because of an actual or reasonably suspected data breach or security breach that the insured first discovers during the policy period.

First Party loss

To indemnify the insured organization for:

Data recovery costs

Data recovery costs that the insured organization incurs as a direct result of a security breach that the insured first discovers during the policy period.

Liability

Data & Network Liability

To pay damages and claims expenses, which the insured is legally obligated to pay because of any claim first made against any insured during the policy period for:

a data breach;
a security breach;
the insured organization’s failure to timely disclose a data breach or security breach;
failure by the insured to comply with that part of a privacy policy that specifically:

prohibits or restricts the insured organization’s disclosure, sharing or selling of personally identifiable information;
requires the insured organization to provide an individual access to personally identifiable information or to correct incomplete or inaccurate personally identifiable information after a request is made; or
mandates procedures and requirements to prevent the loss of personally identifiable information;
provided the insured organization has in force, at the time of such failure, a privacy policy that addresses those subsections above that are relevant to such claim.

Regulatory Defense & penalties

To pay penalties and claims expenses, which the insured is legally obligated to pay because of a regulatory proceeding first made against any insured during the policy period for a data breach or a security breach.

Payment Card Liabilities & Costs

To indemnify the insured organization for PCI fines and expenses and costs which it is legally obligated to pay because of a claim first made against any insured during the policy period.

Media liability

To pay damages and claims expenses, which the insured is legally obligated to pay because of any claim first made against any insured during the policy period for media liability.

eCrime

To indemnify the insured organization for any direct financial loss sustained resulting from:

that the insured first discovers during the policy period.

Criminal Reward

To indemnify the insured organization for criminal reward funds.

Exclusions back to top

The coverage under this Policy will not apply to any loss arising out of:

Bodily Injury or Property Damage

physical injury, sickness, disease or death of any person, including any mental anguish or emotional distress resulting from such physical injury, sickness, disease or death; or
physical injury to or destruction of any tangible property, including the loss of use thereof; but electronic data will not be considered tangible property;

Trade Practices and Antitrust

Any actual or alleged false, deceptive or unfair trade practices, antitrust violation, restraint of trade, unfair competition (except as provided in the media liability insuring agreement), or false or deceptive or misleading advertising or violation of the Sherman Antitrust Act, the Clayton Act, or the Robinson-Patman Act; but this exclusion will not apply to:

the Breach response insuring agreement; or
coverage for a data breach or security breach, provided no member of the control group participated or colluded in such data breach or security breach;

Gathering or Distribution of Information

the unlawful collection or retention of personally identifiable information or other personal information by or on behalf of the insured organization; but this exclusion will not apply to claims expenses incurred in defending the insured against allegations of unlawful collection of personally identifiable information; or
the distribution of unsolicited email, text messages, direct mail, facsimiles or other communications, wire tapping, audio or video recording, or telemarketing, if such distribution, wire tapping, recording or telemarketing is done by or on behalf of the insured organization; but this exclusion will not apply to claims expenses incurred in defending the insured against allegations of unlawful audio or video recording;

Prior Known Acts & Prior Noticed claims

any act, error, omission, incident or event committed or occurring prior to the inception date of this Policy if any member of the control group on or before the continuity date knew or could have reasonably foreseen that such act, error or omission, incident or event might be expected to be the basis of a claim or loss;
any claim, loss, incident or circumstance for which notice has been provided under any prior policy of which this Policy is a renewal or replacement;

Racketeering, Benefit Plans, Employment Liability & Discrimination

any actual or alleged violation of the Organized Crime Control Act of 1970 (commonly known as Racketeer Influenced and Corrupt Organizations Act or RICO), as amended;
any actual or alleged acts, errors or omissions related to any of the insured organization’s pension, healthcare, welfare, profit sharing, mutual or investment plans, funds or trusts;
any employer-employee relations, policies, practices, acts or omissions, or any actual or alleged refusal to employ any person, or misconduct with respect to employees; or
any actual or alleged discrimination;

but this exclusion will not apply to coverage under the breach response insuring agreement or parts 1., 2. or 3. of the data & Network Liability insuring agreement that results from a data breach; provided no member of the control group participated or colluded in such data breach;

Sale or Ownership of securities & Violation of securities Laws

the ownership, sale or purchase of, or the offer to sell or purchase stock or other securities; or
an actual or alleged violation of a securities law or regulation;

Criminal, Intentional or Fraudulent Acts

Any criminal, dishonest, fraudulent, or malicious act or omission, or intentional or knowing violation of the law, if committed by an insured, or by others if the insured colluded or participated in any such conduct or activity; but this exclusion will not apply to:

claims expenses incurred in defending any claim alleging the foregoing until there is a final non-appealable adjudication establishing such conduct; or
with respect to a natural person insured, if such insured did not personally commit, participate in or know about any act, error, omission, incident or event giving rise to such claim or loss.
For purposes of this exclusion, only acts, errors, omissions or knowledge of a member of the control group will be imputed to the insured organization;

Patent, Software Copyright, Misappropriation of Information

infringement, misuse or abuse of patent or patent rights;
infringement of copyright arising from or related to software code or software products other than infringement resulting from a theft or unauthorized access or use of software code by a person who is not a past, present or future employee, director, officer, partner or independent contractor of the insured organization; or
use or misappropriation of any ideas, trade secrets or third party information (i) by, or on behalf of, the insured organization, or (ii) by any other person or entity if such use or misappropriation is done with the knowledge, consent or acquiescence of a member of the control group;

Governmental Actions

A claim brought by or on behalf of any state, federal, local or foreign governmental entity, in such entity’s regulatory or official capacity; but this exclusion will not apply to the Regulatory Defense & penalties insuring agreement;

Other Insureds & Related Enterprises

A claim made by or on behalf of:

any insured; but this exclusion will not apply to a claim made by an individual that is not a member of the control group under the data & Network Liability insuring agreement, or a claim made by an additional insured; or
any business enterprise in which any insured has greater than 15% ownership interest or made by any parent company or other entity which owns more than 15% of the named insured;

Trading losses, loss of money & Discounts

any trading losses, trading liabilities or change in value of accounts;
any loss, transfer or theft of monies, securities or tangible property of the insured or others in the care, custody or control of the insured organization
the monetary value of any transactions or electronic fund transfers by or on behalf of the insured which is lost, diminished, or damaged during transfer from, into or between accounts; or
the value of coupons, price discounts, prizes, awards, or any other valuable consideration given in excess of the total contracted or expected amount;
but this exclusion will not apply to coverage under the eCrime insuring agreement;

Media-Related Exposures

With respect to the media liability insuring agreement:

any contractual liability or obligation; but this exclusion will not apply to a claim for misappropriation of ideas under implied contract;
the actual or alleged obligation to make licensing fee or royalty payments;
any costs or expenses incurred or to be incurred by the insured or others for the reprinting, reposting, recall, removal or disposal of any media material or any other information, content or media, including any media or products containing such media material, information, content or media;
any claim brought by or on behalf of any intellectual property licensing bodies or organizations;
the actual or alleged inaccurate, inadequate or incomplete description of the price of goods, products or services, cost guarantees, cost representations, contract price estimates, or the failure of any goods or services to conform with any represented quality or performance;
any actual or alleged gambling, contest, lottery, promotional game or other game of chance; or
any claim made by or on behalf of any independent contractor, joint venturer or venture partner arising out of or resulting from disputes over ownership of rights in media material or services provided by such independent contractor, joint venturer or venture partner;

First Party loss

With respect to the First Party loss insuring agreements:

seizure, nationalization, confiscation, or destruction of property or data by order of any governmental or public authority;
costs or expenses incurred by the insured to identify or remediate software program errors or vulnerabilities or update, replace, restore, assemble, reproduce, recollect or enhance data or computer systems to a level beyond that which existed prior to a security breach, system failure, dependent security breach, dependent system failure or extortion threat;
failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control; or
fire, flood, earthquake, volcanic eruption, explosion, lightning, wind, hail, tidal wave, landslide, act of God or other physical event.

Limit of Liability and Coverage back to top

Limits of Liability

The Policy Aggregate Limit of Liability listed in the Declarations (the "policy aggregate limit of liability") is the Underwriters’ combined total limit of liability for all loss, other than breach response services, payable under this Policy.

The limit of liability payable under each insuring agreement will be an amount equal to the policy aggregate limit of liability unless another amount is listed in the Declarations. Such amount is the aggregate amount payable under this Policy pursuant to such insuring agreement and is part of, and not in addition to, the policy aggregate limit of liability.

All dependent business loss payable under this Policy is part of and not in addition to the business interruption loss limit listed in the Declarations.

The Underwriters will not be obligated to pay any damages, penalties, PCI fines and expenses and costs or claims expenses, or to defend any claim, after the policy aggregate limit of liability has been exhausted, or after deposit of the policy aggregate limit of liability in a court of competent jurisdiction.

Breach Response Limits

Coverage for breach response services under this Policy is in addition to the policy aggregate limit of liability.

The Notified Individuals limit listed in the Declarations is the maximum total number of individuals to whom notification, call center and credit or identity monitoring services will be provided (or attempted) for all incidents or series of related incidents giving rise to an obligation to provide breach response services.

The Legal, Forensic & Public Relations/Crisis Management limit listed in the Declarations is the aggregate limit of coverage for all services and costs covered under parts 1., 2., 3. and 7. of the definition of breach response services.

Except as provided in the Additional Breach Response Limits clause below, the Underwriters will not be obligated to provide any breach response services after the number of individuals to whom services are provided under part 4. of the definition of breach response services reaches the Notified Individuals limit listed in the Declarations. If the total number of individuals to be notified under the Policy exceeds the Notified Individuals limit listed in the Declarations, the insured will be responsible for notifying and providing call center services and credit or identity monitoring services to such additional individuals in accordance with the processes described in the Information Packet.

Additional Breach Response Limits

Notwithstanding the foregoing, if:

the total number of individuals to whom services described in parts 4., 5. and 6. of the definition of breach response services are provided exceeds the amount listed in Notified Individuals limit listed in the Declarations; or
the dollar amount of the services described in parts 1., 2., 3. and 7. of the definition of breach response services provided to the insured organization exceeds the Legal, Forensic & Public Relations/Crisis Management limit listed in the Declarations;

this Policy will cover the costs, fees and expenses incurred to provide such breach response services up to an amount equal to the policy aggregate limit of liability (the "additional breach response limit").

The Additional Breach Response Limit is part of, and not in addition to, the policy aggregate limit of liability and will be reduced and may be exhausted by payments under either limit. Upon exhaustion of the additional breach response limit, there will be no further coverage under this Policy for any costs, fees or expenses covered thereunder.

Retentions back to top

The Retention listed in the Declarations applies separately to each incident, event or related incidents or events giving rise to a claim or loss. The Retention will be satisfied by monetary payments by the named insured of covered loss under each insuring agreement. If any loss arising out of an incident or claim is subject to more than one Retention, the Retention for each applicable insuring agreement will apply to such loss, provided that the sum of such Retention amounts will not exceed the largest applicable Retention amount.

The Retention for breach response services listed in the Declarations applies separately to each incident, event or related incidents or events, giving rise to legal, forensic and public relations/crisis management services and costs covered under parts 1., 2., 3. and 7. of the definition of breach response services. The Retention will be satisfied by monetary payments by the named insured for such services and costs.

Coverage for business interruption loss and dependent business loss will apply after the waiting period has elapsed and the Underwriters will then indemnify the named insured for all business interruption loss and dependent business loss sustained during the period of restoration in excess of the Retention.

Satisfaction of the applicable Retention is a condition precedent to the payment of any loss under this Policy, and the Underwriters will be liable only for the amounts in excess of such Retention.

Optional Extension Period back to top

Upon non-renewal or cancellation of this Policy for any reason except the non-payment of premium, the named insured will have the right to purchase, for additional premium in the amount of the Optional Extension Premium percentage listed in the Declarations of the full Policy Premium listed in the Declarations, an Optional Extension Period for the period of time listed in the Declarations. Coverage provided by such Optional Extension Period will only apply to claims first made against any insured during the Optional Extension Period and reported to the Underwriters during the Optional Extension Period, and arising out of any act, error or omission committed before the end of the policy period. In order for the named insured to invoke the Optional Extension Period option, the payment of the additional premium for the Optional Extension Period must be paid to the Underwriters within 60 days of the termination of this Policy.

The purchase of the Optional Extension Period will in no way increase the Policy Aggregate Limit of Liability or any sublimit of liability. At the commencement of the Optional Extension Period the entire premium will be deemed earned, and in the event the named insured terminates the Optional Extension Period for any reason prior to its natural expiration, the Underwriters will not be liable to return any premium paid for the Optional Extension Period.

All notices and premium payments with respect to the Optional Extension Period option will be directed to the Underwriters through entity listed for Administrative Notice in the Declarations.

General Conditions back to top

Notice of claim or loss

The insured must notify the Underwriters of any claim as soon as practicable, but in no event later than: (i) 60 days after the end of the policy period; or (ii) the end of the Optional Extension Period (if applicable). Notice must be provided through the contacts listed for notice of claim loss or circumstance in the Declarations.

With respect to breach response services, the insured must notify the Underwriters of any actual or reasonably suspected data breach or security breach as soon as practicable after discovery by the insured, but in no event later than 60 days after the end of the policy period. Notice must be provided to the breach response services Team listed in the Declarations. Notice of an actual or reasonably suspected data breach or security breach in conformance with this paragraph will also constitute notice of a circumstance that could reasonably be the basis for a claim.

With respect to cyber extortion loss, the named insured must notify the Underwriters via the email address listed in the Notice of claim, loss or Circumstance in the Declarations as soon as practicable after discovery of an extortion threat but no later than 60 days after the end of the policy period. The named insured must obtain the Underwriters’ consent prior to incurring cyber extortion loss.

With respect to data recovery costs, business interruption loss and dependent business loss the named insured must notify the Underwriters through the contacts for Notice of claim, loss or Circumstance in the Declarations as soon as practicable after discovery of the circumstance, incident or event giving rise to such loss. The named insured will provide the Underwriters a proof of data recovery costs, business interruption loss and dependent business loss, and this Policy will cover the reasonable and necessary costs, not to exceed USD 50,000, that the named insured incurs to contract with a third party to prepare such proof. All loss described in this paragraph must be reported, and all proofs of loss must be provided, to the Underwriters no later than 6 months after the end of the policy period.

The named insured must notify the Underwriters of any loss covered under the eCrime insuring agreement as soon as practicable, but in no event later than 60 days after the end of the policy period. Notice must be provided through the contacts listed for notice of claim loss or circumstance in the Declarations.

Any claim arising out of a loss that is covered under the Breach Response, First Party loss or eCrime insuring agreements and that is reported to the Underwriters in conformance with the foregoing will be considered to have been made during the policy period.

Notice of Circumstance

With respect to any circumstance that could reasonably be the basis for a claim (other than a data breach or security breach noticed under the Breach Response insuring agreement) the insured may give written notice of such circumstance to the Underwriters through the contacts listed for Notice of claim, loss or Circumstance in the Declarations as soon as practicable during the policy period. Such notice must include:

the specific details of the act, error, omission or event that could reasonably be the basis for a claim;
the injury or damage which may result or has resulted from the circumstance; and
the facts by which the insured first became aware of the act, error, omission or event.

Any subsequent claim made against the insured arising out of any circumstance reported to Underwriters in conformance with the foregoing will be considered to have been made at the time written notice complying with the above requirements was first given to the Underwriters during the policy period.

Defense of claims

Except with respect to coverage under the Payment Card Liabilities & Costs insuring agreement, the Underwriters have the right and duty to defend any covered claim or regulatory proceeding. Defense counsel will be mutually agreed by the named insured and the Underwriters but, in the absence of such agreement, the Underwriters’ decision will be final.

With respect to the Payment Card Liabilities & Costs insuring agreement, coverage will be provided on an indemnity basis and legal counsel will be mutually agreed by the named insured and the Underwriters and will be selected from one of the firms listed in the Information Packet.

The Underwriters will pay actual loss of salary and reasonable expenses resulting from the attendance by a corporate officer of the insured organization at any mediation meetings, arbitration proceedings, hearings, depositions, or trials relating to the defense of any claim, subject to a maximum of $2,000 per day and $100,000 in the aggregate, which amounts will be part of and not in addition to the policy aggregate limit of liability.

Settlement of claims

If the insured refuses to consent to any settlement recommended by the Underwriters and acceptable to the claimant, the Underwriters’ liability for such claim will not exceed:

the amount for which the claim could have been settled, less the remaining Retention, plus the claims expenses incurred up to the time of such refusal; plus
sixty percent (60%) of any claims expenses incurred after the date such settlement or compromise was recommended to the insured plus sixty percent (60%) of any damages, penalties, PCI fines and expenses and costs above the amount for which the claim could have been settled;

and the Underwriters will have the right to withdraw from the further defense of such claim.

The insured may settle any claim where the damages, penalties, PCI fines and expenses and costs and claims expenses do not exceed the Retention, provided that the entire claim is resolved and the insured obtains a full release on behalf of all insureds from all claimants.

Assistance and Cooperation

The Underwriters will have the right to make any investigation they deem necessary, and the insured will cooperate with the Underwriters in all investigations, including investigations regarding coverage under this Policy and the information and materials provided to the underwriters in connection with the underwriting and issuance of this Policy. The insured will execute or cause to be executed all papers and render all assistance as is requested by the Underwriters. The insured agrees not to take any action which in any way increases the Underwriters’ exposure under this Policy. Expenses incurred by the insured in assisting and cooperating with the Underwriters do not constitute claims expenses under the Policy.

The insured will not admit liability, make any payment, assume any obligations, incur any expense, enter into any settlement, stipulate to any judgment or award or dispose of any claim without the written consent of the Underwriters, except as specifically provided in the Settlement of claims clause above. Compliance with a breach notice law will not be considered an admission of liability.

Subrogation

If any payment is made under this Policy and there is available to the Underwriters any of the insured’s rights of recovery against any other party, then the Underwriters will maintain all such rights of recovery. The insured will do whatever is reasonably necessary to secure such rights and will not do anything after an incident or event giving rise to a claim or loss to prejudice such rights. If the insured has waived its right to subrogate against a third party through written agreement made before an incident or event giving rise to a claim or loss has occurred, then the Underwriters waive their rights to subrogation against such third party. Any recoveries will be applied first to subrogation expenses, second to loss paid by the Underwriters, and lastly to the Retention. Any additional amounts recovered will be paid to the named insured.

Other Insurance

The insurance under this Policy will apply in excess of any other valid and collectible insurance available to any insured unless such other insurance is written only as specific excess insurance over this Policy.

Action Against the Underwriters

No action will lie against the Underwriters or the Underwriters’ representatives unless and until, as a condition precedent thereto, the insured has fully complied with all provisions, terms and conditions of this Policy and the amount of the insured’s obligation to pay has been finally determined either by judgment or award against the insured after trial, regulatory proceeding, arbitration or by written agreement of the insured, the claimant, and the Underwriters.

No person or organization will have the right under this Policy to join the Underwriters as a party to an action or other proceeding against the insured to determine the insured’s liability, nor will the Underwriters be impleaded by the insured or the insured’s legal representative.

The insured’s bankruptcy or insolvency of the insured’s estate will not relieve the Underwriters of their obligations hereunder.

Change of Law, Unavailability of breach response services

If there is a change of law, regulation or enforcement that prevents the Underwriters or its providers from providing all or part of the breach response services, or if a provider is unable to or does not provide breach response services, the Underwriters will make reasonable efforts to procure similar services from other sources. In such event, the maximum the Underwriters will pay for the costs of procuring and providing all breach response services, including substitute products and services, will be no more than USD 10,000,000 in the aggregate for the policy period, which amount will be in addition to the policy aggregate limit of liability. If it is not reasonably possible for the Underwriters to procure substitute products or services, the Underwriters will not be obligated to provide such services.

Entire Agreement

By acceptance of the Policy, all insureds agree that this Policy embodies all agreements between the Underwriters and the insured relating to this Policy. Notice to any agent, or knowledge possessed by any agent or by any other person, will not effect a waiver or a change in any part of this Policy or stop the Underwriters from asserting any right under the terms of this Policy; nor will the terms of this Policy be waived or changed, except by endorsement issued to form a part of this Policy signed by the Underwriters.

Mergers or Consolidations

If during the policy period the named insured consolidates or merges with or is acquired by another entity, or sells more than 50% of its assets to another entity, then this Policy will continue to remain in effect through the end of the policy period, but only with respect to events, acts or incidents that occur prior to such consolidation, merger or acquisition. There will be no coverage provided by this Policy for any other claim or loss unless the named insured provides written notice to the Underwriters prior to such consolidation, merger or acquisition, the named insured has agreed to any additional premium and terms of coverage required by the Underwriters and the Underwriters have issued an endorsement extending coverage under this Policy.

Assignment

The interest hereunder of any insured is not assignable. If the insured dies or is adjudged incompetent, such insurance will cover the insured’s legal representative as if such representative were the insured, in accordance with the terms and conditions of this Policy.

Cancellation

This Policy may be canceled by the named insured by giving written notice to the Underwriters through the entity listed for Administrative Notice in the Declarations stating when the cancellation will be effective.

This Policy may be canceled by the Underwriters by mailing to the named insured at the address listed in the Declarations written notice stating when such cancellation will be effective. Such date of cancellation will not be less than 60 days (or 10 days for cancellation due to non-payment of premium) after the date of notice.

If this Policy is canceled in accordance with the paragraphs above, the earned premium will be computed pro rata; but the premium will be deemed fully earned if any claim, or any circumstance that could reasonably be the basis for a claim or loss, is reported to the Underwriters on or before the date of cancellation. Payment or tender of unearned premium is not a condition of cancellation.

Singular Form of a Word

Whenever the singular form of a word is used herein, the same will include the plural when required by context.

Headings

The titles of paragraphs, clauses, provisions or endorsements of or to this Policy are intended solely for convenience and reference, and are not deemed in any way to limit or expand the provisions to which they relate and are not part of the Policy.

Representation by the insured

All insureds agree that the statements contained the information and materials provided to the Underwriters in connection with the underwriting and issuance of this Policy are true, accurate and are not misleading, and that the Underwriters issued this Policy, and assume the risks hereunder, in reliance upon the truth thereof.

Named insured as Agent

The named insured will be considered the agent of all insureds, and will act on behalf of all insureds with respect to the giving of or receipt of all notices pertaining to this Policy, and the acceptance of any endorsements to this Policy. The named insured is responsible for the payment of all premiums and Retentions and for receiving any return premiums.

“additional insured”: additional insured means any person or entity that the insured organization has agreed in writing to add as an additional insured under this Policy prior to the commission of any act for which such person or entity would be provided coverage under this Policy, but only to the extent the insured organization would have been liable and coverage would have been afforded under the terms and conditions of this Policy had such claim been made against the insured organization.

“breach notice law”: breach notice law means any statute or regulation that requires notice to persons whose personal information was accessed or reasonably may have been accessed by an unauthorized person. breach notice law also includes any statute or regulation requiring notice of a data breach to be provided to governmental or regulatory authorities..

“breach response services”

breach response services means the following fees and costs in response to an actual or reasonably suspected data breach or security breach:

for an attorney to provide necessary legal advice to the insured organization to evaluate its obligations pursuant to breach notice laws or a merchant services agreement and in connection with providing the breach response services described below;
for a computer security expert to determine the existence, cause and scope of an actual or reasonably suspected data breach, and if such data breach is actively in progress on the insured organization's computer systems, to assist in containing it;
for a PCI Forensic Investigator to investigate the existence and extent of an actual or reasonably suspected data breach involving payment card data and for a Qualified Security Assessor to certify and assist in attesting to the insured organization's PCI compliance, as required by a merchant services agreement;
to notify those individuals whose personally identifiable information was potentially impacted by a data breach exceeding the notified individuals threshold;
to provide a call center to respond to inquiries about a data breach that exceeds the notified individuals threshold;
to provide a credit monitoring, identity monitoring or other solution listed in the Information Packet to individuals whose personally identifiable information was potentially impacted by a data breach exceeding the notified individuals threshold; and
public relations and crisis management costs directly related to mitigating harm to the insured organization which are approved in advance by the Underwriters in their discretion.

Breach response services will be provided by providers listed in the Information Packet, will be subject to the terms and conditions of this Policy and the Information Packet, and will not include any internal salary or overhead expenses of the insured organization. Breach response services also includes assistance from the BBR Services Team and access to education and loss prevention tools.

“business interruption loss”

business interruption loss means:

Actually sustained during the period of restoration as a result of the actual interruption of the insured organization’s business operations caused by a security breach or system failure. Coverage for business interruption loss will apply only after the waiting period has elapsed.

Business interruption loss will not include (i) loss arising out of any liability to any third party; (ii) legal costs or legal expenses; (iii) loss incurred as a result of unfavorable business conditions; (iv) loss of market or any other consequential loss; (v) dependent business loss; or (vi) data recovery costs.

“claim”

claim means:

a written demand received by any insured for money or services;
with respect to coverage provided under the Regulatory Defense & penalties insuring agreement only, institution of a regulatory proceeding against any insured; and
with respect to coverage provided under part 1. of the data & Network Liability insuring agreement only, a demand received by any insured to fulfill the insured organization's contractual obligation to provide notice of a data breach pursuant to a breach notice law;

Multiple claims arising from the same or a series of related, repeated or continuing acts, errors, omissions or events will be considered a single claim for the purposes of this Policy. All such claims will be deemed to have been made at the time of the first such claim.

“claims expenses”

claims expenses means:

all reasonable and necessary legal costs and expenses resulting from the investigation, defense and appeal of a claim, if incurred by the Underwriters, or by the insured with the prior written consent of the Underwriters; and
the premium cost for appeal bonds for covered judgments or bonds to release property used to secure a legal obligation, if required in any claim against an insured; provided the Underwriters will have no obligation to appeal or to obtain bonds.

claims expenses will not include any salary, overhead, or other charges by the insured for any time spent in cooperating in the defense and investigation of any claim or circumstance that might lead to a claim notified under this Policy, or costs to comply with any regulatory orders, settlements or judgments.

“computer systems”

computer systems means computers, any software residing on such computers and any associated devices or equipment:

operated by and either owned by or leased to the insured organization; or
with respect to coverage under the Breach Response and Liability insuring agreements, operated by a third party pursuant to written contract with the insured organization and used for the purpose of providing hosted computer application services to the insured organization or for processing, maintaining, hosting or storing the insured organization's electronic data.

“continuity date”

continuity date means:

the continuity date listed in the Declarations; and
with respect to any subsidiaries acquired after the continuity date listed in the Declarations, the date the named insured acquired such subsidiary.

“control group”: control group means any principal, partner, corporate officer, director, general counsel (or most senior legal counsel) or risk manager of the insured organization and any individual in a substantially similar position.

“criminal reward funds”: criminal reward funds means any amount offered and paid by the insured organization with the Underwriters' prior written consent for information that leads to the arrest and conviction of any individual(s) committing or trying to commit any illegal act related to any coverage under this Policy; but will not include any amount based upon information provided by the insured, the insured's auditors or any individual hired or retained to investigate the illegal acts. All criminal reward funds offered pursuant to this Policy must expire no later than 6 months following the end of the policy period.

“cyber extortion loss”

cyber extortion loss means:

any extortion payment that has been made by or on behalf of the insured organization with the Underwriters' prior written consent to prevent or terminate an extortion threat; and
reasonable and necessary expenses incurred by the insured organization with the Underwriters' prior written consent to prevent or respond to an extortion threat.

“damages”

damages means a monetary judgment, award or settlement, including any award of prejudgment or post-judgment interest; but damages will not include:

future profits, restitution, disgorgement of unjust enrichment or profits by an insured, or the costs of complying with orders granting injunctive or equitable relief;
return or offset of fees, charges or commissions charged by or owed to an insured for goods or services already provided or contracted to be provided;
taxes or loss of tax benefits;
fines, sanctions or penalties;
punitive or exemplary damages or any damages which are a multiple of compensatory damages, unless insurable by law in any applicable venue that most favors coverage for such punitive, exemplary or multiple damages;
discounts, coupons, prizes, awards or other incentives offered to the insured's customers or clients;
liquidated damages, but only to the extent that such damages exceed the amount for which the insured would have been liable in the absence of such liquidated damages agreement;
fines, costs or other amounts an insured is responsible to pay under a merchant services agreement; or
any amounts for which the insured is not liable, or for which there is no legal recourse against the insured.

“data”: data means any software or electronic data that exists in computer systems and that is subject to regular back-up procedures.

“data breach”: data breach means the theft, loss, or unauthorized disclosure of personally identifiable information or third party information that is in the care, custody or control of the insured organization or a third party for whose theft, loss or unauthorized disclosure of personally identifiable information or third party information the insured organization is liable.

“data recovery costs”: data recovery costs means the reasonable and necessary costs incurred by the insured organization to regain access to, replace, or restore data, or if data cannot reasonably be accessed, replaced, or restored, then the reasonable and necessary costs incurred by the insured organization to reach this determination.

data recovery costs will not include: (i) the monetary value of profits, royalties, or lost market share related to data, including but not limited to trade secrets or other proprietary information or any other amount pertaining to the value of data; (ii) legal costs or legal expenses; (iii) loss arising out of any liability to any third party; or (iv) cyber extortion loss.

“Dependent business”: dependent business means any entity that is not a part of the insured organization but which provides necessary products or services to the insured organization pursuant to a written contract.

“Dependent business loss”

Dependent business loss means:

income loss; and
extra expense;

actually sustained during the period of restoration as a result of an actual interruption of the insured organization's business operations caused by a dependent security breach or dependent system failure. Coverage for dependent business loss will apply only after the waiting period has elapsed.

dependent business loss will not include (i) loss arising out of any liability to any third party; (ii) legal costs or legal expenses; (iii) loss incurred as a result of unfavorable business conditions; (iv) loss of market or any other consequential loss; (v) business interruption loss; or (vi) data recovery costs.

“dependent security breach”: dependent security breach means a failure of computer security to prevent a breach of computer systems operated by a dependent business.

“dependent system failure”: dependent system failure means an unintentional and unplanned interruption of computer systems operated by a dependent business.

dependent system failure will not include any interruption of computer systems resulting from (i) a dependent security breach, or (ii) the interruption of computer systems that are not operated by a dependent business.

“digital currency”

Digital currency means a type of digital currency that:

requires cryptographic techniques to regulate the generation of units of currency and verify the transfer thereof;
is both stored and transferred electronically; and
operates independently of a central bank or other central authority.

“education and loss prevention tools”: education and loss prevention tools means information and services made available by the Underwriters from time to time and includes access to beazleybreachsolutions.com, a dedicated portal through which insureds can access news and information regarding breach response planning, data and network security threats, best practices in protecting data and networks, offers from third party service providers, and related information, tools and services. insureds will also have access to communications addressing timely topics in data security, loss prevention and other areas.

“extortion payment”: extortion payment means money, digital currency, marketable goods or services demanded to prevent or terminate an extortion threat.

“extortion threat”

extortion threat means a threat to:

alter, destroy, damage, delete or corrupt data;
perpetrate the unauthorized access or use of computer systems;
prevent access to computer systems or data;
steal, misuse or publicly disclose data, personally identifiable information or third party information;
introduce malicious code into computer systems or to third party computer systems from computer systems; or
interrupt or suspend computer systems;

unless an extortion payment is received from or on behalf of the insured organization.

“extra expense;”: extra expense; means reasonable and necessary expenses incurred by the insured organization during the period of restoration to minimize, reduce or avoid income loss, over and above those expenses the insured organization would have incurred had no security breach, system failure, dependent security breach or dependent system failure occurred.

“financial institution”: financial institution means a bank, credit union, saving and loan association, trust company or other licensed financial service, securities broker-dealer, mutual fund, or liquid assets fund or similar investment company where the insured organization maintains a bank account.

“Forensic Expenses”: Forensic Expenses means reasonable and necessary expenses incurred by the insured organization to investigate the source or cause of a business interruption loss.

“fraudulent instruction”

fraudulent instruction means the transfer, payment or delivery of money or securities by an insured as a result of fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions provided by a third party, that is intended to mislead an insured through the misrepresentation of a material fact which is relied upon in good faith by such insured. fraudulent instruction will not include loss arising out of:

fraudulent instructions received by the insured which are not first authenticated via a method other than the original means of request to verify the authenticity or validity of the request;
any actual or alleged use of credit, debit, charge, access, convenience, customer identification or other cards;
any transfer involving a third party who is not a natural person insured, but had authorized access to the insured's authentication mechanism;
the processing of, or the failure to process, credit, check, debit, personal identification number debit, electronic benefit transfers or mobile payments for merchant accounts;
accounting or arithmetical errors or omissions, or the failure, malfunction, inadequacy or illegitimacy of any product or service;
any liability to any third party, or any indirect or consequential loss of any kind;
any legal costs or legal expenses; or
proving or establishing the existence of fraudulent instruction.

“funds transfer fraud”

funds transfer fraud means the loss of money or securities contained in a transfer account at a financial institution resulting from fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions by a third party issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by the insured organization at such institution, without the insured organization's knowledge or consent.

funds transfer fraud will not include any loss arising out of:

the type or kind covered by the insured organization's financial institution bond or commercial crime policy;
any actual or alleged fraudulent, dishonest or criminal act or omission by, or involving, any natural person insured;
any indirect or consequential loss of any kind;
punitive, exemplary or multiplied damages of any kind or any fines, penalties or loss of any tax benefit;
any liability to any third party, except for direct compensatory damages arising directly from funds transfer fraud;
any legal costs or legal expenses; or proving or establishing the existence of funds transfer fraud;
the theft, disappearance, destruction of, unauthorized access to, or unauthorized use of confidential information, including a PIN or security code;
any forged, altered or fraudulent negotiable instruments, securities, documents or instructions; or
any actual or alleged use of credit, debit, charge, access, convenience or other cards or the information contained on such cards.

“Income loss”

Income loss means an amount equal to:

net profit or loss before interest and tax that the insured organization would have earned or incurred; and
continuing normal operating expenses incurred by the insured organization (including payroll), but only to the extent that such operating expenses must necessarily continue during the period of restoration.

“individual contractor”: individual contractor means any natural person who performs labor or service for the insured organization pursuant to a written contract or agreement with the insured organization. The status of an individual as an individual contractor will be determined as of the date of an alleged act, error or omission by any such individual contractor.

“insured”

insured means:

the insured organization;
any director or officer of the insured organization, but only with respect to the performance of his or her duties as such on behalf of the insured organization;
an employee (including a part time, temporary, leased or seasonal employee or volunteer) or individual contractor of the insured organization, but only for work done while acting within the scope of his or her employment and related to the conduct of the insured organization's business;
a principal if the named insured is a sole proprietorship, or a partner if the named insured is a partnership, but only with respect to the performance of his or her duties as such on behalf of the insured organization;
any person who previously qualified as an insured under parts 2. - 4., but only with respect to the performance of his or her duties as such on behalf of the insured organization;
an additional insured, but only as respects claims against such person or entity for acts, errors or omissions of the insured organization;
the estate, heirs, executors, administrators, assigns and legal representatives of any insured in the event of such insured's death, incapacity, insolvency or bankruptcy, but only to the extent that such insured would otherwise be provided coverage under this Policy; and
the lawful spouse, including any natural person qualifying as a domestic partner of any insured, but solely by reason of any act, error or omission of an insured other than such spouse or domestic partner.

“Insureds”

insured means:

the insured organization;
any director or officer of the insured organization, but only with respect to the performance of his or her duties as such on behalf of the insured organization;
an employee (including a part time, temporary, leased or seasonal employee or volunteer) or individual contractor of the insured organization, but only for work done while acting within the scope of his or her employment and related to the conduct of the insured organization's business;
a principal if the named insured is a sole proprietorship, or a partner if the named insured is a partnership, but only with respect to the performance of his or her duties as such on behalf of the insured organization;
any person who previously qualified as an insured under parts 2. - 4., but only with respect to the performance of his or her duties as such on behalf of the insured organization;
an additional insured, but only as respects claims against such person or entity for acts, errors or omissions of the insured organization;
the estate, heirs, executors, administrators, assigns and legal representatives of any insured in the event of such insured's death, incapacity, insolvency or bankruptcy, but only to the extent that such insured would otherwise be provided coverage under this Policy; and
the lawful spouse, including any natural person qualifying as a domestic partner of any insured, but solely by reason of any act, error or omission of an insured other than such spouse or domestic partner.

“insured organization”: insured organization means the named insured and any subsidiaries.

“loss”: loss means breach response services, business interruption loss, claims expenses, criminal reward funds, cyber extortion loss, damages, data recovery costs, dependent business loss, PCI fines and expenses and costs, penalties, loss covered under the eCrime insuring agreement and any other amounts covered under this Policy.

Multiple losses arising from the same or a series of related, repeated or continuing acts, errors, omissions or events will be considered a single loss for the purposes of this Policy.

With respect to the Breach Response and First Party loss insuring agreements, all acts, errors, omissions or events (or series of related, repeated or continuing acts, errors, omissions or events) giving rise to a loss or multiple losses in connection with such insuring agreements will be deemed to have been discovered at the time the first such act, error, omission or event is discovered.

“media liability”

media liability means one or more of the following acts committed by, or on behalf of, the insured organization in the course of creating, displaying, broadcasting, disseminating or releasing media material to the public:

defamation, libel, slander, product disparagement, trade libel, infliction of emotional distress, outrage, outrageous conduct, or other tort related to disparagement or harm to the reputation or character of any person or organization;
a violation of the rights of privacy of an individual, including false light, intrusion upon seclusion and public disclosure of private facts;
invasion or interference with an individual's right of publicity, including commercial appropriation of name, persona, voice or likeness;
plagiarism, piracy, or misappropriation of ideas under implied contract;
infringement of copyright;
infringement of domain name, trademark, trade name, trade dress, logo, title, metatag, or slogan, service mark or service name;
improper deep-linking or framing;
false arrest, detention or imprisonment;
invasion of or interference with any right to private occupancy, including trespass, wrongful entry or eviction; or
unfair competition, if alleged in conjunction with any of the acts listed in parts 5. or 6. above.

“media material”: media material means any information, including words, sounds, numbers, images or graphics, but will not include computer software or the actual goods, products or services described, illustrated or displayed in such media material.

“merchant services agreement”: merchant services agreement means any agreement between an insured and a financial institution, credit/debit card company, credit/debit card processor or independent service operator enabling an insured to accept credit card, debit card, prepaid card or other payment cards for payments or donations.

“money”: money means a medium of exchange in current use authorized or adopted by a domestic or foreign government as a part of its currency.

“named insured”: named insured means the named insured listed in the Declarations.

“notified individuals threshold”: Notified individuals threshold means the number of individual persons listed in the Declarations.

“PCI fines and expenses and costs”: PCI fines and expenses and costs means the monetary amount owed by the insured organization under the terms of a merchant services agreement as a direct result of a suspected data breach. With the prior consent of the Underwriters, PCI fines and expenses and costs includes reasonable and necessary legal costs and expenses incurred by the insured organization to appeal or negotiate an assessment of such monetary amount. PCI fines and expenses and costs will not include any charge backs, interchange fees, discount fees or other fees unrelated to a data breach.

“penalties”

penalties means:

any monetary civil fine or penalty payable to a governmental entity that was imposed in a regulatory proceeding; and
amounts which the insured is legally obligated to deposit in a fund as equitable relief for the payment of consumer claims due to an adverse judgment or settlement of a regulatory proceeding (including such amounts required to be paid into a "Consumer Redress Fund");

but will not include: (a) costs to remediate or improve computer systems; (b) costs to establish, implement, maintain, improve or remediate security or privacy practices, procedures, programs or policies; (c) audit, assessment, compliance or reporting costs; or (d) costs to protect the confidentiality, integrity and/or security of personally identifiable information or other information.

The insurability of penalties will be in accordance with the law in the applicable venue that most favors coverage for such penalties.

“period of restoration”: period of restoration means the 180-day period of time that begins upon the actual and necessary interruption of the insured organization's business operations.

“personally identifiable information”

personally identifiable information means:

any information concerning an individual that is defined as personal information under any breach notice law; and
an individual's drivers license or state identification number, social security number, unpublished telephone number, and credit, debit or other financial account numbers in combination with associated security codes, access codes, passwords or PINs; if such information allows an individual to be uniquely and reliably identified or contacted or allows access to the individual's financial account or medical record information.

but will not include information that is lawfully made available to the general public.

“policy period”: policy period means the period of time between the inception date listed in the Declarations and the effective date of termination, expiration or cancellation of this Policy and specifically excludes any Optional Extension Period or any prior policy period or renewal period.

“privacy policy”: privacy policy means the insured organization's public declaration of its policy for collection, use, disclosure, sharing, dissemination and correction or supplementation of, and access to personally identifiable information.

“regulatory proceeding”: regulatory proceeding means a request for information, civil investigative demand, or civil proceeding brought by or on behalf of any federal, state, local or foreign governmental entity in such entity's regulatory or official capacity.

“securities”: securities means negotiable and non-negotiable instruments or contracts representing either money or tangible property that has intrinsic value.

“security breach”

security breach means a failure of computer security to prevent:

unauthorized access or use of computer systems, including unauthorized access or use resulting from the theft of a password from computer systems or from any insured;
a denial of service attack affecting computer systems;
with respect to coverage under the Liability insuring agreements, a denial of service attack affecting computer systems that are not owned, operated or controlled by an insured; or
infection of computer systems by malicious code or transmission of malicious code from computer systems.

“subsidiary”

subsidiary means any entity:

which, on or prior to the inception date of this Policy, the named insured owns, directly or indirectly, more than 50% of the outstanding voting securities ("Management Control"); and
which the named insured acquires Management Control after the inception date of this Policy; provided that:
1. the revenues of such entity do not exceed 15% of the named insured's annual revenues; or
2. if the revenues of such entity exceed 15% of the named insured's annual revenues, then coverage under this Policy will be afforded for a period of 60 days, but only for any claim that arises out of any act, error, omission, incident or event first occurring after the entity becomes so owned. Coverage beyond such 60 day period will only be available if the named insured gives the Underwriters written notice of the acquisition, obtains the written consent of Underwriters to extend coverage to the entity beyond such 60 day period and agrees to pay any additional premium required by Underwriters.
This Policy provides coverage only for acts, errors, omissions, incidents or events that occur while the named insured has Management Control over an entity.
“subsidiaries”
subsidiaries means any entity:
1. which, on or prior to the inception date of this Policy, the named insured owns, directly or indirectly, more than 50% of the outstanding voting securities ("Management Control"); and
2. which the named insured acquires Management Control after the inception date of this Policy; provided that:
  1. the revenues of such entity do not exceed 15% of the named insured's annual revenues; or
  2. if the revenues of such entity exceed 15% of the named insured's annual revenues, then coverage under this Policy will be afforded for a period of 60 days, but only for any claim that arises out of any act, error, omission, incident or event first occurring after the entity becomes so owned. Coverage beyond such 60 day period will only be available if the named insured gives the Underwriters written notice of the acquisition, obtains the written consent of Underwriters to extend coverage to the entity beyond such 60 day period and agrees to pay any additional premium required by Underwriters.
  This Policy provides coverage only for acts, errors, omissions, incidents or events that occur while the named insured has Management Control over an entity.
“system failure”

system failure means an unintentional and unplanned interruption of computer systems.

system failure will not include any interruption of computer systems resulting from (i) a security breach, or (ii) the interruption of any third party computer system.

“telephone fraud”

telephone fraud means the act of a third party gaining access to and using the insured organization's telephone system in an unauthorized manner.

“third party information”

third party information means any trade secret, data, design, interpretation, forecast, formula, method, practice, credit or debit card magnetic strip information, process, record, report or other item of information of a third party not insured under this Policy which is not available to the general public.

“transfer account”

Transfer account means an account maintained by the insured organization at a financial institution from which the insured organization can initiate the transfer, payment or delivery of money or securities.

“unauthorized access or use”

unauthorized access or use means the gaining of access to or use of computer systems by an unauthorized person(s) or the use of computer systems in an unauthorized manner.

“unauthorized disclosure”

unauthorized disclosure means the disclosure of (including disclosure resulting from phishing) or access to information in a manner that is not authorized by the insured organization and is without knowledge of, consent or acquiescence of any member of the control group.

“waiting period”

waiting period means the period of time that begins upon the actual interruption of the insured organization's business operations caused by a security breach, system failure, dependent security breach or dependent system failure, and ends after the elapse of the number of hours listed as the waiting period in the Declarations.

Insuring Agreements

Exclusions

Limit of Liability and Coverage

Retentions

Optional Extension Period

General Conditions

Insuring Agreements back to top

Breach Response

First Party loss

Business interruption loss

dependent business interruption loss

Cyber extortion loss

Data recovery costs

Liability

Data & Network Liability

Regulatory Defense & penalties

Payment Card Liabilities & Costs

Media liability

eCrime

Criminal Reward

Exclusions back to top

Bodily Injury or Property Damage

Trade Practices and Antitrust

Gathering or Distribution of Information

Prior Known Acts & Prior Noticed claims

Racketeering, Benefit Plans, Employment Liability & Discrimination

Sale or Ownership of securities & Violation of securities Laws

Criminal, Intentional or Fraudulent Acts

Patent, Software Copyright, Misappropriation of Information

Governmental Actions

Other Insureds & Related Enterprises

Trading losses, loss of money & Discounts

Media-Related Exposures

First Party loss

Limit of Liability and Coverage back to top

Limits of Liability

Breach Response Limits

Additional Breach Response Limits

Retentions back to top

Optional Extension Period back to top

General Conditions back to top

Notice of claim or loss

Notice of Circumstance

Defense of claims

Settlement of claims

Assistance and Cooperation

Subrogation

Other Insurance

Action Against the Underwriters

Change of Law, Unavailability of breach response services

Entire Agreement

Mergers or Consolidations

Assignment

Cancellation

Singular Form of a Word

Headings

Representation by the insured

Named insured as Agent

Definition