Skip to main content

When is a company responsible for the hack of an employee?

By October 17, 2011August 22nd, 2018

A recent suit filed by one New York real estate firm against another accused the defendant of hacking into the plaintiff’s computer system to steal exclusive information. What are the insurance and risk management implications of this scenario?

A new line of insurance has been created in the past decade, generally referred to as Cyber Insurance, to address a myriad of loss exposures that arise from acts such as a breach of privacy, failure to protect confidential data, copyright, trademark, or trade secret infringement, and some forms of personal injury. In the beginning, it was mostly technology firms that purchased the coverage but now virtually every business has some level of exposure to these potential losses.

Whether or not a commercial real estate firm purchased Cyber Insurance is one issue – but would the allegations in the case referenced above even be covered? Generally, intentional acts to commit an illegal activity by an “insured” are excluded. An “employee” usually falls under the definition of “insured” person. But if an employee acts outside the scope of their employment are they an “employee” for purposes of the action that led to the loss?

When an employee is held to have acted outside the scope of their employment, then the exclusion for intentional acts by an “insured” may not apply. In that scenario the policy will determine if it will cover an act by a non-insured for which the main insured (the company buying the insurance) is held legally liable.

Cyber insurance is one of the most sophisticated and, at times, confusing forms of insurance to purchase today. Please contact The Flanders Group for a discussion on your particular needs.