Ashley Madison Hack Raises Questions of Insurable Loss


By: Jessica Samford

By now most everyone should be familiar with the frenzy surrounding the recent hacking of the Ashley Madison website, making headlines due to its risqué premise—adultery. Hackers known as the “Impact Team” made available for download account data such as email addresses associated with website accounts, and the full impact so far is yet to be determined. Not only are there personal and financial data breach concerns, but there is also significant potential for reputational and invasion of privacy harm. It has been reported that there was no verification of email addresses used to create accounts, so some email addresses may even be on the list as a result of identity theft. Further, there have been news reports of a significant number of resignations in religious communities, as well as some reports of suicides related to the incident. When and where will the impact end?

This brings us to the next installment of the insurance law blog’s glossary of key insurance concepts. The first installment explained the “fortuity” principle behind insurance policies: there must be risk of an unanticipated event, and normally there is no insurable risk if the loss is already known to have occurred. The example provided was a man who bought car insurance after he had a car accident. In exceptional circumstances, however, there can still be insurable risk subsequent to a loss when the unknown risk is not the occurrence of the loss itself, which already happened, but rather the cost of remediating the loss. The concept is embodied in “stop-loss” insurance policies and often comes up in the context of environmental spills with unknown impact and cost of cleanup. Usually the impact and cost are projected, and coverage is triggered if costs exceed estimated amounts.

Similarly, the impact and clean-up cost from the Ashley Madison data spill are not yet known and could give rise to continuing and significant loss exposures akin to risks insured against in “stop-loss” policies. Only time will tell how much more expansive potential liability could be, given the unusual privacy and reputational harm at stake. Currently, most cyber liability policies provide coverage based on the occurrence of loss itself (occurrence-based coverage) and cannot be triggered by a known loss. With data breaches on the rise, stop-loss policies may become a viable option, or the costs associated with data breaches may become better understood in evaluating and protecting against insurable loss. When businesses are assessing and managing their risks, prevention and prospective insurance protection will always be a more cost-effective strategy.