Insurance for Cyber Attacks: Despite the Hype, You May Already be Covered

Cyber-Attack Clouds Over Target

Cybersecurity and data loss risks are top concerns for the C-suite these days, and rightfully so.  Companies of all types and sizes are exposed to a growing risk of attack.  The now infamous Target cyber-attack demonstrates that no organization is immune from attack.

Because the resulting costs associated with a cyber-attack are potentially enormous, insurance should be a top consideration.  The Ponemon Institute’s “2014 Cost of Data Breach Study: Global Analysis” recently reported that “the average total cost of a data breach for the companies participating in [its] research increased 15 percent to $3.5 million.”  Id., at 1.  Those costs arise on multiple fronts – from repairing damaged or compromised software and hardware systems, rebuilding relationships, notifying and reimbursing customers, and responding to government inquiries, to defending against third party lawsuits.  A priority for any policyholder is to secure as much insurance coverage as possible to cover these costs.

Cyber coverage is an evolving legal landscape.  On the one hand, insurance carriers have developed a slew of new cyber insurance products, and have enlisted insurance brokers to sell those policies into the ever-increasing demand.  These cyber-specific policies can provide excellent coverage, but often require considerable rewrites to achieve the desired result.  With all of the hype about new products, though, current standard-form business insurance can be overlooked.

The arguments for coverage under CGL policies are simple and straightforward.  Most General Liability policies contain a separate grant of coverage for “Personal and Advertising Injury.”  This grant affords coverage for any “[o]ral and written publication, in any manner, that violates a person’s right to privacy.”  Accordingly, if someone took private information, and released that to others, coverage should be provided.

Courts addressing coverage under Commercial General Liability (“CGL”) insurance policies for cyber liability have often found coverage.  See Netscape Commc’ns. Corp. v. Fed. Ins. Co., 343 Fed. Appx. 271, 272 (9th Cir. 2009) (sending information to an affiliated entity about users’ internet activities without their knowledge violates a person’s right to privacy and is therefore a “publication,” triggering coverage); Zurich Am. Ins. Co. v. Fieldstone Mortg. Co., 2007 WL 3268460, at *5 (D. Md. Oct. 26, 2007); Am. Family Mut. Ins. Co. v. C.M.A. Mortg., Inc., 682 F. Supp.2d 879 (S.D. Ind. 2010).

In many of these cases, the main issue for dispute centers around “publication.”  In Fieldstone, the insured sought coverage for claims that it improperly accessed and used credit information in order to send individuals prescreened credit offers.  The Court determined that it was “publication” even if the party who improperly accessed certain credit information was the same as the party who received the information.  All that is required is that there is some form of disclosure of data.  Id.  See also C.M.A. Mortgage, 682 F. Supp.2d at 884-85 (unauthorized access of credit reports meets the publication requirement).

Courts, however, struggle with coverage where there has been no disclosure of stolen data.  See, e.g., Recall Total Information Management Inc. v. Federal Ins. Co., 147 Conn. App. 450, 463, 83 A.3d 664, 672 (Conn.App. Ct. 2014), cert. granted, 311 Conn. 925, 86 A.3d 469 (2014) (pending resolution).  In the Recall case, a party responsible for transporting computer tapes containing sensitive information of past and current IBM employees sought coverage for costs resulting from its settlement agreement with IBM after those tapes fell off a truck and disappeared.  The Court agreed with the insurer’s denial based on lack of “publication,” relying upon evidence that the personal information on those stolen tapes could not be read by a personal computer, that no third party had accessed the information and that no IBM employee had suffered injuries from the loss of the tapes.  “[A]ccess is a necessary prerequisite to the communication or disclosure of personal information….”  Id.

In most cyber-attack situations, though, the arguments that publication has occurred, triggering coverage under CGL policies, are so simple and straightforward that coverage cannot be overlooked.  Courts are generally aligned in favor of coverage, if data was disseminated to third parties.  Given the favorable state of the law on coverage for cyber-attacks, an initial “no” from an insurer should never be the last word.

Miller Friel, PLLC is a specialized insurance coverage law firm whose sole purpose is to help corporate clients maximize their insurance coverage.  Our Focus of exclusively representing policyholders, combined with our extensive Experience in the area of insurance law, leads to greater efficiency, lower costs and better Results.  Further discussion and analysis of insurance coverage issues impacting policyholders can be found in our Miller Friel Insurance Coverage Blog and our 7 Tips for Maximizing Coverage series.

4 thoughts on “Insurance for Cyber Attacks: Despite the Hype, You May Already be Covered”

    1. Yes, insurers are drafting cyber-exclusions, which is further indication that coverage is provided under the standard GL policy forms. It also highlights the importance of hiring insurance recovery counsel to make sure that such exclusions are not inadvertently added to client policies. Perhaps an even bigger problem is that insurers are denying coverage under cyber-specific policies as well.

      1. “Yes, insurers are drafting cyber-exclusions, which is further indication that coverage is provided under the standard GL policy forms.”

        Not necessarily and often not usually. Limiting coverage only to “direct damage” to “tangible property” has historically been supported by case law to exclude cyber/data breach claims. However, some courts have creatively found coverage where none was ever intended. As a result, “standards” organizations like ISO and individual insurers sometimes introduce less allegedly ambiguous wording to make it perfectly clear that no coverage is intended or provided.

        Following Katrina, exclusionary “water damage” language was added, not because flooding following levee failures was ever covered or intended to be covered, but rather because some courts found some degree of coverage. ISO, for example, strengthened the exclusion, not because they were excluding it for the first time, but because they never intended there to be coverage and the language revision was necessary to convince the courts of this.

        In other words, strengthening exclusionary language is not necessarily (or even usually) an admission that such losses were covered before.

        1. Bill. Courts are not the problem. They only interpret what insurance carriers (and their trade associations, including your former employer, ISO) write. Everyone in the insurance industry is quick to offer advice on how claims are not covered, even in the face of legal decisions holding to the contrary. It is surprising how little voice corporate policyholders have. That is why we started this blog.
