Cybersecurity and data loss risks are top concerns for the C-suite these days, and rightfully so. Companies of all types and sizes are exposed to a growing risk of attack. The now infamous Target cyber-attack demonstrates that no organization is immune from attack.
Because the costs associated with a cyber-attack are potentially enormous, insurance should be a top consideration. The Ponemon Institute’s “2014 Cost of Data Breach Study: Global Analysis” recently reported that “the average total cost of a data breach for the companies participating in [its] research increased 15 percent to $3.5 million.” Id., at 1. Those costs arise on multiple fronts – from repairing damaged or compromised software and hardware systems, rebuilding relationships, notifying and reimbursing customers, and responding to government inquiries, to defending against third-party lawsuits. A priority for any policyholder is to secure as much insurance coverage as possible to cover these costs.
Cyber coverage is an evolving legal landscape. On the one hand, insurance carriers have developed a slew of new cyber insurance products and have enlisted insurance brokers to sell those policies into ever-increasing demand. These cyber-specific policies can provide excellent coverage, but often require considerable rewrites to achieve the desired result. With all of the hype about new products, though, current standard-form business insurance can be overlooked.
The arguments for coverage under CGL policies are simple and straightforward. Most General Liability policies contain a separate grant of coverage for “Personal and Advertising Injury.” This grant affords coverage for any “[o]ral and written publication, in any manner, that violates a person’s right to privacy.” Accordingly, if someone took private information and released it to others, coverage should be provided.
Courts addressing coverage under Commercial General Liability (“CGL”) insurance policies for cyber liability have often found coverage. See Netscape Commc’ns. Corp. v. Fed. Ins. Co., 343 Fed. Appx. 271, 272 (9th Cir. 2009) (sending information to an affiliated entity about users’ internet activities without their knowledge violates a person’s right to privacy and is therefore a “publication,” triggering coverage); Zurich Am. Ins. Co. v. Fieldstone Mortg. Co., 2007 WL 3268460, at *5 (D. Md. Oct. 26, 2007); Am. Family Mut. Ins. Co. v. C.M.A. Mortg., Inc., 682 F. Supp.2d 879 (S.D. Ind. 2010).
In many of these cases, the main dispute centers on “publication.” In Fieldstone, the insured sought coverage for claims that it improperly accessed and used credit information in order to send individuals prescreened credit offers. The Court determined that there was “publication” even if the party who improperly accessed certain credit information was the same as the party who received the information. All that is required is that there is some form of disclosure of data. Id. See also C.M.A. Mortgage, 682 F. Supp.2d at 884-85 (unauthorized access of credit reports meets the publication requirement).
Courts, however, struggle with coverage where there has been no disclosure of stolen data. See, e.g., Recall Total Information Management Inc. v. Federal Ins. Co., 147 Conn. App. 450, 463, 83 A.3d 664, 672 (Conn. App. Ct. 2014), cert. granted, 311 Conn. 925, 86 A.3d 469 (2014) (pending resolution). In the Recall case, a party responsible for transporting computer tapes containing sensitive information of past and current IBM employees sought coverage for costs resulting from its settlement agreement with IBM after those tapes fell off a truck and disappeared. The court agreed with the insurer’s denial based on lack of “publication,” relying upon evidence that the personal information on those stolen tapes could not be read by a personal computer, that no third party had accessed the information, and that no IBM employee had suffered injuries from the loss of the tapes. “[A]ccess is a necessary prerequisite to the communication or disclosure of personal information….” Id.
In most cyber-attack situations, though, the arguments that publication has occurred, triggering coverage under CGL policies, are so simple and straightforward that coverage cannot be overlooked. Courts are generally aligned in favor of coverage if data was disseminated to third parties. Given the favorable state of the law on coverage for cyber-attacks, an initial “no” from an insurer should never be the last word.
Miller Friel, PLLC is a specialized insurance coverage law firm whose sole purpose is to help corporate clients maximize their insurance coverage. Our focus on exclusively representing policyholders, combined with our extensive experience in the area of insurance law, leads to greater efficiency, lower costs and better results. Further discussion and analysis of insurance coverage issues impacting policyholders can be found in our Miller Friel Insurance Coverage Blog and our 7 Tips for Maximizing Coverage series.