In the past year, multiple cases have disputed whether commercial general liability insurance policies provide coverage for lawsuits related to data breaches and data privacy incidents. At least two matters are on appeal. The question of whether there is CGL coverage for those lawsuits is quite significant, particularly to retailers that have suffered data privacy incidents involving payment cards (i.e., credit and debit cards). CGL coverage can provide overlapping coverage with cyberinsurance policies, if not its own independent coverage, and defense costs under CGL policies frequently do not erode policy limits.
As a starting point, standard-form CGL policies provide coverage for all sums that an insured is liable to pay as damages because of bodily injury, property damage and personal and advertising injury. Bodily injury typically includes bodily injury, sickness, disease or death, and, depending upon the policy, mental anguish. Property damage typically includes damage to tangible property (with many CGL policies specifically excluding electronic data from the definition of tangible property) and loss of use of tangible property. Personal and advertising injury typically includes oral or written publication, in any manner, of information that violates a person’s right of privacy.
Retailers should pay close attention to their CGL policy to determine whether there may be, at a minimum, a duty to defend lawsuits related to credit card data breaches. The suits may trigger coverage under both property damage and personal and advertising injury sections of their CGL insurance policies.
Credit Card Data Breaches as “Property Damage”
When plaintiffs bring lawsuits against retailers after a breach of payment cards, the plaintiffs may allege that they suffered many harms. One harm that plaintiffs often raise, in an effort to show damages and standing, is that they were without a credit or debit card for a period of time. Or, in insurance parlance, the loss of use of their credit cards and debit cards. Plaintiffs may allege, for example, that their credit and debit cards were canceled or shut off, and they were without cards until the replacements arrived.
There should be no argument that credit and debit cards are tangible property. If payment cards are tangible property, it follows that loss of use of payment cards is loss of use of tangible property. In short, those allegations should be viewed as triggering a CGL insurance carrier’s duty to defend as allegations of property damage.
Credit Card Data Breaches as “Personal and Advertising Injury”
Plaintiffs’ lawsuits for payment card breaches frequently allege that there was a violation of a right of privacy. Some suits even specifically include a cause of action alleging the violation of the plaintiffs’ right of privacy. Those allegations should trigger the duty to defend under a CGL policy’s personal and advertising injury coverage.
Was there Publication as a Result of a Credit Card Data Breach?
Insurance carriers often dispute whether there was a “publication,” because personal and advertising injury coverage typically requires “oral or written publication, in any manner, that violates a person’s right of privacy.” Recent decisions in California and Virginia have recognized that data breaches involving health care information involved “publication” after the information was made more widely available than it should have been. A trial court judge in New York explained that when a hacker got into the network and saw private data, that consisted of publication as well. (The Virginia and New York decisions are on appeal as of this writing.)
Does the Publication Have to be Committed by the Insured?
If there was publication and there were allegations of invasion of privacy, what is left for insurance carriers to raise in their efforts to avoid coverage? One argument that had success in a trial court in New York is whether the insurance policy requires the insured to have committed the publication or whether the publication may be done by a third party. That standard is not, and should not be, the law in other states. Nor should it be the standard in New York, in our opinion. Indeed, when other courts have considered the scope of personal and advertising injury coverage, where the insured did not commit the publication, the courts have found coverage nonetheless. See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs. (C.D. Cal. Oct. 7, 2013) (private information made available online by third party); Owners Ins. Co. v. European Auto Works Inc., 695 F.3d 814 (8th Cir. 2012) (Minnesota law) (finding coverage for invasion of privacy for insured that was sued for publication made by a third party), rehearing and rehearing en banc denied, (2012); Univ. Underwriters Ins. Co. v. Lou Fusz Automotive Network Inc., 300 F. Supp. 2d 888 (E.D. Mo. 2004) (Missouri law) (finding coverage for invasion of privacy for one insured that was sued for publication made by a third party and another insured that had denied that it performed any publication at all), aff’d, 401 F.3d 876 (8th Cir. 2005); Columbia Cas. Co. v. HIAR Holding LLC (Mo. Cir. Ct. May 18, 2011), aff’d 411 S.W.3d 258 (Mo. 2013) (en banc) (finding coverage when third party engaged in publication but the insured faced liability).
The standard-form CGL policy does not require the publication to be done by a third party. The entire premise of a CGL insurance policy is to defend against and pay the damages that an insured is legally obligated to pay because of personal and advertising injury. That is, CGL policies pay for what insureds become legally obligated to pay; CGL policies do not mirror and track the requirements of tort liability. Therefore, if an insured becomes obligated to pay because of personal and advertising injury that someone else committed, there is coverage (unless otherwise excluded).
Beyond that basic premise, the personal and advertising injury section of CGL policies has certain sections that are dependent upon what actions the insured took. For example, there are at least three exclusions in the personal and advertising injury coverage section that turn on whether they were done “by or at the direction of the insured.” There is no such restriction in the definition or coverage grant of personal and advertising injury coverage.
Could the Insured Actually Have Been the Publishing Entity (Unwittingly)?
Even if a court were to imply a requirement that the insured had to commit the publication, the facts related to payment card data privacy incidents may meet that standard. First, the complaints may allege that the insured was the entity that performed the publication. The complaints also may allege that the retailer/insured’s computer system was being used against it to capture and publish private information. A close read of the complaint is warranted, particularly if a court determines that the insured has been the publishing party.
For those retailers whose systems were compromised by malware, it is possible that the insured’s system was being used to publish information, rather than being dependent on third parties to publish. One type of malware that has been used against retailers is a Citadel Trojan. Citadel Trojans may be installed on a computer system after a user clicks on a bad link in a “phishing” email that is designed to install the malware. Citadel malware can infiltrate the victim’s system and bypass firewalls and other protections. Some Citadel Trojans may operate automatically and forces the victim’s computer to publish private information, including broadcasting details about network configurations, settings, and other information. Worse yet, Citadel Trojans may also be able to capture a user’s screen activities and to broadcast from the victim’s system as a movie to the malware owner.
Some reports indicate that Citadel malware may allow attackers to seek out card information, and use the victim’s network to send out (i.e., publicize) card information. One author has explained that the malware moves payment card numbers and sends out notification that the data is available to hackers. See Chris Poulin, What Retailers Need to Learn from the Target Breach to Protect Against Similar Attacks, Security Intelligence Blog. Another author explains that malware logs payment card information and sends it to a remote server. See Christine Blank, Thousands of Cards Compromised at Retailers’ POS, Fierce Retail IT.
In short, the facts may demonstrate that retailers who were hacked or affected by malware actually were the publishing party, whether they wanted to be or not. If the retailer was the publishing party, a requirement that the insured be the publishing party should be satisfied.
When companies suffer a data breach or a data privacy incident, particularly incidents involving payment cards, it is crucial to make certain that insurance companies will provide coverage for the resulting losses. Even relatively small incidents can cost retailers millions; large retailers have publicly disclosed that their payment card data privacy incidents cost them nine figures net of insurance.
Retailers should be thoughtful about pursuing the coverage that they purchased under their insurance policies. Expect insurance carriers to push back against providing a defense to claims under CGL policies, but there are solid reasons why coverage should apply. With defense costs outside of limits under CGL policies, this coverage is extraordinarily valuable. Insureds should think hard before taking no for an answer from their CGL insurance carriers.