October is National Cyber Security Awareness Month, an annual campaign led by the Department of Homeland Security to raise awareness about cybersecurity. You may think that you and your business are fully aware of cybersecurity threats and take adequate precautions against hacks, phishing schemes, malware and ransomware attacks, and other cyber-attacks; but what if, despite all preventative measures, you have been hacked? What if your company has suffered a data breach, and your data, or that of your clients or customers, has been compromised – stolen? The consequences of such a breach range from statutory penalties, to credit monitoring, to class action lawsuits, to business interruption losses, and all of this adds up. What is a company to do when it is facing such a loss? It files an insurance claim, and then waits for an investigation and, hopefully, payment on the claim. But what if, during the investigation, the insurance company determines that there is no coverage for the damages suffered from the data breach? This is what some companies have been told, and they have turned to the courts to resolve these insurance coverage disputes.
While there are quite a few insurance companies offering cyber liability policies, many businesses and companies have not purchased these, and instead turn to their commercial general liability policies (“CGL”). This update will explore how various courts have ruled on whether CGL policies cover the losses claimed from cyber-attacks.
Traditional Business Insurance Coverage
What does a traditional insurance policy cover when it comes to cyber breaches, i.e., is loss of data covered? Courts have been inconsistent in their rulings on this subject, and the outcome often comes down to the applicable policy language. For example, a traditional business insurance policy will cover property damage; however, some courts have found that loss of data will most likely not be considered property damage and, therefore, will not be covered. In Cincinnati Ins. Co. v. Prof'l Data Services, Inc., the court held that a CGL policy did not cover "loss of use of . . . the lost or corrupted patient account data" as "property damage" because neither "has any physical substance and neither is perceptible to the senses." A Virginia court made a similar ruling, holding that a CGL policy covering "physical damage to tangible property" did not cover AOL's damage to customers' software because software and data were not "capable of being touched or perceptible to the senses." A federal judge in Oklahoma ruled that an insurer owed no duty to defend against claims alleging its insured caused computer data loss because "computer data . . . is not tangible property."
Yet other courts have found claims for the loss of data or loss of use are covered by traditional property damage clauses. For example, the Eighth Circuit ruled that a CGL policy defining “property damage” as “physical injury to tangible property, including resulting loss of use of that property” covered a claim asserted by a third party for damages resulting from a spyware infection caused by the insured’s website. The Fourth Circuit held that the erasure of “vital computer files and databases” was covered under the policy as a “direct physical loss.”
Personal and Advertising Injury Coverage
CGL policies also typically cover third party losses for “personal and advertising injury.” This may include “oral or written publication of material” by the insured “that slanders, libels, disparages, or invades the right of privacy” or infringement on “another's copyright.” Courts have analyzed, with mixed results, whether “publication” covers a hacker’s release of information. By way of example, in Zurich Am. Ins. Co. v. Sony Corp. of Am., Sony had purchased a policy from Zurich. Sony suffered a data breach and submitted a claim to Zurich. Zurich denied the claim, and Sony brought suit seeking coverage. A New York state trial court held that the hackers, and not Sony, had “published” the information; thus, Sony was not covered under the personal and advertising injury provisions of Zurich’s policy.
Another question courts have addressed, again with mixed results, is whether the definition of “publication” requires stolen information to actually be accessed by a third party. Some courts have held that there was no “publication” of missing data because “[r]egardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information.” Other courts, by contrast, have held that an insurer was required to indemnify its insured for claims arising from the insured's inadvertent disclosure of private information on public search engines even though “no third party is alleged to have viewed the information,” because “the definition of ‘publication’ does not hinge on third-party access.”
Courts have also grappled with whether coverage applies when the policy contains an exclusion for violations of federal and state statutes. West Coast courts have weighed in on this issue, with varying results. A Washington federal court held that an insurer was not obligated to defend suits alleging statutory privacy violations when the applicable CGL policy excluded coverage for “any loss [or] suit arising out of . . . any act that violates any statute, ordinance or regulation of any federal, state or local government.” On the other hand, a California federal court held the opposite, ruling that an insurer must cover such claims. The court held that even though the CGL policy excluded coverage for “personal and advertising injury . . . arising out of the violation of a person’s right to privacy created by any state or federal act,” the policy still covered the statutory claims because the statutes at issue codified existing privacy rights under the California constitution and common law.
What about other types of traditional coverage? What have the courts said about the following losses after a data breach?
Business Interruption Coverage
This issue remains unclear; however, it appears that Business Interruption policies may not cover loss of electronically stored data because such a loss does not result from direct physical loss or damage. Nevertheless, an Arizona federal district court held that the insured’s computer network was physically damaged when a power outage caused the loss of all programming information and custom configurations.
Directors and Officers Coverage
These policies may be used for coverage relating to a Director’s or Officer’s failure to implement adequate cyber security measures, but this theory has not yet been tested in the courts and remains an open question.
These policies provide coverage for theft of money, securities or property, but often exclude theft of proprietary information, trade secrets, and other confidential information. The areas of dispute include: (1) where there has been a hack, whether policy language requiring that damages result directly from the cyber breach covers claims by credit card processors, customers and regulators against the insured; and (2) whether the exclusion for confidential information applies to customer information. The Sixth Circuit held in favor of the insured on both issues in Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821, 834 (6th Cir. 2012).
The Eighth Circuit recently granted summary judgment in favor of a bank that was seeking coverage under a financial institution bond for two fraudulent wire transfers totaling $485,000. The insurance company argued that the loss was not covered because of the “employee-caused loss exclusions” contained in the applicable policy. The court held that the “overriding cause” of the loss was “criminal activity,” rather than the employees’ violations of policies and procedures. Applying Minnesota’s “concurrent-causation” doctrine, the court found the bank was entitled to payment for the loss, despite its employees’ negligent acts, because “an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the employees’ failure to follow proper computer security policies, procedures and protocols.”
Your company’s cyber security policies may come under scrutiny both when applying for coverage and when attempting to recover under a policy. Insurers may inquire whether prospective applicants follow specific standards of data protection, and will then require their insureds to uphold any disclosed standards throughout the policy's term. Should a breach occur, an insurer may challenge the accuracy of the insured's application and its ongoing adherence to the disclosed cyber security protocol, as occurred in a 2015 lawsuit.