One need only turn on the nightly news or peruse the latest headlines of online news publications to notice the increasing concern over breaches of electronic data. While the widespread digitalization of businesses’ most sensitive and valuable data has vastly improved corporate efficiency and strengthened businesses’ client service capabilities, it also has exposed them to the risk of significant liability arising from data breaches.
Companies’ own negligence often contributes to data breach losses. For example, data breaches may be caused by an “oops,” negligent employee conduct, which includes failure to follow company policies and procedures, failure to maintain reasonable expertise in company software, website, and related applications, failure to maintain awareness of current threats to the company, and general carelessness in maintaining a secure work environment. Another cause is the “ghost in the machine,” system glitches, which include inherent design flaws in security software, processing errors, imperfect software updates or patches, application failures, and inadvertent data dumps. According to a recent survey of United States companies, over half of commercial data breaches can be attributed to various types of human error by company employees.[2] The Ponemon Institute’s 2015 Cost of Data Breach Study reports that 53% of the time, the root cause of the data breaches in its study was negligent in nature — either “system glitch” or “human error” as opposed to “malicious or criminal attack.”[3]
The Target data breach incident exemplifies the significant data breach risk exposure companies face from employee error. According to a Bloomberg Business article, “[h]ad the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.”[4] Instead, Target has faced more than 90 lawsuits from customers and banks seeking millions of dollars in compensatory damages arising from the employees’ negligent conduct.[5]
Companies seeking to mitigate such risks traditionally turn to insurance. As most risk managers are now aware, however, traditional insurance policies often exclude or limit substantially a company’s “cyber” liability. Instead, over the past decade insurers have marketed specific cyber-insurance coverage aggressively to commercial policyholders as necessary coverage that will broadly protect them against the consequences of a data breach. For example, one carrier markets its product as a “flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.” Another carrier states, with regard to its cyber product, “[w]hether it’s the use of credit card data or third-party data providers, data breaches or unintended privacy violations, you need insurance that will put your mind at ease . . . .”
Policyholders should be aware, however, that a number of cyber insurance forms contain certain exclusions that, if interpreted broadly, could operate to significantly limit or eliminate altogether coverage for losses created by the “oops” or the “ghost in the machine.” Some cyber coverage contains language seeking to exclude from coverage “any loss caused by an employee.” Other cyber policy forms seek to exclude loss arising from defects or incompatibility of software or equipment arising from use of third-party products inconsistent with the intended use or warranties of the manufacturer of such products. Others exclude “any malfunction or error in programming or error or omission in processing.” Still other language seeks to exclude loss arising from “mechanical failure,” “error in design” or “gradual deterioration” of a computer system. By applying such exclusionary language broadly, insurers could seek to exclude virtually any data breach incident by attributing the breach to system failures, company employees’ negligent adoption of inadequate cyber security protocols, negligent implementation of the company’s adopted cyber security protocols, negligent training of company employees on cyber security protocols, and/or negligent failure to properly maintain and update the company’s cyber security software and related applications.
So, while the insurance industry commonly markets cyber insurance products to companies as comprehensive protection from the full breadth of cyber-related risks, in actuality many cyber policies are written on insurance forms that insurers may argue exclude coverage for over half of the traditional and common data breach scenarios stemming from honest employee mistakes and system glitches. We are already seeing the harbingers. Columbia Casualty Company recently filed a declaratory judgment action against one of its policyholders, asserting an exclusion for “[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance . . . .”[6] According to Columbia Casualty, these failures included the “failure to replace factory default settings” and “failure to regularly check and maintain security patches on its systems.”[7]
If faced with such arguments, however, policyholders are not without recourse. Through application of a number of well-established insurance policy interpretation principles, recent case law precedent suggests that a policyholder may be entitled to coverage under cyber liability policies for loss arising from data breach incidents stemming from the “oops” and the “ghost in the machine,” notwithstanding broadly worded exclusionary language potentially aimed at eliminating or severely curtailing coverage for such liability.
Concurrent Causation/Efficient Proximate Cause Doctrine
In the context of first-party property insurance losses, such as the privacy notification and crisis management expenses and the business interruption loss commonly covered by cyber policies, most jurisdictions have adopted a variation of the concurrent causation or efficient proximate cause doctrine. Under this doctrine, when a policyholder’s loss has resulted from a combination of causes, some of which are covered and some of which are excluded, the court must determine which cause was the predominant or overriding cause of the loss. The predominant/overriding cause governs coverage on an all-or-nothing basis: if that cause is covered, the policyholder is entitled to full reimbursement of the resulting loss; if that cause is excluded, the policyholder recovers nothing. This doctrine could become particularly interesting in the data breach context because, as in the Target situation, it is likely that loss could arise from arguably concurrent causes – the original hack, and the alleged failure of Target’s employees to catch, or prevent, the hack.
This was the issue before the court in State Bank of Bellingham v. Bancinsure, Inc.[8] The insured bank was seeking coverage for loss it suffered from a fraudulent wire transfer executed by cyber hackers. The bank sought reimbursement under the computer systems fraud coverage included in a financial institution bond issued by Bancinsure. In response, Bancinsure asserted that a number of exclusions applied to bar recovery.
First, it claimed that the bond’s exclusion for “loss caused by an Employee” applied because the employees disregarded bank and Federal Reserve policies by downloading a virus through spam email, failing to enable and update antivirus software, failing to password-protect accounts, and failing to shut down and remove security tokens from computers immediately preceding the cyber hacking incident. Bancinsure further argued that an exclusion for loss resulting from “theft of confidential information” applied because the hacker stole confidential employee passwords to execute the fraudulent wire transfer. Finally, Bancinsure asserted an exclusion for loss resulting from “mechanical failure or gradual deterioration,” arguing that the bank’s antivirus software deteriorated and ultimately failed because of the employees’ failure to adequately install necessary software updates. Applying Minnesota’s concurrent causation doctrine, the Court held that coverage was available because the computer hacker’s fraudulent conduct was the efficient and proximate cause of the loss even if the excluded causes may also have contributed to the loss, because “[b]ut for the hacker’s fraudulent conduct, the [money] would not have been transferred.”[9]
Some jurisdictions do permit the parties to contract around application of the concurrent causation/efficient proximate cause doctrine by stating something to the effect that the exclusion applies “regardless of whether any other cause also contributes to the loss.” While the court in Bancinsure suggested that such language likely is not enforceable under Minnesota law,[10] a policyholder may have difficulty asserting this doctrine in a jurisdiction that is willing to enforce anti-concurrent causation language.
Illusory Coverage Doctrine
Policyholders facing overly broad exclusionary language in insurance policies also may seek redress under the illusory coverage doctrine. Under this equitable doctrine, courts elect not to enforce overly broad exclusions when applying them as written would render the policy’s coverage illusory. This doctrine prevents insurance policy forms from including broadly defined coverages that leave reasonable insureds with the impression that they are substantially protected from certain types of liability risks only to have that coverage significantly curtailed or altogether eliminated by exclusionary language included elsewhere in the policy.
Recent case law suggests that courts may apply the illusory coverage doctrine to policies designed to protect insureds from data breaches and other cyber risks. In First Bank of Delaware, Inc. v. Fidelity and Deposit Company of Maryland,[11] for example, the insured was a debit card transaction processing company that had purchased Electronic Risk Liability coverage to protect itself from liability arising from data breach incidents. The insured was retained by Visa and Mastercard as the principal entity to manage their debit card transactions, and it hired another entity to assist in processing the debit card transactions. After the computers of the entity hired by the insured were hacked, resulting in the unauthorized withdrawal of millions of dollars from Visa and Mastercard customers, the insured sought reimbursement from its insurer for liability stemming from the hacking incident. The insurer denied the claim, arguing that the incident did not qualify as a “loss event” under the policy because it was not the insured’s computer system that was hacked and therefore did not satisfy the requirement that the computer system be used “on behalf of” the insured and, in any event, the policy’s exclusion for loss arising from the fraudulent use of “any credit, debit, charge, access, convenience, customer identification or other card, including, but not limited to the card number” applied.[12]
After holding that the incident qualified as a “loss event,” the court found the policy’s exclusion for loss arising from fraudulent use of credit and debit cards was unambiguous and clearly encompassed the loss. Nevertheless, the court refused to enforce the exclusion as written. Noting that “it was not appropriate to apply an exclusion where the effect would be that there would be ‘little to nothing left to that coverage,’” the court highlighted “the difficulty [in] finding an example of unauthorized use or access that does not contain some element of fraud” and concluded the exclusion as written “would swallow the coverage granted under” the policy’s Electronic Risk Liability coverage.[13]
A similar issue arose in Retail Ventures, Inc. v. National Union Fire Insurance Company of Pittsburgh, Pennsylvania.[14] The insureds, commercial retailers, had customer credit card and checking account information stolen from their main computer systems by hackers and sought coverage for losses stemming from that hacking event under computer fraud riders attached to their Blanket Crime policies issued by National Union. The policies excluded from coverage liability stemming from “loss of proprietary information, Trade Secrets, Confidential Processing methods, or other confidential information of any kind,” and National Union argued that the phrase “other confidential information of any kind” encompassed the stolen customer credit card and checking account information. The court rejected National Union’s argument, concluding that when properly read in context the exclusion applied only to the insureds’ own business-related confidential information rather than to their customers’ private financial data. The court further held that “to interpret ‘other confidential information of any kind’ as [National Union] urges — to mean any information belonging to anyone that is expected to be protected from unauthorized disclosure — would swallow not only the other terms in this exclusion but also the coverage for computer fraud.”[15]
Policyholders faced with exclusions that purport to exclude “errors” and “glitches” should assert similar arguments.
Reasonable Expectations Doctrine
Policyholders may also be able to seek refuge under the reasonable expectations doctrine. Similar to illusory coverage, the reasonable expectations doctrine applies the equitable principle that insurance policies may not be interpreted in a way that would be inconsistent with the insured’s reasonable coverage expectations when the policy was purchased. While jurisdictions have varying versions of this doctrine, it is most effective when raised to address unreasonably broad exclusions that, though unambiguous, significantly limit the breadth of coverage for the precise types of liability from which the policyholder sought to insulate itself by purchasing the policy.
In First Bank, for example, the court concluded not only that the exclusion for loss arising from the fraudulent use of debit card information rendered the Electronic Risk Liability coverage illusory, but also that it violated the bank’s reasonable expectation of coverage:
Courts must consider the reasonable expectations of the insurance policy purchaser. This doctrine must be reconciled with the principle of contract interpretation requiring that unambiguous language be given its plain meaning.
The Court finds that the language in Exclusion M is unambiguous in its attempt to exclude coverage for fraudulent use of data. The Court finds that Fidelity has met its burden to prove the elements of the exclusion by showing a meaningful link between the fraudulent use of data and the claims at issue. However, when the burden shifts back to First Bank to prove that Exclusion M should not be applied, the Court considers that a grant of coverage should not be swallowed by an exclusion. The principle that a grant of coverage should not be rendered illusory protects the reasonable expectations of the purchaser.[16]
In summary, commercial entities face significant risks for losses stemming from data breaches and should seek out specialized insurance products to address these risks. When procuring specialized cyber insurance, policyholders need to be aware that policies may contain language that seeks to narrow substantially or altogether eliminate the breadth of coverage provided for negligent employee conduct, notwithstanding that the “oops” and the “ghost in the machine” have been linked as causes of approximately half of all data breach incidents. Commercial insureds should negotiate with their carriers and, in particular, seek insurance from a different company if their existing carriers’ forms contain the broad exclusions directed at employee error and the carriers refuse to delete or narrow them. Finally, should a claim arise and should the carrier assert these exclusions, consult with insurance coverage counsel, because you may reasonably be entitled to coverage for negligence notwithstanding the carrier’s position.