In 2011, more than 1.8 zettabytes, or 1.8 trillion gigabytes, of digital information will be created.1 Meanwhile, only 30% of that information is subject to even minimal security, and only half of the information that should be protected is actually protected.2
In recent years, the frequency of electronic data breaches, and the costs companies incur because of them, also have increased dramatically. For example, in 2010, the average cost of a single data breach peaked at more than $7 million.3 In 2011, the cost averaged $7.2 million per breach, or $214 per compromised record.4 Data breaches from malicious attacks are the most expensive, and the percentage of data breaches caused by these attacks continues to grow.5
To date, the rise of data breaches shows no signs of slowing down. Email marketing provider Epsilon’s data on customers of 50 retailers was breached during an unauthorized entry into its email system.6 In May, hackers obtained data on more than 360,000 credit card accounts from Citigroup.7 Governments are not immune either. The Office of the Texas Comptroller inadvertently disclosed Social Security numbers of 3.5 million people in April, and in July, the Pentagon reported that a foreign government obtained sensitive data via cyber attack.8
In perhaps the most widely publicized example from 2011, hackers infiltrated Sony’s networks in April 2011, accessing account information of more than 100 million users of Sony’s PlayStation Network, Sony Entertainment Online, and Sony Pictures.9 Sony estimates the cost of this breach at $178 million for this fiscal year alone.10
As the number of hacking incidents has increased, many of the affected companies have turned to their historic insurance policies for protection and relief. Their efforts to obtain insurance coverage, however, have met with varied success.
II. Coverage for Data Breaches
Companies affected by cyber breaches have sought coverage pursuant to a number of different insurance policies. Policyholders’ most common and successful claims have been based upon commercial general liability (“CGL”) policies. Sony is currently seeking coverage under its CGL policy following the breach of its networks. Sony submitted its claim to Zurich American Insurance Co. for the 58 putative class actions and potential state attorney general actions it now faces as a result of the breach.11 Typically, CGL policyholders that have suffered a data breach seek coverage pursuant to policy provisions affording coverage for “property damage” and “advertising injury” to third parties.12
a. Property Damage
Under CGL policies, property damage requires physical injury to tangible property, or loss of use of tangible property that is not physically injured.13 In some cases, courts have been reluctant to find that electronic data qualifies as tangible property.14 Moreover, insurers recently have begun to amend their standard CGL policies expressly to exclude electronic data from the definition of property damage.15 Thus, insureds are facing greater challenges in seeking insurance coverage for data breaches as property damage.
b. Advertising Injury
On the other hand, policyholders have had more success pursuing coverage for data breaches as advertising injuries. Advertising injuries encompass an insured’s liability for intentional torts enumerated in the CGL policy, including publication of material that violates a person’s right to privacy, that slanders or libels another, or disparages another’s goods, products, or services.16 To obtain coverage for a data breach, a policyholder must demonstrate that it engaged in advertising activity, that the claim against it included a publication that violated another’s right to privacy, and that there is a “causal nexus” between injury arising from the offense and the advertising activity.17
Under CGL policies, advertisements include notices that are “broadcast or published to the general public or specific market segments” about the insured’s goods, products, or services to attract customers or supporters.18 This includes material posted on the Internet, but only on the portions of websites aimed at attracting customers for the insured’s goods, products, or services. Publication includes publication via the Internet and other media outlets.
Insurers primarily have disputed whether data breaches qualify as publications and whether they violate another’s right to privacy. Most courts have interpreted the publication requirement broadly, holding that an insured disclosing data to only one person or entity is entitled to coverage.19 In some cases, courts have held that the disclosure need not even reach an outside party. In other words, information disclosed within a company to the insured’s personnel was “published” for purposes of policy coverage.20
Courts are more divided on the right to privacy issue. Courts disagree as to whether the underlying suit against the policyholder must explicitly allege a violation of the third party’s right to privacy. Most courts focus not on the specific allegations, but on the third party’s perception of the injuries as invading its privacy.21 In contrast, other courts have required the underlying allegations to include violations of privacy laws analogous to the offenses enumerated in the advertising injury policy provision.22
Finally, most courts favor policyholders in determining whether the third party has a privacy right in the accessed data and whether there is a nexus between the insured’s advertising activity and the underlying offense.23 Thus, overall, policyholders have been successful in obtaining coverage for data breaches most frequently pursuant to the CGL provisions concerning advertising injury.
III. Insurers Fight Back
Insurers, however, have begun fighting back. On July 20, 2011, Zurich filed suit against Sony seeking a declaratory judgment that its CGL policy did not cover the numerous class action lawsuits and the potential state attorney general actions arising out of the extensive data breaches. Zurich has alleged that these actions do not qualify as “bodily injury,” “property damage,” or “personal and advertising injury” under its CGL policy.24
The Sony Defendants recently moved to dismiss the complaint on various grounds, and Zurich moved for a preliminary injunction barring Sony’s competing coverage action filed in California. Oral argument on both motions is set for October 18, 2011. Thus far, no other rulings have been made.
Sony’s case is among the first efforts by the insurance industry to limit its liability for cyber breaches proactively through litigation. Additionally, insurers are increasingly amending and revising their CGL policies expressly to exclude coverage for data breaches and cyber risks.25 Policyholders must be vigilant in reviewing new policy forms when placing CGL coverage.
IV. Conclusion
Policyholders have enjoyed some successes in obtaining coverage for data breaches as advertising injury. But such success remains far from uniform, and, as Zurich’s complaint against Sony demonstrates, insurers are taking a more active role in attempting to limit or restrict coverage for cyber breaches under CGL policies. Thus, policyholders concerned about the growing risk of damages resulting from cyber risks should review their policies carefully, as well as the potentially applicable law, to ensure they have the protection they need and expect.