Last year has been called the “Year of the Mega Breach” because it saw an explosion of cyber-attacks and other data security breaches that affected literally hundreds of millions more people than were affected during the previous year. The cost of a data breach can be astounding. While organizations turn to technological safeguards to prevent cyber threats, insurance is a key asset for mitigating cyber losses when they happen.

The insurance industry has taken the position that data security breaches are not generally covered under conventional commercial insurance policies and is marketing specialized “cyber policies” to cover these losses. Many courts have rejected the insurance industry’s position that there is no coverage under existing policies, finding that data security breaches are at least partly covered under a variety of kinds of insurance including commercial general liability (CGL) policies.

Insurance companies have responded by inserting into their policies an ad hoc assortment of exclusions intended to limit coverage for data security breaches and other privacy claims. These exclusions have had mixed success in accomplishing that goal. Now, the Insurance Services Office (ISO) has proposed a new set of exclusions for use by the insurance industry that are intended to broadly exclude coverage for data security breaches. It is expected that the new ISO exclusions will start appearing in CGL policies later this year.

Standard CGL policies cover liability for bodily injury and property damage (Coverage A) and for so-called “personal and advertising injury” (Coverage B). “Personal and advertising injury” coverage requires a “publication” of material that invades someone’s right of privacy. The scope of Coverage B is at the center of disputes between policyholders and insurers about whether privacy claims are covered under CGL policies, but many courts have found that this coverage applies to a variety of data breach and other privacy claims, although the case law is not uniform.

ISO recently submitted to state insurance regulators for their approval a set of proposed exclusions that seek once and for all to broadly exclude coverage for data breaches from CGL policies. The new exclusions will start being introduced by endorsement this summer. The new endorsement is entitled “Exclusion—Access or Disclosure of Confidential or Personal Information and Data-Related Liability—With Limited Bodily Injury Exception.”

This endorsement adds the following language to both Coverages A and B:

This insurance does not apply to [d]amages arising out of:

  1. Any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.

Significantly, the explanatory memorandum that ISO has submitted to state regulators acknowledges that this revision “may be considered a reduction in personal and advertising injury coverage” to the extent that access to or disclosure of confidential or personal information results in publication that violates a person’s right of privacy.

The endorsement also includes the following additional exclusionary language in Coverage A:

This insurance does not apply to [d]amages arising out of:

  2. The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

Finally, the endorsement provides that:

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.

It is worth noting that these exclusions contain several exceptions. For example, the ISO endorsement contains an express exception for “damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.” With that said, ISO has also drafted an optional endorsement (CG 21 07) which eliminates this exception. So it remains to be seen what the scope of coverage will be for bodily injury resulting, for example, from cyber attacks on critical infrastructure.

This exclusion may not be the silver bullet the insurance industry seeks in other respects as well. For example, the new language does not seem to apply to privacy claims that do not involve the “accessing” of any confidential information, e.g., illegal phone recording claims, junk fax and phone call claims, and claims arising out of the loss of hard drives and other media containing confidential information. Further, these exclusions do not appear to apply to property damage or bodily injury claims resulting from all cyber attacks, but only to attacks that damage or deny access to data.

As mentioned previously, policyholders should expect to see these exclusions added to their policies soon. While the courts may ultimately end up deciding what they mean, the insurance industry’s ongoing attempt to limit coverage under conventional insurance policies for data security and privacy claims will no doubt give policyholders further reason to assess the scope of their current insurance coverage, and consider whether now is the time to buy specialty cyber insurance. Policyholders should bear in mind that even cyber insurance policies contain many exclusions and other limitations on coverage, but the good news is that they tend to be highly negotiable with the help of an experienced broker or attorney.