This past June marks nine years since the data breach at CardSystems Solutions, which involved the disclosure of names, account numbers and verification codes for some 40 million cardholders. Next month, we will pass the eight-year anniversary of the data breach at Monster.com, which involved the disclosure of contact information for some 1.3 million users. Despite the passage of so much time and the seemingly endless recurrence of large, high-profile data breaches at companies in a wide range of industries, many companies still do not have dedicated, stand-alone network security/privacy liability insurance policies. For companies that remain reliant on traditional insurance policies to cover the inevitable cost of attorneys’ fees, credit monitoring, customer/employee notification, and card brand assessments attendant to any significant data breach, a recent decision from the Fifth Circuit Court of Appeals may have a silver lining.
Among the different potential obstacles that may exist for policyholders seeking to find network/privacy liability coverage under traditional liability insurance policies is the “contractual liability exclusion.” Coverage for “personal and advertising injury,” including the publication of material that violates a person’s right of privacy, under most general liability insurance policies does not include injuries “for which the insured has assumed liability in a contract or agreement.” Similar exclusions may be found in directors and officers’ liability and errors and omissions liability insurance policies. But, invariably, these exclusions preserve coverage for liability that the insured would have in the absence of a contract or agreement. The question then becomes, what is the nature of the insured’s liability in the event of a data breach? The Fifth Circuit’s opinion in Lone Star National Bank v. Heartland Payment Systems, Inc., 729 F.3d 421 (5th Cir. 2013) provides a partial answer.
Heartland is a payment card intermediary responsible for processing credit card transactions between merchant banks and card-issuing banks. Heartland had a contract with the merchant banks, but no contract with the card-issuing banks. After hackers stole some 130 million card numbers from Heartland’s computer systems, the card-issuing banks asserted claims against Heartland - both for negligence and as third-party beneficiaries of Heartland’s contracts with the merchant banks - for the losses sustained by the banks in re-issuing new cards and to reimburse customers for fraudulent charges.
The federal district court dismissed the card-issuing banks’ negligence claim as barred by the “economic loss doctrine” under New Jersey law. Writing for a three-judge panel of the Fifth Circuit Court of Appeals, Judge Garza reversed the district court’s ruling, finding that “the economic loss doctrine does not bar tort recovery where the defendant causes an identifiable class of plaintiffs to which it owes a duty of care to suffer economic loss that does not result in boundless liability.” 729 F.3d at 424. Because (1) the losses sustained by the card-issuing banks were “foreseeable;” (2) Heartland would not be subject to “boundless liability;” (3) absent a tort remedy, the card-issuing banks would be left without redress; and (4) the “negotiations” and “bargaining power” of the card-issuing banks with respect to Heartland’s contracts with the merchant banks were “uncertain,” the Fifth Circuit concluded that “the economic loss doctrine does not bar the [card-issuing banks’] negligence claim . . . .”
While Heartland’s “economic loss rule” defense was ultimately denied at the dismissal stage, as between contractual and tort liability, Heartland may have a better chance of obtaining insurance coverage for tort liability than for the card-issuing banks’ contractual claims. Any insureds defending against contractual and tort (or statutory) claims arising out of a privacy/data breach should think twice and consider the insurance coverage implications before narrowing a plaintiff’s case to claims that sound only in contract. Likewise, savvy plaintiffs should take note of where insurance coverage is most likely when framing a complaint and pursuing alternative claims for cyber/privacy losses.