Recent, large-scale data breaches at several well-known companies underscore the substantial risk that businesses now face with respect to cyber, data-security liability. In this year alone, numerous companies – including retailers, financial institutions, and health care providers – have experienced well-publicized, costly data breaches. These data breaches are in addition to the breach that Target disclosed in December 2013, where as many as 40 million credit and debit card numbers were stolen from point-of-sale terminals. Target itself estimates that this data breach will cost the company in excess of $148 million.
As such high-profile data breaches have become more frequent and more expensive to mitigate and resolve, the insurance industry has sharpened its stance on certain issues of insurance policy interpretation that have been developing in the courts over the past decade. The industry’s position is reflected in several recent articles and white papers sounding the same general theme: because traditional insurance products, and in particular Commercial General Liability (“CGL”) policies, were developed at a time when cyberliability claims were not contemplated as risks, policyholders should not expect coverage under such policies. In asserting these positions, insurers – either directly or through their outside law firms – are attempting to discourage policyholders from making claims and are seeking to limit their exposure under traditional lines of coverage, while developing and selling new types of specialty coverage forms for cyberliability risks.
The conclusion that insureds should not expect coverage for cyberliability claims under CGL or other traditional policy forms, however, is premature and not well supported. Cyberliability claims may be covered under the broad insuring agreements of CGL policies, and traditional lines of insurance should not be ignored when a company is faced with such claims.
A typical CGL policy provides broad liability insurance coverage under two insuring agreements – Coverage A (bodily injury and property damage) and Coverage B (personal and advertising injury) – that generally cover all risks of such a nature except those that are specifically excluded. Coverage A includes coverage for property damage, which is often defined to include: (i) “physical injury to tangible property, including loss of use of that property”; and (ii) “loss of use of tangible property that is not physically injured.”
Although the case law is not uniform on the issue, some courts have held that data constitutes tangible property under Coverage A. In Retail Systems, Inc. v. CNA Insurance Co., the Court of Appeals of Minnesota compared a data storage tape to a motion picture, where “the information and the celluloid medium are integrated,” and held that “[t]he data on [a missing computer tape] was of permanent value and was integrated completely with the physical property of the tape.” Similarly, in American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc., a federal district court in Arizona held that “physical injury” to property “is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.” The court stated that “when a computer’s data is unavailable, there is damage; when a computer’s services are interrupted, there is damage; and when a computer’s software or network is altered, there is damage.”
In response to these decisions, the insurance industry has developed endorsements and exclusions designed to limit its exposure for certain types of cyberliability claims as property damage. Nevertheless, even under policies that may specifically carve out software, data, or other electronically stored information from the definition of “tangible property,” coverage for property damage may be available for certain types of cyberliability claims.
For example, cyber-related attacks may not only cause physical destruction or alteration of software and data, but can also result in the loss of use of equipment that is not physically harmed. Coverage for property damage may be available in such situations. In Eyeblaster, Inc. v. Federal Insurance Co., the U.S. Court of Appeals for the Eighth Circuit concluded that a cyberliability claim was covered under Coverage A notwithstanding that “any software, data or other information that is in electronic form” was expressly excluded from “tangible property.” There, the underlying claimant alleged that his personal computer became corrupted after visiting Eyeblaster’s website. The insurer denied coverage on the grounds that the underlying complaint did not allege damage to tangible property. The court held that although there were no allegations of physical damage to the underlying plaintiff’s computer hardware, the complaint did in fact trigger coverage under the second prong of the insuring agreement – “loss of use of tangible property that is not physically injured.” The court recognized that the “plain meaning of tangible property includes computers, and the [underlying] complaint alleges repeatedly the ‘loss of use’ of [plaintiff’s] computer.”
Thus, although some courts have held to the contrary, property damage liability coverage should not be ruled out without careful consideration of the policy language, the underlying facts, and the case law that has developed in the relevant jurisdiction.
Additionally, numerous courts have confirmed coverage for cyberliability claims under Coverage B, where the underlying claim arises out of the breach of a privacy right rather than the destruction or loss of use of computer equipment. The typical insuring agreement under Coverage B provides coverage for, among other things, damages resulting from the “publication” of material that “violates a person’s right of privacy.” Although insurers may dispute whether a requisite “publication” has occurred, a number of courts have found a publication to exist in the data breach context.
In Travelers Indemnity Co. of America v. Portal Healthcare Solutions LLP, a federal district court in Virginia recently held that Coverage B was triggered where a health care company made certain confidential medical records accessible to the public. The court found that “exposing confidential medical records to public online searching placed highly sensitive, personal information before the public,” thereby triggering coverage. Critically, the court found that the “publication” requirement in Coverage B was met, notwithstanding that no third party was alleged to have actually accessed the records. The court held that the “publication” requirement is met “when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.”
Cyberliability claims, thus, may be covered under the broad insuring agreement of Coverage B. Although splits of authority may exist on coverage issues relevant to these types of claims – including, for example, what constitutes a “publication” with respect to the data at issue – coverage will often turn on the specific facts of the claim and the specific policy language at issue.
Insureds should not presume the absence of coverage under either Coverage A or B without carefully considering the nature of the loss and the language of the policy at issue – factors that may vary significantly from claim to claim. While the insurance industry has introduced a number of endorsements in recent years designed to limit or preclude CGL coverage for certain types of cyber, data-security liability claims, these revisions may not be determinative of whether coverage exists for a particular claim. Indeed, historical policies that continue to provide coverage on an occurrence basis may not contain such exclusions, and prior exclusions may not be as sweeping as insurers contend – especially when applied to the facts of a particular claim.
Consideration should also be given to controlling legal standards that may have developed in the relevant jurisdiction, which can also vary significantly. Because these issues are relatively new, however, it may be some time before policyholders have definitive guidance from the courts on several dispositive coverage issues.
For these reasons, insureds should seek guidance from experienced coverage counsel if faced with a data breach. Coverage counsel can help to maximize the potential for coverage under each of the policies in the insurance program, including CGL and other traditional lines of insurance.
Even if coverage exists under a CGL policy, however, that coverage may not address all of the costs incurred by an insured as a result of a data breach. As such, before being faced with such an occurrence, an insured will benefit from a review of its insurance program by experienced coverage counsel. Coverage counsel can assist in determining whether an existing insurance program provides adequate protection if a data breach takes place, and whether specialized cyber risk insurance should be part of that program.