Tag Archives: cgl

Key Questions for Vaping Businesses

As vaping becomes increasingly popular across the U.S., more businesses are manufacturing, distributing and selling vaping products, including ones containing or intended for use with CBD or THC. The proliferation of vaping products is likely to lead, before long, to an increase in vaping-related litigation.

As such, vaping-related businesses will want to make sure – before litigation ever occurs – that they have the right insurance in place to respond. Given the variety of terms, conditions and particularly exclusions in commercial general liability (CGL) and product liability insurance policies, businesses cannot simply assume that they have the necessary coverage.

In determining whether it has the needed coverage, a vaping-related business will want to take into account a number of considerations, including:

  • Does its CGL insurance cover product-related claims, or it is necessary to obtain and maintain separate product liability insurance? Some CGL policies may specifically exclude coverage for “Products-Completed Operations.” As a result, such policies may not provide coverage if a consumer is injured by, for example, an exploding vape pen.
  • Is its CGL or product liability insurance written on a claims-made basis, or does it provide occurrence-based coverage? Basically, a claims-made insurance policy provides coverage for a claim made during the policy period, whereas an occurrence-based policy provides coverage for an accident that happens during the policy period (no matter when the claim is ultimately made). Therefore, occurrence-based coverage is generally more valuable to the policyholder, especially when facing risk of long-tail-exposure claims (such as many toxic-tort claims). However, at least for cannabis-related companies, it may be difficult, if not impossible, to purchase an insurance policy covering product claims that is written on an occurrence basis.
  • Does its CGL policy or its product liability policy specifically exclude coverage for vaping-related products or vaping-related injuries? There are different formulations of such exclusions being used by insurers today. For example, at least one insurer includes a complete exclusion for vaping equipment and components, which precludes coverage for “any claim arising out of the use, handling or ownership of vaporizing equipment or any part of the accessories attached or used with the vaporizing equipment including pens, cartridges, mouth pieces, batteries, chargers, coils and any miscellaneous products used with, or attached to, vaporizing equipment.” Another insurer only excludes coverage for claims “resulting from the use, sale or distribution of batteries manufactured by, or which are represented, marketed and/or sold as having been manufactured by” certain specified companies.
  • Do its CGL or product liability policies include other exclusions that may arguably defeat coverage for a vaping-related claim? Such exclusions may include, (i) a health hazard exclusion, (2) a marijuana/cannabis products exclusion and (iii) a carcinogen exclusion.

The insurance considerations only increase if the vaping products at issue include, or are intended for use with, THC (i.e., the chief psychoactive component in marijuana, which remains a Schedule I controlled substance in the U.S.) or even CBD. Because marijuana remains illegal in the U.S., there are still many insurance companies that will not write coverage for a cannabis-related business or agree to cover cannabis-related losses. There are also any number of insurance policy terms, conditions, or exclusions that arguably could defeat coverage for a THC/cannabis-vaping-related claim. As such, as companies that already have CGL or product liability insurance move into the THC vaping space, they should double-check with their insurer(s) and review their policy(ies) to make sure they still would have coverage for any claims arising out of THC vaping. They cannot just expect that the policies they historically have had will cover them in this new line of business.

See also: Legal Marijuana: An Insurance Perspective  

Finally, CBD-related vaping products may raise many of the same concerns. Although the 2018 federal farm bill opened the door for the legal production and sale of hemp and hemp-derived CBD in the U.S., it did not amend the federal Food, Drug, and Cosmetic Act or otherwise legalize the sale of CBD for oral consumption. Accordingly, insurance policy provisions that require compliance with all applicable laws or exclude coverage for illegal acts or substances may arguably still bar coverage for CBD-vaping-related claims.

While many of these considerations will apply to many businesses in the vaping industry, each business is also likely to have its own unique insurance needs and issues, and each business should carefully review its specific coverages carefully.

Does CGL Cover for Data Breach?

In a highly anticipated May 26 decision, the Connecticut Supreme Court ruled that two commercial general liability (CGL) insurers, Federal Insurance and Scottsdale Insurance, are not required to cover losses in connection with the mysterious disappearance of computer tapes containing employment-related data, including the Social Security numbers, of approximately 500,000 current and former IBM employees in Recall Total Information Management, Inc. v. Federal Ins. Co.[1] Although the insurers in Recall Total won this particular battle, Recall Total’s value as precedent value as insurer-ammunition in their war against data breach coverage under CGL policies is severely limited by a highly unusual fact pattern. Recall Total can reasonably be read to assist insureds facing more typical kinds of data breaches, like the Target breach and many others.

Below is a brief summary of the facts, the key coverage issue, the ruling and five takeaways.

The Facts

The facts of Recall Total are unusual, to say the least: The computer tapes at issue, which belonged to IBM, fell off the back of a transportation subcontractor’s van near a highway exit ramp.[2] About 130 of the tapes were then removed from the roadside by an unknown person and never recovered.[3]

In the wake of this highway misadventure, IBM incurred more than $6 million in expenses to address the incident, including notification, call center services and credit monitoring.[4] IBM sought indemnification from its vendor, Recall Total Information Management (Recall), which had contracted with IBM to transport off-site and store the computer tapes at issue.[5] Recall settled with IBM and, in turn, sought indemnification from its transportation subcontractor, Executive Logistics (Ex Log), which lost the tapes after they fell off its van during transit. Ex Log agreed to pay more than $6.4 million to Recall and assigned to Recall its rights under a $2 million primary CGL policy and a $5 million umbrella policy following a coverage tender and denial.[6] Ex Log and Recall then initiated coverage litigation.[7]

Key Coverage Issue: Was There a “Publication”?

ExLog’s CGL policy at issue, similar to the current ISO standard form CGL policy,[8] states in relevant part that the insurer “will pay damages that the insured becomes legally obligated to pay … for … personal injury.”[9] The policy defines the key term “personal injury” to include “injury … caused by an offense of … electronic, oral, written or other publication of material that … violates a person’s right to privacy.”[10]

The Ruling

The intermediate appellate court, in a decision adopted by the Connecticut Supreme Court, appeared ready to find, or at least was not averse to finding, “publication” satisfied if there was any evidence of access to the data. Based upon the unique facts, however, the intermediate appellate court determined that the “publication” requirement was not satisfied because there was no evidence that the data on the tapes, which could not be read by a personal computer, “was ever accessed by anyone”[11] — let alone used it for “any improper purpose.”[12]

As the intermediate appellate court stated, there was not even any evidence that the party who took the tapes “even recognized that the tapes contained personal information.”[13] Under these unique facts, and the fact that no IBM employee had suffered any injury, the court determined that it was “unable to infer that there has been a publication” and concluded that “[a]s the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.”[14]

In a brief per curiam opinion, the Connecticut Supreme Court affirmed on the basis that there was no “publication,” noting that “[t]here is no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.”[15]

Takeaways

  1. The “Access” Lacking in Recall Total Is Present in Many Data Breach Cases

Recall Total is of limited utility to insurers seeking to avoid CGL coverage for data breaches given its peculiar factual setting. As the decision makes abundantly clear, it hinged on the fact that there was no evidence of access to the sensitive data. In fact, there was no evidence that the data could be accessed — or even that the party who took the tapes was aware that they contained sensitive data. This is in stark contrast to a typical data breach fact pattern, in which there is no question that sensitive information was accessed. In breaches like Target, and innumerable others, information is specifically identified and targeted by the actors taking it, and then used for criminal activity. In those cases, there is abundant evidence that the data in question was accessed.

  1. Other Courts Have Found the CGL “Publication” Requirement Satisfied Without Proof of “Access” in the Data Breach Context

Although “access” to data may be required under Connecticut law, courts in other jurisdictions have appropriately determined that the CGL “publication” requirement can be satisfied without proof that data was accessed. In one recent case involving the alleged posting of confidential medical records on the Internet, for example, the Eastern District of Virginia determined that “publication” does not require proof of “access”: [T]he issue is not whether a third party accessed the information because the definition of “publication” does not hinge on third-party access. Publication occurs when information is “placed before the public,” not when a member of the public reads the information placed before it. By Travelers’ logic, a book that is bound and placed on the shelves of Barnes & Noble is not “published” until a customer takes the book off the shelf and reads it.[16]

The bottom line: access to data storage devices alone, including laptops, may suffice to satisfy the “publication” requirement in other jurisdictions — and even in Connecticut under a different set of facts.

  1. Insureds Must Be Prepared to Fight to Secure CGL Coverage

The insurance industry has made it abundantly clear that it does not want to cover “cyber” and data privacy related exposures under CGL policies. Although there is potential valuable coverage under CGL policies, insureds should expect that they will need to fight to secure it. Insurers routinely assert, among other things, that there has been no “publication” of data. The good news is that if insureds decide to fight for coverage, they may well prevail. Many courts have upheld coverage for data breaches and other claims alleging violations of privacy rights in a variety of settings.[17]

  1. Insureds Should Be Aware of New CGL “Data Breach” Exclusions

Insurance Services Office (ISO), the insurance organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[18]   The exclusions became effective in most states in May 2014 and began appearing on new placements and renewals, in various forms, almost immediately.[19] Although it is important to be aware of new, potentially limiting, coverage terms, it also is important to recognize that the applicable policy in a data breach situation — where breaches often are discovered long after the “occurrence” that triggers coverage — may predate the newer exclusions. Where policies do contain the newer exclusions, insureds should not assume that they necessarily void coverage. Coverage will depend on myriad factors, including the particular facts of the case, specific policy language and applicable law.

The very existence of the exclusions, moreover, illustrates the insurance industry’s awareness that there is valuable potential data breach coverage under CGL policies. Indeed, when ISO filed the newer exclusions, it acknowledged that there currently may be data breach coverage for data breaches under CGL policies and advised that the new exclusions may be a “reduction in personal and advertising injury coverage”: “At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent, and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information. . . . To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[20] 

The implication is that the insurance industry understood there was CGL data breach coverage in the absence of the new exclusions.

  1. Organizations Are Advised to Consider Cyber Insurance

Given the insurance industry’s clear indication that it does not want to cover data breaches under CGL policies, organizations are advised to consider purchasing cyber insurance. In addition to providing defense and indemnity coverage in connection with claims arising out of a data breach, among many other types of cybersecurity and data privacy-related exposures, cyber policies generally cover a range of “crisis management” expenses, such as attorney “breach coach” fees, notification to potentially affected individuals, forensics, credit monitoring, call centers, ID theft protection and public relations efforts, which often are required after a breach of any consequence.

Cyber insurance coverage can be extremely valuable, but choosing the right insurance policy presents a real and significant challenge. There is a diverse and growing array of cyber products in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Because of the nature of the cyber insurance and the risks that it is intended to cover, a placement should include the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel, information technology professionals and compliance personnel, among other key internal players — and insurance coverage counsel well-versed in this challenging and dynamic line of coverage.

[1] — A.3d —-, 2015 WL 2371957 (Conn. May 26, 2015), aff’g 83 A.3d 664 (Conn. App. Ct. 2014).

[2] Recall Total, 83 A.3d at 667.

[3] Id.

[4] Id. at 668.

[5] Id.

[6] Id.

[7] Id.

[8] The current standard industry form states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’” which is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a., §14.e.

[9] Recall Total, 83 A.3d at 672.

[10] Id.

[11] Id. at 673.

[12] Id.

[13] Id. at n.9 (emphasis added).

[14] Id. at 672 (emphasis added).

[15] Recall Total, 2015 WL 2371957, at *1.

[16] Travelers Indem. Co. of America v. Portal Healthcare Solutions, LLC, 35 F.Supp.3d 765, 771 (2014).

[17] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527, at *2 (C.D. Cal. Oct. 7, 2013) (upholding coverage in a data breach case for statutory damages of $1,000 per person under the CMIA and statutory damages of as much as $10,000 per person under the California Lanterman-Petris-Short Act under a policy that covered damages that the insured was “legally obligated to pay as damages because of … electronic publication of material that violates a person’s right of privacy”).

[18] One of the exclusionary endorsements, entitled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form CGL primary policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.

CG 21 08 05 14 (2013).

[19] See Roberta Anderson, “Coming To A CGL Policy Near You: Data Breach Exclusions,” Law360, April 23, 2014.

[20] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

5 Steps for Covering Data Breaches

Target’s $19 million settlement with MasterCard[1] underscores very significant sources of potential exposure that often follow a data breach that involves payment cards. Retailers and other organizations that accept those cards are likely to face—in addition to a slew of claims from consumers and investors— claims from financial institutions that seek to recover losses associated with issuing replacement credit and debit cards, among other losses. The financial institution card issuers typically allege, among other things, negligence, breach of data-protection statutes and non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA and Discover, seeking substantial fines, penalties and assessments for purported PCI DSS non-compliance.

These potential sources of liability can eclipse others. While consumer lawsuits often get dismissed for lack of Article III standing,[2] for example, or may settle for relatively modest amounts,[3] the Target financial institution litigation survived a motion to dismiss[4] and involved a relatively high settlement amount as compared with the consumer litigation settlement. So did TJZ’s prior $24 million settlement with card issuers.[5] The current settlement involves only MasterCard,[6] moreover, and the Target financial institution litigation will proceed with any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer. The amended class action in the Target cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”[7]

Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including commercial general liability insurance (CGL), which most companies have in place, and specialty cybersecurity/data privacy insurance.

Here are five steps for securing coverage for data breach and PCI DSS-related liability:

Step 1:            Look to CGL Coverage

                        Coverage A: “Property Damage” Coverage

Payment card issuers typically seek damages because of the necessity to replace cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees and the like. By way of illustration, the amended class action complaint in the Target litigation alleges:

The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts and facing the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.[8]

The litigation further alleges that “plaintiffs and the FI [financial institution] class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”[9]

These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property damage’… caused by an ‘occurrence’”[10] that “occurs during the policy period.”[11] The insurer also has “the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘property damage’ … are alleged.”[12]

Importantly, the key term “property damage” is defined to include not just “physical injury to tangible property” but also “loss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:

  1. “Property damage” means:
  2. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  3. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.

For the purposes of this insurance, electronic data is not tangible property.

In this definition, “electronic data” means information, facts or programs stored as or on, created or used on or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media that are used with electronically controlled equipment.[13]

Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed),[14] the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the amended class action complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards.[15] The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.

These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.[16]

            Coverage B: “Personal and Advertising Injury” Coverage

There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B. Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’”[17] which is “caused by an offense arising out of [the insured’s] business … during the policy period.”[18] Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘personal and advertising injury’ to which this insurance applies are alleged.”[19]

The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “oral or written publication, in any manner, of material that violates a person’s right of privacy.”[20]

Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights.[21] It warrants mention that, although the trial court in the Sony PlayStation data breach litigation recently ruled against coverage, the trial court’s decision — which turned on the court’s finding that, essentially, Coverage B is triggered only by purposeful actions by the insured (Sony) and not by the actions of the third parties who hacked into its network — that decision is currently on appeal to the New York Appellate Division and may soon be reversed. Nowhere in the insuring agreement or its key definition does the CGL policy require any action by the insured. As the coverage’s name “Commercial General Liability” indicates, the coverage does not require intentional action by the insured, as argued by the insurers in the Sony case, but rather is triggered by the insured’s liability, i.e., the insurer commits to pay sums that the insured “becomes legally obligated to pay” that “arise out of” the covered “offenses.” The broad insuring language, moreover, extends to the insured’s liability for publication “in any manner,” i.e., via a hacking attack or otherwise. The cases cited by the insurer in the Sony case are factually inapposite and interpret entirely different policy language. Indeed, Sony’s insurer, Zurich, itself acknowledged in 2009 that CGL policies may provide coverage for data breaches via hacking, which by definition involves third-party actions.[22]

Organizations also should be aware that the Insurance Services Office (ISO), the insurance industry organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[23] ISO acknowledged that there currently is data breach coverage for hacking activities under CGL policies. In particular, ISO stated that the new exclusions may be a “reduction in personal and advertising injury coverage”—the implication being that there is coverage in the absence of the new exclusions.

At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.

To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[24]

Other than the trial court’s decision in the Sony case, no decision has held that an insured must itself publish information to obtain CGL Coverage B coverage, and a number of decisions have appropriately upheld coverage for liability that the insured has resulting from third-party publications.[25]

The bottom line: There may be very significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information and other claims alleging violation of a right to privacy, including claims brought by card issuers.

Step 2:           Look to “Cyber” Coverage

Organizations are increasingly purchasing so-called “cyber” insurance, and a major component of the coverage offered under most “cyber” insurance policies is coverage for the spectrum of issues that an organization typically confronts in the wake of a data breach incident. This usually includes, not only defense and indemnity coverage in connection with consumer litigation and regulatory investigation, but also defense and indemnity coverage in connection with card issuer litigation. By way of example, one specimen policy insuring agreement states that the insurer will “pay … all loss” that the “insured is legally obligated to pay resulting from a claim alleging a security failure or a privacy event.” The key term “privacy event” includes “any failure to protect confidential information,” a term that is broadly defined to include “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords.” “Loss” includes “compensatory damages, judgments, settlements, pre-judgment and post-judgment interest and defense costs.” Litigation brought by card issuers is squarely within the coverage afforded by the insuring agreement and its key definitions.

Importantly, a number of “cyber” insurance policies also expressly cover PCI DSS-related liability. By way of example, the specimen policy quoted above expressly defines covered “loss” to include “amounts payable in connection with a PCI-DSS Assessment,” which is defined as follows:

“PCI-DSS assessment” means any written demand received by an insured from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an “acquiring bank”) for a monetary assessment (including a contractual fine or penalty) in connection with an insured’s non-compliance with PCI Data Security Standards that resulted in a security failure or privacy event.

This can be a very important coverage, given that, as the recent Target settlement illustrates, organizations face substantial liability arising out of the card brand and association claims for fines, penalties and assessments for purported non-compliance with PCI DSS. The payment card brands routinely claim that an organization was not PCI DSS-compliant and that the PCI forensic investigator assigned to investigate compliance routinely determines that the organization was not compliant at the time of a breach. As the payment industry has stated, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”[26]

The bottom line: “Cyber” insurance policies may provide broad, solid coverage for the costs and expenses that organizations may incur in connection with card-issuer litigation and payment brand claims alleging PCI non-compliance.

Step 3:            Look to Other Potential Coverage

It is important not to overlook other types of insurance policies that may respond to cover various types of exposure flowing from a breach. For example, there may be coverage under directors’ and officers’ (D&O) policies, professional liability or errors and omissions (E&O) policies and commercial crime policies. After a data breach, companies are advised to provide prompt notice under all potentially implicated policies, excepting in particular circumstances that may justify refraining to do so, and to carefully evaluate all potentially applicable coverages.

Step 4:            Don’t Take “No” For an Answer

Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny a claim. Indeed, insurers can be expected to argue, as Sony’s insurers argued, that data breaches are not covered under CGL insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage.

If, for example, an insurer reflexively raises the “electronic data” exclusion in response to a claim under CGL Coverage A, which purports to exclude, under the standard form, “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data,”[27] insureds are encouraged to point out that the damages alleged by card issuers for replacing physical cards and for lost interest and transaction fees, etc., resulting from loss of use of those cards, are clearly outside the purview of the exclusion. Likewise, if an insurer raises the standard “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, insureds are encouraged to point out that the exclusion has been narrowly interpreted, does not address common-law claims and has been held inapplicable where the law at issue fashions relief for common law rights.[28]

Importantly, exclusions and other limitations to coverage are construed narrowly against the insurer and in favor of coverage under well-established rules of insurance policy interpretation,[29] and the burden is on the insurer to demonstrate an exclusion’s applicability.[30]

Step 5:            Maximize Cover Across the Entire Insurance Portfolio

Various types of insurance policies may be triggered by a data breach, and the various triggered policies may carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursing coverage in a manner that will maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, remember that defense costs often do not erode CGL policy limits, and structure the coverage strategy accordingly.

When facing a data breach, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before a breach, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure, risk tolerance, sufficiency of their existing insurance coverage and the role of specialized cyber coverage. In considering that coverage, please note that there are many specialty “cyber” products on the market. Although many, if not most, of these policies purport to cover many of the same basic risks, including data breaches and other types of “cyber” and data privacy-related risk, the policies vary dramatically. It is important to carefully review policies for appropriate coverage prior to purchase and, in the event of a claim, to carefully review the scope of all potentially available coverage.

This article was first published in Law360.

 

[1] Target Strikes $19M Deal With MasterCard Over Data Breach, Law360 (April 15, 2015). The settlement is contingent upon at least 90% of the eligible MasterCard issuers accepting their alternative recovery offers by May 20.

[2] See, e.g., No Data Misuse? No Standing For Data Breach Plaintiffs, Law360 (April 24, 2014).

[3] Target Will Pay Consumers $10M To End Data Breach MDL, Law360, New York (March 19, 2015).

[4] See, e.g., Target Loses Bid to KO Banks’ Data Breach Litigation, Law360 (April 15, 2015).

[5] TJX Reaches $24M Deal With MasterCard Issuers, Law360 (April 2, 2008).

[6] The company is reported to be in similar negotiations with Visa.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK) (D. Minn), at ¶ 87 (filed August 1, 2014).

[8] Id., ¶ 2 (emphasis added).

[9] Id., ¶ 86 (emphasis added).

[10] ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a., §1.b.(1).

[11] Id., Section I, Coverage A, §1.b.(2).

[12] Id., Section I, Coverage A, §1.a.; Section V, §18.

[13] ISO Form CG 00 01 04 13 (2012), Section V, §17 (emphasis added).

[14] In the absence of such language, a number of courts have held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” See, e.g., Retail Sys., Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288 (7th Cir. 1983) (California law); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380 (2d Dist. Ct. N.M. May 24, 2000).

[15] See also Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[16] See, e.g., District of Illinois in Travelers Prop. Cas. Co. of America v DISH Network, LLC, 2014 WL 1217668 (C.D, Ill. Mar. 24, 2014); Columbia Cas. Co. v. HIAR Holding, L.L.C., 411 S.W.3d 258 (Mo. 2013).

[17] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[18] Id., Section I, Coverage B, §1.b..

[19] Id.. Section I, Coverage B, §1.a.; Section V, §18.

[20] Id.. Section V, §14.e.

[21] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[22] Zurich, Data security: A growing liability threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589-C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (emphasis added).

[23] These new exclusions became effective in most states last May 2014. One of the exclusionary endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

CG 21 08 05 14 (2013). See also Coming To A CGL Policy Near You: Data Breach Exclusions, Law360 (April 23, 2014).

[24] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

[25] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[26] Visa: Post-breach criticism of PCI standard misplaced (March 20, 2009), available at http://www.computerworld.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced/

[27] CG 00 01 04 13 (2012), Section I, Coverage A, §2.p.

[28] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). For example, in the Corcino case, the court upheld coverage for statutory damages arising out hospital data breach that compromised the confidential medical records of nearly 20,000 patients, notwithstanding an express exclusion for “personal and advertising Injury …. [a]rising out of the violation of a person’s right to privacy created by any state or federal act.” Corcino and numerous other decisions underscore that, notwithstanding a growing prevalence of exclusions purporting to limit coverage for data breach and other privacy related claims, there may yet be valuable privacy and data breach coverage under “traditional” or “legacy” policies that should not be overlooked.

[29] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”).

[30] See, e.g., 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses”).

Another Reason to Consider Cyber Insurance

Here a breach, there a breach, everywhere a data breach.

Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.1 And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks — including data breaches — are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever-increasing threat.”2 The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cellphones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.3 Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and that the average number of breached records was 28,765, for a total of $5.4 milion.4 The study does not “include organizations that had data breaches in excess of 100,000” records,5 although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”6

While some companies carry policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance that may cover cyber risks, including Insurance Services Office (ISO)7 standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the “Personal and Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”8 “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”9 Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations.10 There may also be coverage under the “Bodily Injury and Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”11

As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B:

This insurance does not apply to:

Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

  1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
  2. The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
  3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
  4. Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.12

Insurers have raised this exclusion, among others, in recent privacy-breach cases.13

More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, titled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.14

And the latest: ISO has just filed a number of data-breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage A:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.15

The endorsement also adds the following exclusion to Coverage B: This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit-card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.16

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” and that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”17 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”18 The scope of this exclusion ultimately will be determined by judicial review.

Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. Sony argues that there is data breach coverage because “[t]he MDL Amended Complaint… alleges that plaintiffs suffered the ‘loss of privacy’ as the result of the improper disclosure of their ‘Personal Information’ [which] has been held to constitute ‘material that violates a person’s right of privacy’.”19 However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits “do not assert claims for … ‘personal and advertising injury’.”20 The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy21 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” “Privacy Event”22 includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.23

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation coverage” (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

•     costs associated with post-data breach notification

•     credit-monitoring services

•     forensic investigation to determine cause and scope of a breach

•     public relations efforts and other “crisis management” expenses

  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

Cyber insurance policies offer other types coverages, as well, including media liability coverage (for claims for alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

How to Purchase Cyber Insurance

Cyber insurance can be an extremely valuable asset in an organization’s strategy to address and mitigate cyber security, data privacy and other risks. But selecting and negotiating the right insurance product can present a significant challenge, given, among other things, the lack of standardized policy language and the fact that many “off the shelf” policies do not adequately match the organization’s risk profile. The following five tips will help to facilitate a successful cyber policy placement.

#1. Get a Grasp on Risk Profile and Tolerance

A successful cyber placement is facilitated by having a thorough understanding of an organization’s risk profile, including the scope and type of personally identifiable information and confidential corporate data maintained by the company and the manner in which (and by whom) such data is used, transmitted and stored. A complete understanding of the risk profile also entails evaluation of the organization’s IT infrastructure and practices and assessment of potential threats to the organization’s (and its vendors’) network security. An organization should also consider the pervasiveness and manner of use of unencrypted mobile and other portable devices. There are many other factors that may warrant consideration. An organization should also assess its potential exposure in the event of a data breach or network security incident. When an organization has a grasp on its risk profile, potential exposure and risk tolerance, it is well-positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.

#2. Look at Existing Coverage

The California federal district court’s recent decision in Hartford Casualty Insurance Company v. Corcino & Associates et al. 1 — upholding coverage under a commercial general liability (CGL) policy for a data breach that compromised the confidential medical records of nearly 20,000 patients — underscores that there may be valuable privacy and data breach coverage under “traditional” insurance policies, including under the “Personal And Advertising Injury Liability” (Coverage B) of a typical CGL policy. There may also be valuable coverage for data breach and network security liability and network security failures under an organization’s commercial property, D&O, E&O, professional liability, fiduciary, crime and other coverages.

#3. Purchase Cyber Insurance As Needed

As recently described in Law360,  2 in response to decisions upholding coverage for data breach, privacy, network security and other cyber risks, the insurance industry has added various limitations and exclusions purporting to cut off the “traditional” lines of coverage. By way of example, Insurance Services Office, Inc. (ISO) 3 recently filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information. 4

Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of privacy coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises confidential personally identifiable information. By way of example, the AIG Specialty Risk Protector® specimen policy 5 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” 6 “Privacy Event” includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.7

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation” coverage (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

  • costs associated with post-data breach notification
  • credit monitoring services
  • forensic investigation to determine cause and scope of a breach
  • public relations efforts and other “crisis management” expenses
  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem. 

The sublimits typically associated with remediation coverage warrant careful attention. Cyber insurance policies often offer other types of coverages, including:

  • network security coverage (often in the same coverage grant as the “privacy” coverage discussed above), which generally covers liability arising out of security threats to networks, including, for example, transmission of malicious code and DDoS attacks;
  • media liability coverage, which generally covers liability arising out of, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content;
  • information asset coverage, which generally covers an insured for the cost of recreating, restoring or repairing the insured’s own data or computer systems;
  • network interruption coverage, which generally covers an insured for its lost revenue due to network interruption or disruptions resulting from a DDoS attack, malicious code or other security threats to networks; and
  • extortion coverage, which generally covers an insured for the costs of responding to “e-extortion” threats to prevent a threatened cyber attack.

In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk management services, which can be valuable in preventing as well as mitigating attacks.

#4. Spotlight the “Cloud”

Cyber risk is intensified by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers. The Ponemon Institute’s 2011 Cost of Data Breach Study, published in March 2012, found that more than 41% of U.S. data breaches are caused by third-party errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.” 8 Many “off the shelf” cyber policies, however, purport to limit the scope of coverage to the insured’s own acts and omissions (not the acts and omissions of third parties) and to network security threats to the insured’s own network or computer system — not the networks / computer systems of third parties. This may result in illusory coverage. As recently described in Law360, 9 the recent high-profile attack on the New York Times homepage, during which users who tried to access  www.nytimes.com were directed to a website apparently maintained by a group called the Syrian Electronic Army, may not be covered under many “off the shelf” policies because the attack was not on the New York Times “system” as defined in many policies, but rather on the system of a third-party domain name registrar.

#5. Remember the Cyber Misnomer

Keep in mind that many data breaches are not electronic — they often result from non-electronic sources. Data privacy laws do not distinguish between a breach resulting from a network security failure or a breach on account of stolen paper records from a closet. Neither should a cyber insurance policy. A solid policy will cover non-electronic data, such as paper records. 10 Likewise, a policy should also provide coverage for physical breaches resulting from, for example, the theft of a laptop or loss of a USB drive.

There are many other considerations and points to focus on. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

This article first appeared in FC&S Legal, The National Underwriter Company on October 17, 2013.

1 No. CV 13-3728 GAF (JCx), Minutes (In Chambers) Order Re: Motion To Dismiss (Oct. 7, 2013). The two underlying class action lawsuits alleged that Stanford Hospital and Clinics and the insured, medical consulting firm Corcino & Associates, violated the privacy rights of numerous patients by providing confidential personally identifiable medical information to an individual who posted the information on a public website. In particular, the claimants alleged that “the private, confidential, and sensitive medical and/or psychiatric information of almost 20,000 patients of Stanford’s Emergency Department appeared on a public website and remained publicly available online for almost one full year.” Id. at 2 (quoting the Second Amended Class Action Complaint in Springer, et al. v. Stanford Hosp. and Clinics, et al., No. BC470S22 (Cal. Super. Ct., filed May 12, 2012)). The underlying complaints contained causes of action for violations of the claimants’ constitutional right of privacy, common law privacy rights, the California Confidentiality of Medical Information Act (CMIA) and the California Lanterman Petris Short (LPS) Act. The suits sought, among other things, statutory damages of $1000 per person under CMIA and statutory damages of up to $10,000 per person under LPS.

2See Roberta D. Anderson, ISO's Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider “Cyber” Insurance, Law360 (Sept. 23, 2013).

3ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.

4CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled

equipment.” Id.

5See AIG Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Security and Privacy Coverage Section.

6Id. Section 1. 

7 Id. Section 2.(d). “Security Breach Notice Law” includes “any statute or regulation that requires an entity storing Confidential Information on its Computer System, or any entity that has provided Confidential Information to an Information Holder, to provide notice of any actual or potential unauthorized access by others to Confidential Information stored on such Computer System, including but not limited to, the statute known as California SB 1386 (§1798.82, et. al. of the California Civil Code).” Id. Section 2.(m).

82011 Global Cost Of Data Breach Study, Ponemon Institute LLC, at 6 (Mar. 2012).

9See Lon Berk, Takeaways From Recent Cyberattack On New York Times, Law360 (Sept. 17, 2013)

10  See Richard S. Betterley, The Betterley Report, Cyber/Privacy Insurance Market Survey, at 18 (June 2013).