Tag Archives: commercial general liability

Building Telematics Can Mitigate Risk

Commercial general liability insurers traditionally estimate business risk exposure of similar businesses based on variables like floor area and revenue. Advances in cloud computing and artificial intelligence are combining to offer insurers new, better variables to characterize risk.

Insurers generally understand that liability risk correlates to human presence and movement. A hair salon with twice the foot traffic should present twice the slip-and-fall risk. More expensive haircuts may reflect a business customer’s greater ability to pay but probably do not increase slip-and-fall risk. Indeed, risk should correlate linearly with foot traffic unless (1) traffic is so high that conditions become over-crowded and the risk accelerates, or (2) the building falls unoccupied. Measuring foot traffic and occupancy can also confirm that the insured’s description of its business corresponds to its actual business.

Progressive Insurance introduced new attributes to characterize driving behavior when it pioneered automotive telematics in the late 1990s, an early practice of usage-based insurance (UBI). Rather than insure an automobile based simply on the vehicle’s make/model and age and the driver’s sex and age, insurers could introduce newly observable attributes to better model risk: distance, speed, time of day, etc.

Twenty-five years later, a similar revolution is stirring in building insurance. Advances in cloud computing, artificial intelligence, semiconductors and the internet of things (IoT) make it practical and inexpensive to measure foot traffic and occupancy. Rather than depending on the policyholder to estimate human presence, a process unlikely to deliver numbers that can be compared across businesses, human presence can be measured objectively and continuously. The information will also deliver an actuarial basis for risk assessment over time.

Risk engineers are eminently capable of characterizing variables like floor surface, lighting and door placement. However, variables like occupancy that change continuously are effectively impossible to characterize during an annual visit.

These sensors are not your father’s IoT. Devices that measure temperature, lighting, sound intensity, hailstone size or flood level are all first-generation IoT: they require negligible processing power, either at the edge or in the cloud. The new generation of IoT requires high-performance, low-power edge computing devices to predict risk, not simply measure what is empirically evident.

Some insurers think of IoT data as the new FICO (consumer credit) scores for businesses. If a hotel’s ballrooms are always below the limit set by the fire marshal, that implies hotel management is willing to play by the rules. If restaurants and bars do not overcrowd their spaces, they are less likely to obstruct exits or understaff operations. Attention to the rules implies lower risk…and that business may be one the insurer will want to retain with lower premiums.

Foot traffic and occupancy data should be of value to the business owner as well as the insurer — if for different reasons. A cafeteria may want to use foot traffic data to plan food preparation to minimize food waste. Office tenants can use occupancy data for space planning: Does the business need more, less or different space in the coming year? A restaurant owner might want to compare receipts to foot traffic and customer dwell time to measure the effectiveness of sales staff. Does a business efficiently use its real estate? How does a company compare with its peers? Are there opportunities to use real estate more efficiently?

It is likely that not all policyholders will welcome a technology that measures occupancy — in the same way not all drivers have welcomed technologies that measure driving behavior. Conversely, businesses that welcome the sensors are likely to self-select as attentive to overcrowding… and reflect a lower risk. And once the sensors are in place, reverse moral hazard suggests that insureds will improve their behavior — justifying a discount offered in exchange for accepting the sensors.

Insurers can gain market share by identifying lower-risk properties and offering discounts. Higher-risk properties will see higher premiums and will either need to work with their insurers to reduce risk or will need to find new insurers — probably one that isn’t employing building telematics technology. The outcome of this trend is that overall commercial general liability (CGL) premiums will decline, in part because high-risk properties will be obliged to work to lower their risk profile.

With risk profile information in hand, property insurance may move to the embedded-insurance model, where insurance is provided by the property owner who is equipped to measure occupancy — and risk — in real time. If your staff is at home during a pandemic, premiums drop contractually. If you double the number of staff in a space, premiums rise. More tenants pay a fair price for CGL insurance, and more tenants are suitably insured.

Occupancy and foot traffic will not be the last variables to be quietly but accurately measured by Internet of Things sensors. Other measurable attributes will include the presence of adults versus children; whether persons are running, walking or sitting; and the presence of door mats when it has rained.

As the cost of semiconductors, cloud computing and cellular connectivity continues to decline, sensors will be cheaper to install and manage. At the same time, underwriters and actuaries will be able to accumulate new, invaluable data that more accurately assess risk and reduce the insurance costs of the 75% of customers who, until now, have been subsidizing the other 25% — now that we finally know who’s who.

Key Questions for Vaping Businesses

As vaping becomes increasingly popular across the U.S., more businesses are manufacturing, distributing and selling vaping products, including ones containing or intended for use with CBD or THC. The proliferation of vaping products is likely to lead, before long, to an increase in vaping-related litigation.

As such, vaping-related businesses will want to make sure – before litigation ever occurs – that they have the right insurance in place to respond. Given the variety of terms, conditions and particularly exclusions in commercial general liability (CGL) and product liability insurance policies, businesses cannot simply assume that they have the necessary coverage.

In determining whether it has the needed coverage, a vaping-related business will want to take into account a number of considerations, including:

  • Does its CGL insurance cover product-related claims, or is it necessary to obtain and maintain separate product liability insurance? Some CGL policies may specifically exclude coverage for “Products-Completed Operations.” As a result, such policies may not provide coverage if a consumer is injured by, for example, an exploding vape pen.
  • Is its CGL or product liability insurance written on a claims-made basis, or does it provide occurrence-based coverage? Basically, a claims-made insurance policy provides coverage for a claim made during the policy period, whereas an occurrence-based policy provides coverage for an accident that happens during the policy period (no matter when the claim is ultimately made). Therefore, occurrence-based coverage is generally more valuable to the policyholder, especially when facing risk of long-tail-exposure claims (such as many toxic-tort claims). However, at least for cannabis-related companies, it may be difficult, if not impossible, to purchase an insurance policy covering product claims that is written on an occurrence basis.
  • Does its CGL policy or its product liability policy specifically exclude coverage for vaping-related products or vaping-related injuries? There are different formulations of such exclusions being used by insurers today. For example, at least one insurer includes a complete exclusion for vaping equipment and components, which precludes coverage for “any claim arising out of the use, handling or ownership of vaporizing equipment or any part of the accessories attached or used with the vaporizing equipment including pens, cartridges, mouth pieces, batteries, chargers, coils and any miscellaneous products used with, or attached to, vaporizing equipment.” Another insurer only excludes coverage for claims “resulting from the use, sale or distribution of batteries manufactured by, or which are represented, marketed and/or sold as having been manufactured by” certain specified companies.
  • Do its CGL or product liability policies include other exclusions that may arguably defeat coverage for a vaping-related claim? Such exclusions may include (i) a health hazard exclusion, (ii) a marijuana/cannabis products exclusion and (iii) a carcinogen exclusion.

The insurance considerations only increase if the vaping products at issue include, or are intended for use with, THC (i.e., the chief psychoactive component in marijuana, which remains a Schedule I controlled substance in the U.S.) or even CBD. Because marijuana remains illegal in the U.S., there are still many insurance companies that will not write coverage for a cannabis-related business or agree to cover cannabis-related losses. There are also any number of insurance policy terms, conditions, or exclusions that arguably could defeat coverage for a THC/cannabis-vaping-related claim. As such, as companies that already have CGL or product liability insurance move into the THC vaping space, they should double-check with their insurer(s) and review their policy(ies) to make sure they still would have coverage for any claims arising out of THC vaping. They cannot just expect that the policies they historically have had will cover them in this new line of business.

See also: Legal Marijuana: An Insurance Perspective  

Finally, CBD-related vaping products may raise many of the same concerns. Although the 2018 federal farm bill opened the door for the legal production and sale of hemp and hemp-derived CBD in the U.S., it did not amend the federal Food, Drug, and Cosmetic Act or otherwise legalize the sale of CBD for oral consumption. Accordingly, insurance policy provisions that require compliance with all applicable laws or exclude coverage for illegal acts or substances may arguably still bar coverage for CBD-vaping-related claims.

While many of these considerations will apply to many businesses in the vaping industry, each business is also likely to have its own unique insurance needs and issues, and each business should carefully review its specific coverages.

5 Tips for Success in Cyber Litigation

Many insurance coverage disputes can be, should be and are settled without the need for litigation and its attendant costs and distractions. However, some disputes cannot be settled, and organizations are compelled to resort to courts or other tribunals to obtain the coverage they paid for, or, with increasing frequency, they are pulled into proceedings by insurers seeking to preemptively avoid coverage. As illustrated by CNA’s recently filed coverage action against its insured in Columbia Casualty Company v. Cottage Health System, in which CNA seeks to avoid coverage for a data breach class action lawsuit and related regulatory investigation, cyber insurance coverage litigation is coming. And in the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations regrettably should anticipate that their cyber insurer may deny coverage for a resulting claim against the policy.

Before a claim arises, organizations are encouraged to negotiate and place the best possible coverage to decrease the likelihood of a coverage denial and litigation. In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable, and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

Even where a solid insurance policy is in place, however, and there is a good claim for coverage under the policy language and applicable law, insurers can and do deny coverage. In these and other instances, litigation presents the only method of obtaining or maximizing coverage for a claim.

When facing coverage litigation, organizations are advised to consider the following five strategies for success:

1. Tell a Concise, Compelling Story

In complex insurance coverage litigation, there are many moving parts, and the issues are typically nuanced. It is critical, however, that these complex issues come across to a judge, jury or arbitrator as relatively simple and straightforward. Getting overly caught up in the weeds of policy interpretive and legal issues, particularly at the outset, risks losing the organization’s critical audience and obfuscating a winningly concise, compelling story that is easy to understand, follow and sympathize with. Boiled down to its essence, the story may be—and in this context often is—something as simple as:

“They promised to protect us from a cyber breach if we paid the insurance premium. We paid the premium. They broke their promise.”

2. Place the Story in the Right Context

It is critical to place the story in the proper context because, unfortunately, many insurers in this space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cyber insurance policies, for example, limit the scope of coverage to only the insured’s own acts and omissions, or only to incidents that affect the insured’s network. Others contain broadly worded, open-ended exclusions like the one at issue in the Columbia Casualty case, which insurers may argue, as CNA argues, can vaporize the coverage ostensibly provided under the policy. These types of exclusions invite litigation and, if enforced literally, can be acutely problematic. There are myriad other traps in cyber insurance policies—even more in those that are not carefully negotiated—that may allow insurers to avoid coverage if the language were applied literally.

If the context is carefully framed and explained, however, judges, juries and arbitrators should be inhospitable to the various “gotcha” traps in these policies. Taking the Columbia Casualty case as an example, the insurer, CNA, relies principally upon an exclusion, titled “Failure to Follow Minimum Required Practices.” As quoted by CNA in its complaint, the exclusion purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. In this context, however, given the extreme complexity of cybersecurity and data protection, any insured can reasonably be expected to make mistakes in implementing security. This reality is, in fact, a principal reason for purchasing cyber liability coverage in the first place. Indeed, CNA represents in its marketing materials that the policy at issue in Columbia Casualty offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

“CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.”

It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent and interpretation of the policy terms and conditions, claims handling and other matters of importance depending on the particular circumstances of the coverage action.

3. Secure the Best Potential Venue and Choice of Law

One of the first and most critical decisions that an organization contemplating insurance coverage litigation must make is the appropriate forum for the litigation. This decision, which may be affected by whether the policy contains a forum selection clause, can be critical to potential success. Among other reasons, the choice of forum may have a significant impact on the related choice-of-law issue, which in some cases determines the outcome. Insurance contracts are interpreted according to state law, and the various state courts diverge widely on issues surrounding insurance coverage. Until the governing law applicable to an insurance contract is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. The different interpretations given the same language from one state to the next can mean the difference between a coverage victory and a loss. It is therefore critical to undertake a careful choice-of-law analysis before initiating coverage litigation, selecting a venue or, where the insurer files first, taking a choice-of-law position or deciding whether to challenge the insurer’s selected forum.

4. Consider Bringing in Other Carriers

Often, when there is a cybersecurity, privacy or data protection-related issue, more than one insurance policy may be triggered. For example, a data breach like Target’s may implicate an organization’s cyber insurance, commercial general liability (CGL) insurance and directors’ and officers’ liability insurance. To the extent that insurers on different lines of coverage have denied coverage, it may be beneficial for the organization to have those insurance carriers pointing the finger at each other throughout the insurance coverage proceedings.

A judge, arbitrator or jury may find it offensive if an organization’s CGL insurer is arguing, on the one hand, that a data breach is not covered because of a new exclusion in the CGL policy and the organization’s cyber insurer also is arguing that the breach is not covered under the cyber policy that was purchased to fill the “gap” in coverage created by the CGL policy exclusion. It is also important to carefully consider the best strategy to maximize the potentially available coverage across the insured’s entire insurance portfolio and each triggered policy.

5. Retain Counsel With Cyber Insurance Expertise

Cyber insurance is unlike any other line of coverage. There is no standardization. Each of the hundreds of products in the marketplace has its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Obtaining coverage litigation counsel with substantial cyber insurance expertise will assist an organization on a number of fronts.

Importantly, it will give the organization unique access to compelling arguments based upon the context, history, evolution and intent of this line of insurance product. Likewise, during the discovery phase, coverage counsel with unique knowledge and experience is positioned to ask for and obtain the particular information and evidence that can make or break the case—and will be able to do so in a relatively efficient manner. In addition to creating solid ammunition for trial, effective discovery often leads to successful summary judgment rulings, which, at a minimum, streamline the case in a cost-effective manner and limit the issues that ultimately go to a jury.

Likewise, counsel familiar with all of the many different insurer-drafted forms as they have evolved over time will give the organization key access to arguments based upon both obvious and subtle differences among the many different policy wordings, including the particular language in the organization’s policy. Often in coverage disputes, the multimillion-dollar result comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.

Following these five strategies and refusing to take “no” for an answer will increase the odds of securing valuable coverage.

5 Steps for Covering Data Breaches

Target’s $19 million settlement with MasterCard[1] underscores very significant sources of potential exposure that often follow a data breach that involves payment cards. Retailers and other organizations that accept those cards are likely to face—in addition to a slew of claims from consumers and investors—claims from financial institutions that seek to recover losses associated with issuing replacement credit and debit cards, among other losses. The financial institution card issuers typically allege, among other things, negligence, breach of data-protection statutes and non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA and Discover, seeking substantial fines, penalties and assessments for purported PCI DSS non-compliance.

These potential sources of liability can eclipse others. While consumer lawsuits often get dismissed for lack of Article III standing,[2] for example, or may settle for relatively modest amounts,[3] the Target financial institution litigation survived a motion to dismiss[4] and involved a relatively high settlement amount as compared with the consumer litigation settlement. So did TJX’s prior $24 million settlement with card issuers.[5] The current settlement involves only MasterCard,[6] moreover, and the Target financial institution litigation will proceed with any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer. The amended class action in the Target cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”[7]

Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including commercial general liability insurance (CGL), which most companies have in place, and specialty cybersecurity/data privacy insurance.

Here are five steps for securing coverage for data breach and PCI DSS-related liability:

Step 1: Look to CGL Coverage

Coverage A: “Property Damage” Coverage

Payment card issuers typically seek damages because of the necessity to replace cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees and the like. By way of illustration, the amended class action complaint in the Target litigation alleges:

The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts and facing the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.[8]

The litigation further alleges that “plaintiffs and the FI [financial institution] class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”[9]

These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property damage’… caused by an ‘occurrence’”[10] that “occurs during the policy period.”[11] The insurer also has “the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘property damage’ … are alleged.”[12]

Importantly, the key term “property damage” is defined to include not just “physical injury to tangible property” but also “loss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:

“Property damage” means:
  1. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  2. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.

For the purposes of this insurance, electronic data is not tangible property.

In this definition, “electronic data” means information, facts or programs stored as or on, created or used on or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media that are used with electronically controlled equipment.[13]

Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed),[14] the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the amended class action complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards.[15] The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.

These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.[16]

Coverage B: “Personal and Advertising Injury” Coverage

There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B. Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’”[17] which is “caused by an offense arising out of [the insured’s] business … during the policy period.”[18] Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘personal and advertising injury’ to which this insurance applies are alleged.”[19]

The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “oral or written publication, in any manner, of material that violates a person’s right of privacy.”[20]

Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights.[21] It warrants mention that, although the trial court in the Sony PlayStation data breach litigation recently ruled against coverage, the trial court’s decision — which turned on the court’s finding that, essentially, Coverage B is triggered only by purposeful actions by the insured (Sony) and not by the actions of the third parties who hacked into its network — is currently on appeal to the New York Appellate Division and may soon be reversed. Nowhere in the insuring agreement or its key definition does the CGL policy require any action by the insured. As the coverage’s name “Commercial General Liability” indicates, the coverage does not require intentional action by the insured, as argued by the insurers in the Sony case, but rather is triggered by the insured’s liability, i.e., the insurer commits to pay sums that the insured “becomes legally obligated to pay” that “arise out of” the covered “offenses.” The broad insuring language, moreover, extends to the insured’s liability for publication “in any manner,” i.e., via a hacking attack or otherwise. The cases cited by the insurer in the Sony case are factually inapposite and interpret entirely different policy language. Indeed, Sony’s insurer, Zurich, itself acknowledged in 2009 that CGL policies may provide coverage for data breaches via hacking, which by definition involves third-party actions.[22]

Organizations also should be aware that the Insurance Services Office (ISO), the insurance industry organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[23] ISO acknowledged that there currently is data breach coverage for hacking activities under CGL policies. In particular, ISO stated that the new exclusions may be a “reduction in personal and advertising injury coverage”—the implication being that there is coverage in the absence of the new exclusions.

At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.

To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[24]

Other than the trial court’s decision in the Sony case, no decision has held that an insured must itself publish information to obtain CGL Coverage B coverage, and a number of decisions have appropriately upheld coverage for liability that the insured has resulting from third-party publications.[25]

The bottom line: There may be very significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information and other claims alleging violation of a right to privacy, including claims brought by card issuers.

Step 2: Look to “Cyber” Coverage

Organizations are increasingly purchasing so-called “cyber” insurance, and a major component of the coverage offered under most “cyber” insurance policies is coverage for the spectrum of issues that an organization typically confronts in the wake of a data breach incident. This usually includes, not only defense and indemnity coverage in connection with consumer litigation and regulatory investigation, but also defense and indemnity coverage in connection with card issuer litigation. By way of example, one specimen policy insuring agreement states that the insurer will “pay … all loss” that the “insured is legally obligated to pay resulting from a claim alleging a security failure or a privacy event.” The key term “privacy event” includes “any failure to protect confidential information,” a term that is broadly defined to include “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords.” “Loss” includes “compensatory damages, judgments, settlements, pre-judgment and post-judgment interest and defense costs.” Litigation brought by card issuers is squarely within the coverage afforded by the insuring agreement and its key definitions.

Importantly, a number of “cyber” insurance policies also expressly cover PCI DSS-related liability. By way of example, the specimen policy quoted above expressly defines covered “loss” to include “amounts payable in connection with a PCI-DSS Assessment,” which is defined as follows:

“PCI-DSS assessment” means any written demand received by an insured from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an “acquiring bank”) for a monetary assessment (including a contractual fine or penalty) in connection with an insured’s non-compliance with PCI Data Security Standards that resulted in a security failure or privacy event.

This can be a very important coverage, given that, as the recent Target settlement illustrates, organizations face substantial liability arising out of the card brand and association claims for fines, penalties and assessments for purported non-compliance with PCI DSS. The payment card brands routinely claim that an organization was not PCI DSS-compliant and that the PCI forensic investigator assigned to investigate compliance routinely determines that the organization was not compliant at the time of a breach. As the payment industry has stated, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”[26]

The bottom line: “Cyber” insurance policies may provide broad, solid coverage for the costs and expenses that organizations may incur in connection with card-issuer litigation and payment brand claims alleging PCI non-compliance.

Step 3: Look to Other Potential Coverage

It is important not to overlook other types of insurance policies that may respond to cover various types of exposure flowing from a breach. For example, there may be coverage under directors’ and officers’ (D&O) policies, professional liability or errors and omissions (E&O) policies and commercial crime policies. After a data breach, companies are advised to provide prompt notice under all potentially implicated policies, except in particular circumstances that may justify refraining from doing so, and to carefully evaluate all potentially applicable coverages.

Step 4: Don’t Take “No” For an Answer

Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny a claim. Indeed, insurers can be expected to argue, as Sony’s insurers argued, that data breaches are not covered under CGL insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage.

If, for example, an insurer reflexively raises the “electronic data” exclusion in response to a claim under CGL Coverage A, which purports to exclude, under the standard form, “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data,”[27] insureds are encouraged to point out that the damages alleged by card issuers for replacing physical cards and for lost interest and transaction fees, etc., resulting from loss of use of those cards, are clearly outside the purview of the exclusion. Likewise, if an insurer raises the standard “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, insureds are encouraged to point out that the exclusion has been narrowly interpreted, does not address common-law claims and has been held inapplicable where the law at issue fashions relief for common law rights.[28]

Importantly, exclusions and other limitations to coverage are construed narrowly against the insurer and in favor of coverage under well-established rules of insurance policy interpretation,[29] and the burden is on the insurer to demonstrate an exclusion’s applicability.[30]

Step 5: Maximize Cover Across the Entire Insurance Portfolio

Various types of insurance policies may be triggered by a data breach, and the various triggered policies may carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursuing coverage in a manner that will maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, remember that defense costs often do not erode CGL policy limits, and structure the coverage strategy accordingly.

When facing a data breach, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before a breach, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure, risk tolerance, sufficiency of their existing insurance coverage and the role of specialized cyber coverage. In considering that coverage, please note that there are many specialty “cyber” products on the market. Although many, if not most, of these policies purport to cover many of the same basic risks, including data breaches and other types of “cyber” and data privacy-related risk, the policies vary dramatically. It is important to carefully review policies for appropriate coverage prior to purchase and, in the event of a claim, to carefully review the scope of all potentially available coverage.

This article was first published in Law360.


[1] Target Strikes $19M Deal With MasterCard Over Data Breach, Law360 (April 15, 2015). The settlement is contingent upon at least 90% of the eligible MasterCard issuers accepting their alternative recovery offers by May 20.

[2] See, e.g., No Data Misuse? No Standing For Data Breach Plaintiffs, Law360 (April 24, 2014).

[3] Target Will Pay Consumers $10M To End Data Breach MDL, Law360, New York (March 19, 2015).

[4] See, e.g., Target Loses Bid to KO Banks’ Data Breach Litigation, Law360 (April 15, 2015).

[5] TJX Reaches $24M Deal With MasterCard Issuers, Law360 (April 2, 2008).

[6] The company is reported to be in similar negotiations with Visa.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK) (D. Minn), at ¶ 87 (filed August 1, 2014).

[8] Id., ¶ 2 (emphasis added).

[9] Id., ¶ 86 (emphasis added).

[10] ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a., §1.b.(1).

[11] Id., Section I, Coverage A, §1.b.(2).

[12] Id., Section I, Coverage A, §1.a.; Section V, §18.

[13] ISO Form CG 00 01 04 13 (2012), Section V, §17 (emphasis added).

[14] In the absence of such language, a number of courts have held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” See, e.g., Retail Sys., Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288 (7th Cir. 1983) (California law); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380 (2d Dist. Ct. N.M. May 24, 2000).

[15] See also Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[16] See, e.g., Travelers Prop. Cas. Co. of America v. DISH Network, LLC, 2014 WL 1217668 (C.D. Ill. Mar. 24, 2014); Columbia Cas. Co. v. HIAR Holding, L.L.C., 411 S.W.3d 258 (Mo. 2013).

[17] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[18] Id., Section I, Coverage B, §1.b.

[19] Id., Section I, Coverage B, §1.a.; Section V, §18.

[20] Id., Section V, §14.e.

[21] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[22] Zurich, Data security: A growing liability threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589-C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (emphasis added).

[23] These new exclusions became effective in most states in May 2014. One of the exclusionary endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

CG 21 08 05 14 (2013). See also Coming To A CGL Policy Near You: Data Breach Exclusions, Law360 (April 23, 2014).

[24] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

[25] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[26] Visa: Post-breach criticism of PCI standard misplaced (March 20, 2009), available at http://www.computerworld.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced/

[27] CG 00 01 04 13 (2012), Section I, Coverage A, §2.p.

[28] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). In the Corcino case, the court upheld coverage for statutory damages arising out of a hospital data breach that compromised the confidential medical records of nearly 20,000 patients, notwithstanding an express exclusion for “personal and advertising injury … [a]rising out of the violation of a person’s right to privacy created by any state or federal act.” Corcino and numerous other decisions underscore that, notwithstanding a growing prevalence of exclusions purporting to limit coverage for data breach and other privacy-related claims, there may yet be valuable privacy and data breach coverage under “traditional” or “legacy” policies that should not be overlooked.

[29] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”).

[30] See, e.g., 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses”).

Why Buy Cyber and Privacy Liability…

An industry known for embracing paper and shunning change, the property and casualty insurance market struggles to keep pace with the modern business world, which is full of personally owned mobile and other portable devices, and concepts such as advanced persistent threats (APTs), the Internet of Things and the “cloud.” While insurance companies are known for creating bespoke policies to address new risks not initially contemplated within the confines of traditional property and liability policies (see Y2K, environmental legal liability and employment practices liability), insureds are within their rights to examine how their current programs address 21st-century risks.

If only one of Target, Snapchat, Facebook, Google, Twitter, Yahoo!, Adobe and so on had suffered a serious data breach within the last few months, that would be sufficiently troubling. Yet data breaches have become so ubiquitous that a single week (if not a single day) without one hitting the headlines seems almost strange. By now every organization should appreciate that—no matter how robust and sophisticated its network security is—it remains a vulnerable target for cybersecurity breaches and the host of negative consequences that typically follow, including class action lawsuits (so far, dozens of suits have been filed against Target), substantial breach notification costs, and other “crisis management” expenses, including forensic investigation, credit monitoring, call centers and public relations efforts, as well as potential regulatory investigations, fines and penalties.

This article will briefly look at how an organization’s commercial general liability—specifically, the personal and advertising injury coverage—may currently address privacy risks.

Although there can be substantial overlap between the concepts of cybersecurity, network security liability and privacy, as they typically are understood in the industry, this article will focus purely on privacy risks, or the “unauthorized access, collection, use or disclosure of personal information.” Therefore, we will not be covering those issues related to cyber liability, or “breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification and call center costs.” This article will also not be addressing the recent first-party bodily injury, property damage and business interruption coverage associated with the damage attributable to unauthorized access of operational technology (SCADA systems).

We will first summarize the current industry standard form key coverage grant, definitions and exclusions. We will then discuss the recent Sony decision and the new 2014 industry form exclusionary endorsements targeted at eliminating coverage for data breaches under standard-form CGL coverage.

Current standard-form CGL coverage

The Coverage B “Personal and Advertising Injury Liability” coverage section of the current standard-form Insurance Services Office, Inc. (ISO) CGL policy states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’ which is caused by an offense arising out of [the insured’s] business.” “Personal and advertising injury” is defined in the ISO standard-form policy to include a list of specifically enumerated offenses, which include the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” The policy further states that the insurer “will have the right and duty to defend the insured against any ‘suit.’” CGL Coverage B can thus indemnify and provide a defense against a wide variety of claims, including claims alleging violation of privacy rights, such as data breach cases.

Coverage disputes have generally focused on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies. Courts generally (although certainly not universally) have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging breach of privacy laws and regulations, including, for example, in respect of claims alleging violations of the Telephone Consumer Protection Act (TCPA), claims alleging violations of the Fair Credit Reporting Act (FCRA), claims alleging violations of the Fair and Accurate Credit Transactions Act (FACTA), claims alleging violations of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, claims alleging violations of the California Confidentiality of Medical Information Act (CMIA), and claims alleging violations of the California Lanterman-Petris-Short Act. Courts have found in favor of coverage in data breach cases, although the recent decision in Zurich American Insurance Co. v. Sony Corp. of America et al. highlights the issues that insureds may face in obtaining coverage for data breaches under CGL policies.

Zurich v. Sony

Arguably the most visible legal case surrounding the applicability of the CGL personal and advertising injury coverage to claims alleging data breach came about because of Sony’s massive 2011 PlayStation data breach. Zurich American and Mitsui Sumitomo had issued primary CGL policies to Sony. In April 2011, hackers broke into Sony networks and stole personal and financial information of more than 100 million users.

Sony was named as a defendant in numerous class actions immediately following the breach. Mitsui denied coverage, and Zurich responded by filing a declaratory relief action seeking a declaration that Zurich had no duty to defend.

At issue in the case is whether Sony or the hackers were responsible for the actual “publication” of the personally identifiable information (PII). A New York court recently held that there was no coverage, essentially because it was the perpetrators of the breach who ultimately “published” the private information, rather than Sony itself. Legal experts have argued both in favor of and against the court’s decision, arguing, among other things, that the trigger for the personal and advertising injury coverage must be an affirmative act by Sony or, conversely, that coverage is triggered to the extent Sony has liability.

The case is currently under appeal, and its final decision will potentially be an indicator of how insurers and courts will view data breach coverage under the personal and advertising injury coverage.

In the meantime, however, the decision underscores the difficulties that insureds can face in pursuing data breach coverage under their traditional CGL policies.

Although this endorsement appears to have quietly flown in under the radar, it in reality is even more sweeping than the 2014 data breach exclusionary endorsements because it entirely eliminates coverage in the first instance.


Over the years, the commercial general liability policy has been the proverbial “catch all” for claims subsequently determined to be outside the intent and scope of the underwriters. Past examples have included pollution liability, asbestos, employment practices liability and professional liability. Cyber and privacy liability may well be heading in the same direction. Insurers are stating publicly that this exposure was never contemplated when the policy language was drafted. And, of course, cybersecurity and privacy liability has recently risen to potentially catastrophic levels (e.g., Target). Insurers, therefore, are increasingly seeking to separately insure the risk, subject to separate underwriting criteria.

In the end, before a cybersecurity or privacy incident, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure to cyber and privacy risks, their risk tolerance, the sufficiency of their existing insurance coverage and the potential role of specialized cyber risk coverage.