Tag Archives: E&O

The Costs of Inaction on Encryption

Alarm systems have a long and varied history — from geese in ancient Rome, to noise makers that announced the presence of an intruder, to present-day electronic sensors and lasers. Originally, the creation of alarms was driven by the psychological need all humans have to establish a safe environment for themselves. Today, that same need exists, but it has been extended to include other concerns, such as valued personal possessions, merchandise and intellectual property. In the cyber realm, security is as important as it is in the physical world because people must be able to feel secure in their ability to store sensitive, high-value data. Without that sense of security, the cyber realm would lose almost all of its relevance.

Cybersecurity is established by various hardware and software components, but none of the components are more essential than strong encryption. It is such encryption that keeps bank transactions, online purchases and email accounts safe. However, there is a disturbing worldwide governmental trend to weaken encryption, which was exemplified in the legal disagreement earlier this year between Apple and the U.S. government. While there are definite aspects of the dispute that fall outside of the professional insurance sphere, there is an undeniable part of the battle for strong encryption that the professional insurance sector must not fail to acknowledge and address. The outcome of this struggle will be felt well into the 22nd century, and, perhaps, at least in the business arena, the outcome will be borne most keenly by cyber liability and technology E&O insurers.

With global attempts to reduce the effectiveness of encryption, no insurer can claim it lacks a part in the effort for resilient and ever-evolving encryption and cybersecurity measures. The Chinese government is not a supporter of privacy, and it has even hacked Google’s Gmail service and the Dalai Lama’s email account to gain access to information it has deemed disruptive. It also has been stepping up its “investigations” into products produced by U.S-based technology companies. Furthermore, after both the 2015 attack in Paris and the 2016 attack in Brussels, the debate regarding whether encryption should be allowed was re-ignited in Europe and the U.K. Recently, the French, Hungarian and British governments have made various attempts at weakening or removing encryption. Therefore, with this global challenge facing insurers, they are required to be completely aware of what is at risk for them, and they must help pave a path forward that endeavors to balance profitability of products (like cyber liability and technology E&O) with the protection those products should afford any insured.

See also: Best Practices in Cyber Security

Apple, perhaps, serves as the best example of how governmental interference with cybersecurity is an issue that requires direct and immediate intervention from insurers. There are thousands of businesses around the world that rely on the iPhone and iPad for productivity purposes — and almost all of those businesses also rely on the security that those devices provide, both from a hardware and a software standpoint. Recently, the U.S. government attempted to force Apple, in different judicial battles, to write code that will allow the government to have a master key to access the data of any iPhone. However, the U.S government is also pursuing a legislative avenue to pass a law that will force U.S. companies to give the U.S. government unfettered retrieval of any data on which it sets its sight.

To provide such access would almost always require companies to write software code that is purposefully compromised from a security standpoint. It would be extremely unwise for professional insurance companies to assume this disagreement is only between the technology sector and world governments because, if there is an outcome favorable for the U.S. government, it will have direct and immediately negative effects on insurers that offer cyber liability and technology E&O insurance in the U.S., and it will set a dangerous precedent that will embolden other governments to justify similar breaches that will allow them to acquire what should be secure data.

From a cyber liability standpoint, any vulnerability in software code gives hackers another way to compromise a victim’s computers and network. If a company like Apple (which has thousands of businesses depending on it to keep them safe) has to create a master key, then all of the businesses that use Apple products will be vulnerable to attack. The U.S. government has a long history of being unable to keep its own data safe, which means, in time, hackers will be able to figure out what entrance point was created and then exploit it. The most worrisome entities that might access the backdoor would be non-democratic nation-states because they have the most to gain from exploiting any vulnerabilities in U.S-based companies. However, such companies are not the only ones who use products produced by Apple, which means companies located anywhere would also be vulnerable. Additionally, if world governments put restraints on encryption to make it illegal or to limit the ways data can be encoded then, again, that gives power to those entities that would exploit weak encipherment to the detriment of the private sector.

From a technology E&O standpoint, any request by the U.S. government to weaken products produced by an insured creates a breach of contract, which will hurt claims made against technology E&O policies. If Foxconn, which builds the iPhone for Apple, was forced to alter firmware used in the iPhone to allow at least one software flaw, then Apple could sue Foxconn for a breach of contract were Apple to learn of Foxconn obeying a government order to create a security bypass in the firmware code. Worse yet would be a company like FireEye being forced to reduce the effectiveness of its virtual execution engines that are at the heart of its malware analysis appliances. FireEye, and other cyber security companies, are what often stand between a hacker and its victim. Should a cybersecurity company ever be forced to obey a government order, little would stand between a hacker and its potential victims. Moreover, all of the companies that depend on the products of a cybersecurity company would also be in a position to bring claims against the insured organization, which would certainly be detrimental to technology E&O insurers.

To defend itself and its products from government interference, Apple is implementing a security feature that removes its ability to bypass the iPhone’s security. While such method works from a simplicity standpoint, it will not work for a majority of technology companies, with cybersecurity and cloud providers being two examples of where such a solution would not work. Additionally, if a law were passed that forced a company by way of a court order, for example, to decrypt information on its products, then the company so ordered would be put into a bind. Cyber liability and technology E&O insurers could also add exclusions to policies that would void insurance contracts if an insured organization complied with a governmental request to create a backdoor.

However, it would be extremely difficult for an insurer to prove the backdoor was created deliberately, and, ultimately, such exclusions would be ethically ambiguous given they would punish an insured firm for obeying the rule of law. Companies could also contest each governmental request, assuming no law makes it illegal to deny a government request, but not all companies have the time or financial resources with which to fight a government. The only reasonable avenue to rein in disruptive governmental orders, then, is for insurers, technology companies and others to unite and block any legislative attempt to pass a law that would force any technology company to create a security gap. Moreover, the resistance movement will also need to fight against any attempt to weaken or make illegal any type of encryption.

See also: Paradigm Shift on Cyber Security

Currently, the relationship that exists between the insurance and technology sectors is that of provider and client, but that relationship must now evolve into a partnership. The technology sector cannot afford to go without cyber liability and technology E&O insurance because almost every company needs to offset technological risk now that we are in a globally connected and highly litigious age. Insurers also need to continue offering cyber liability and technology E&O policies because they have the clout and financial strength to help protect companies — especially small- and medium-sized ones — from an ever-changing technological landscape. Then, too, whichever insurer develops a realistic understanding of the intersection of risk and technology will be in a position to enrich itself.

The path forward, then, is to create a coalition whose first goal would be to stay on top of both pending and current judicial cases and bills being drafted or voted on in any legislature worldwide that would degrade the security strength of any member’s product. The U.S. government has recently tried to force Apple to create a master key to one of its product lines, and there is no reason to believe that it will not force other companies (like cloud providers) to build similar backdoors into their products. To work against such actions, the coalition might be composed of two representatives from each sector’s main representative organization. For instance, for the professional insurance sector that would be PLUS, and for technology companies that would be IEEE.

Furthermore, the coalition might also be composed of members from automotive manufacturers, educators and telecommunication firms. The coalition’s protective approach, then, would be to identify cases or bills and then attempt to bring all resources forward to eliminate or mitigate the offending threat. A recent example on the judicial side of a case that would have been a threat to the putative coalition was the Apple vs. the U.S. government in Central District of California, Eastern Division. A current example of a legislative threat to the coalition is the Burr-Feinstein Anti-Encryption draft that seeks to allow courts to order a company to decrypt information it has encoded, like the way the iPhone protects a user’s data.

In a judicial case, the main measure could be filing amicus curiae briefs on the part of the aggrieved organization, but another measure might be ensuring the defendant is crafting the most reasonably persuasive anti-governmental interference arguments and appealing unfavorable rulings. On the legislative front, measures might include lobbyists but, more importantly, ought to involve the unity achieved by the existence of the coalition, working with an organization like the EFF and even creating public relation campaigns to appeal to the support of the world populace. In the rare instances when a government attempts to work with the private sector to understand the concerns that it has — for instance, as the U.S. government is trying to do with the proposed “Digital Security Commission” — then the coalition would need to support such efforts as much as possible.

It is true that the coalition’s efforts in countries like China and Russia might be limited, and they will be also be limited when a country feels that a criminal act, like terrorism, is better dealt with by eroding encryption and cybersecurity measures. In an instance concerning China, insurers could consider increasing the amount of re-insurance that they purchase on their cyber liability and technology E&O portfolios to offset the damage from increased claims. Insurers will also need to be extremely cautious when providing cyber liability and technology E&O coverage to organizations that have close relationships with non-democratic governments (like the Chinese government) or ones that produce products that have a high likelihood of being the result of IP theft, such as any mid- to high-end binary processor.

The pursuit of the best encryption and cybersecurity measures needs to be unencumbered by the efforts of any government, just as alarm systems have been free to evolve over the past two or three millennia. This can only be achieved, though, through the unified actions and vigilance of a coalition. Encryption and resilient cybersecurity frameworks are the essential and irreplaceable elements in a safely connected world. To limit, in any way, the efforts to perfect those elements or to purposefully reduce their effectiveness is irresponsible regardless of whether the reason is national security or the pursuit of breaking a criminal enterprise. Lloyds, and other organizations involved with cyber liability and technology E&O insurance, see a future where insurers are able to achieve healthy profits off those two products. However, if insurers do not responsibly oppose governmental attacks on encryption and cybersecurity, that profitable future will give way to a future of excessive claims, damaging losses and very little profit.

5 Steps for Covering Data Breaches

Target’s $19 million settlement with MasterCard[1] underscores very significant sources of potential exposure that often follow a data breach that involves payment cards. Retailers and other organizations that accept those cards are likely to face—in addition to a slew of claims from consumers and investors— claims from financial institutions that seek to recover losses associated with issuing replacement credit and debit cards, among other losses. The financial institution card issuers typically allege, among other things, negligence, breach of data-protection statutes and non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA and Discover, seeking substantial fines, penalties and assessments for purported PCI DSS non-compliance.

These potential sources of liability can eclipse others. While consumer lawsuits often get dismissed for lack of Article III standing,[2] for example, or may settle for relatively modest amounts,[3] the Target financial institution litigation survived a motion to dismiss[4] and involved a relatively high settlement amount as compared with the consumer litigation settlement. So did TJZ’s prior $24 million settlement with card issuers.[5] The current settlement involves only MasterCard,[6] moreover, and the Target financial institution litigation will proceed with any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer. The amended class action in the Target cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”[7]

Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including commercial general liability insurance (CGL), which most companies have in place, and specialty cybersecurity/data privacy insurance.

Here are five steps for securing coverage for data breach and PCI DSS-related liability:

Step 1:            Look to CGL Coverage

                        Coverage A: “Property Damage” Coverage

Payment card issuers typically seek damages because of the necessity to replace cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees and the like. By way of illustration, the amended class action complaint in the Target litigation alleges:

The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts and facing the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.[8]

The litigation further alleges that “plaintiffs and the FI [financial institution] class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”[9]

These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property damage’… caused by an ‘occurrence’”[10] that “occurs during the policy period.”[11] The insurer also has “the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘property damage’ … are alleged.”[12]

Importantly, the key term “property damage” is defined to include not just “physical injury to tangible property” but also “loss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:

  1. “Property damage” means:
  2. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  3. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.

For the purposes of this insurance, electronic data is not tangible property.

In this definition, “electronic data” means information, facts or programs stored as or on, created or used on or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media that are used with electronically controlled equipment.[13]

Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed),[14] the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the amended class action complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards.[15] The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.

These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.[16]

            Coverage B: “Personal and Advertising Injury” Coverage

There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B. Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’”[17] which is “caused by an offense arising out of [the insured’s] business … during the policy period.”[18] Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘personal and advertising injury’ to which this insurance applies are alleged.”[19]

The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “oral or written publication, in any manner, of material that violates a person’s right of privacy.”[20]

Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights.[21] It warrants mention that, although the trial court in the Sony PlayStation data breach litigation recently ruled against coverage, the trial court’s decision — which turned on the court’s finding that, essentially, Coverage B is triggered only by purposeful actions by the insured (Sony) and not by the actions of the third parties who hacked into its network — that decision is currently on appeal to the New York Appellate Division and may soon be reversed. Nowhere in the insuring agreement or its key definition does the CGL policy require any action by the insured. As the coverage’s name “Commercial General Liability” indicates, the coverage does not require intentional action by the insured, as argued by the insurers in the Sony case, but rather is triggered by the insured’s liability, i.e., the insurer commits to pay sums that the insured “becomes legally obligated to pay” that “arise out of” the covered “offenses.” The broad insuring language, moreover, extends to the insured’s liability for publication “in any manner,” i.e., via a hacking attack or otherwise. The cases cited by the insurer in the Sony case are factually inapposite and interpret entirely different policy language. Indeed, Sony’s insurer, Zurich, itself acknowledged in 2009 that CGL policies may provide coverage for data breaches via hacking, which by definition involves third-party actions.[22]

Organizations also should be aware that the Insurance Services Office (ISO), the insurance industry organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[23] ISO acknowledged that there currently is data breach coverage for hacking activities under CGL policies. In particular, ISO stated that the new exclusions may be a “reduction in personal and advertising injury coverage”—the implication being that there is coverage in the absence of the new exclusions.

At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.

To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[24]

Other than the trial court’s decision in the Sony case, no decision has held that an insured must itself publish information to obtain CGL Coverage B coverage, and a number of decisions have appropriately upheld coverage for liability that the insured has resulting from third-party publications.[25]

The bottom line: There may be very significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information and other claims alleging violation of a right to privacy, including claims brought by card issuers.

Step 2:           Look to “Cyber” Coverage

Organizations are increasingly purchasing so-called “cyber” insurance, and a major component of the coverage offered under most “cyber” insurance policies is coverage for the spectrum of issues that an organization typically confronts in the wake of a data breach incident. This usually includes, not only defense and indemnity coverage in connection with consumer litigation and regulatory investigation, but also defense and indemnity coverage in connection with card issuer litigation. By way of example, one specimen policy insuring agreement states that the insurer will “pay … all loss” that the “insured is legally obligated to pay resulting from a claim alleging a security failure or a privacy event.” The key term “privacy event” includes “any failure to protect confidential information,” a term that is broadly defined to include “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords.” “Loss” includes “compensatory damages, judgments, settlements, pre-judgment and post-judgment interest and defense costs.” Litigation brought by card issuers is squarely within the coverage afforded by the insuring agreement and its key definitions.

Importantly, a number of “cyber” insurance policies also expressly cover PCI DSS-related liability. By way of example, the specimen policy quoted above expressly defines covered “loss” to include “amounts payable in connection with a PCI-DSS Assessment,” which is defined as follows:

“PCI-DSS assessment” means any written demand received by an insured from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an “acquiring bank”) for a monetary assessment (including a contractual fine or penalty) in connection with an insured’s non-compliance with PCI Data Security Standards that resulted in a security failure or privacy event.

This can be a very important coverage, given that, as the recent Target settlement illustrates, organizations face substantial liability arising out of the card brand and association claims for fines, penalties and assessments for purported non-compliance with PCI DSS. The payment card brands routinely claim that an organization was not PCI DSS-compliant and that the PCI forensic investigator assigned to investigate compliance routinely determines that the organization was not compliant at the time of a breach. As the payment industry has stated, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”[26]

The bottom line: “Cyber” insurance policies may provide broad, solid coverage for the costs and expenses that organizations may incur in connection with card-issuer litigation and payment brand claims alleging PCI non-compliance.

Step 3:            Look to Other Potential Coverage

It is important not to overlook other types of insurance policies that may respond to cover various types of exposure flowing from a breach. For example, there may be coverage under directors’ and officers’ (D&O) policies, professional liability or errors and omissions (E&O) policies and commercial crime policies. After a data breach, companies are advised to provide prompt notice under all potentially implicated policies, excepting in particular circumstances that may justify refraining to do so, and to carefully evaluate all potentially applicable coverages.

Step 4:            Don’t Take “No” For an Answer

Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny a claim. Indeed, insurers can be expected to argue, as Sony’s insurers argued, that data breaches are not covered under CGL insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage.

If, for example, an insurer reflexively raises the “electronic data” exclusion in response to a claim under CGL Coverage A, which purports to exclude, under the standard form, “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data,”[27] insureds are encouraged to point out that the damages alleged by card issuers for replacing physical cards and for lost interest and transaction fees, etc., resulting from loss of use of those cards, are clearly outside the purview of the exclusion. Likewise, if an insurer raises the standard “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, insureds are encouraged to point out that the exclusion has been narrowly interpreted, does not address common-law claims and has been held inapplicable where the law at issue fashions relief for common law rights.[28]

Importantly, exclusions and other limitations to coverage are construed narrowly against the insurer and in favor of coverage under well-established rules of insurance policy interpretation,[29] and the burden is on the insurer to demonstrate an exclusion’s applicability.[30]

Step 5:            Maximize Cover Across the Entire Insurance Portfolio

Various types of insurance policies may be triggered by a data breach, and the various triggered policies may carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursing coverage in a manner that will maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, remember that defense costs often do not erode CGL policy limits, and structure the coverage strategy accordingly.

When facing a data breach, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before a breach, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure, risk tolerance, sufficiency of their existing insurance coverage and the role of specialized cyber coverage. In considering that coverage, please note that there are many specialty “cyber” products on the market. Although many, if not most, of these policies purport to cover many of the same basic risks, including data breaches and other types of “cyber” and data privacy-related risk, the policies vary dramatically. It is important to carefully review policies for appropriate coverage prior to purchase and, in the event of a claim, to carefully review the scope of all potentially available coverage.

This article was first published in Law360.

 

[1] Target Strikes $19M Deal With MasterCard Over Data Breach, Law360 (April 15, 2015). The settlement is contingent upon at least 90% of the eligible MasterCard issuers accepting their alternative recovery offers by May 20.

[2] See, e.g., No Data Misuse? No Standing For Data Breach Plaintiffs, Law360 (April 24, 2014).

[3] Target Will Pay Consumers $10M To End Data Breach MDL, Law360, New York (March 19, 2015).

[4] See, e.g., Target Loses Bid to KO Banks’ Data Breach Litigation, Law360 (April 15, 2015).

[5] TJX Reaches $24M Deal With MasterCard Issuers, Law360 (April 2, 2008).

[6] The company is reported to be in similar negotiations with Visa.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK) (D. Minn), at ¶ 87 (filed August 1, 2014).

[8] Id., ¶ 2 (emphasis added).

[9] Id., ¶ 86 (emphasis added).

[10] ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a., §1.b.(1).

[11] Id., Section I, Coverage A, §1.b.(2).

[12] Id., Section I, Coverage A, §1.a.; Section V, §18.

[13] ISO Form CG 00 01 04 13 (2012), Section V, §17 (emphasis added).

[14] In the absence of such language, a number of courts have held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” See, e.g., Retail Sys., Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288 (7th Cir. 1983) (California law); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380 (2d Dist. Ct. N.M. May 24, 2000).

[15] See also Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[16] See, e.g., District of Illinois in Travelers Prop. Cas. Co. of America v DISH Network, LLC, 2014 WL 1217668 (C.D, Ill. Mar. 24, 2014); Columbia Cas. Co. v. HIAR Holding, L.L.C., 411 S.W.3d 258 (Mo. 2013).

[17] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[18] Id., Section I, Coverage B, §1.b..

[19] Id.. Section I, Coverage B, §1.a.; Section V, §18.

[20] Id.. Section V, §14.e.

[21] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[22] Zurich, Data security: A growing liability threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589-C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (emphasis added).

[23] These new exclusions became effective in most states last May 2014. One of the exclusionary endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

CG 21 08 05 14 (2013). See also Coming To A CGL Policy Near You: Data Breach Exclusions, Law360 (April 23, 2014).

[24] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

[25] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[26] Visa: Post-breach criticism of PCI standard misplaced (March 20, 2009), available at http://www.computerworld.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced/

[27] CG 00 01 04 13 (2012), Section I, Coverage A, §2.p.

[28] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). For example, in the Corcino case, the court upheld coverage for statutory damages arising out hospital data breach that compromised the confidential medical records of nearly 20,000 patients, notwithstanding an express exclusion for “personal and advertising Injury …. [a]rising out of the violation of a person’s right to privacy created by any state or federal act.” Corcino and numerous other decisions underscore that, notwithstanding a growing prevalence of exclusions purporting to limit coverage for data breach and other privacy related claims, there may yet be valuable privacy and data breach coverage under “traditional” or “legacy” policies that should not be overlooked.

[29] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”).

[30] See, e.g., 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses”).