Tag Archives: personal injury coverage

Why Buy Cyber and Privacy Liability. . .

An industry known for embracing paper and shunning change, the property and casualty insurance market struggles to keep pace with the modern business world, which is full of personally owned mobile and other portable devices, and concepts such as advanced persistent threats (APTs), the Internet of Thingsand the “cloud.” While insurance companies are known for creating bespoke policies to address new risks not initially contemplated within the confines of traditional property and liability policies (see Y2K, environmental legal liability and employment practices liability), insureds are within their right to see how those current programs address 21st-century risks.

If only one of Target, Snapchat, Facebook, Google, Twitter, Yahoo! Adobe and so on and so forth had suffered a serious data breach within the last few months, that would be sufficiently troubling. Yet data breaches have become so ubiquitous that a single week (if not days) without one hitting the headlines seems almost strange. By now every organization should appreciate that—no matter how robust and sophisticated its network security is—it remains a vulnerable target for cybersecurity breaches and the host of negative consequences that typically follow, including class action lawsuits (so far, dozens of suits have been filed against Target), substantial breach notification costs, and other “crisis management” expenses, including forensic investigation, credit monitoring, call centers and public relations efforts, as well as potential regulatory investigations, fines and penalties.

This article will briefly look at how an organization’s commercial general liability—specifically, the personal and advertising injury coverage—may currently address privacy risks.

Although there can be substantial overlap between the concepts of cybersecurity, network security liability and privacy, as they typically are understood in the industry, this article will focus on those risks associated purely with privacy risks, or the “unauthorized access, collection, use or disclosure of personal information.” Therefore, we will not be covering those issues related to cyber liability, or “breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification and call center costs.” This article will also not be addressing the recent first-party bodily injury, property damage and business interruption coverage associated with the damage attributable to unauthorized access of operational technology (SCADA systems).

We will first summarize the current industry standard form key coverage grant, definitions and exclusions. We will then discuss the recent Sony decision and the new 2014 industry form exclusionary endorsements targeted at eliminating coverage for data breaches under standard-form CGL coverage.

Current standard-form CGL coverage

The Coverage B “Personal and Advertising Injury Liability” coverage section of the current standard-form Insurance Services Office, Inc. (ISO) CGL policy states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’ which is caused by an Id. §1.b.offense arising out of [the insured’s] business.” “Personal and advertising injury” is defined in the ISO standard-form policy to include a list of specifically enumerated offenses, which include the “offense” of ‘[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.’” The policy further states that the insurer “will have the right and duty to defend the insured against any ‘suit.’” The CGL Coverage B can indemnify and provide a defense against a wide variety of claims, including claims alleging violation of privacy rights, such as data breach cases.

Coverage disputes have generally focused on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies. Courts generally (although certainly not universally) have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging breach of privacy laws and regulations, including, for example, in respect of claims alleging violations of the Telephone Consumer Protection Act (TCPA), claims alleging violations of the Fair Credit Reporting Act (FCRA), claims alleging violations of the Fair and Accurate Credit Transactions Act (FACTA), claims alleging violations of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, claims alleging violations of the California Confidentiality of Medical Information Act (CMIA), and claims alleging violations of the California Lanterman-Petris-Short Act. Courts have found in favor of coverage in data breach cases, although the recent decision in Zurich American Insurance Co. v. Sony Corp. of America et al. highlights the issues that insureds may face in obtaining coverage for data breaches under CGL policies.

Zurich v. Sony

Arguably the most visible legal case surrounding the applicability of the CGL personal and advertising injury coverage to claims alleging data breach came about because of Sony’s massive 2011 PlayStation data breach. Zurich American and Mitsui Sumitomo had issued primary CGL policies to Sony. In April 2011, hackers broke into Sony networks and stole personal and financial information of more than 100 million users.

Sony was named as a defendant in numerous class actions immediately following the breach. Mitsui denied coverage, and Zurich responded by filing a declaratory relief action seeking a declaration that Zurich had no duty to defend.

At issue in the case is whether Sony or the hackers were responsible for the actual “publication” of the personally identifiable information (PII). A New York court recently held that there was no coverage, essentially because it was the perpetrators of the breach who ultimately “published” the private information, rather than Sony itself. Legal experts have argued both in favor of and against the court’s decision, arguing, among other things, that the trigger for the personal and advertising injury coverage must be an affirmative act by Sony or, conversely, that coverage is triggered to the extent Sony has liability.

The case is currently under appeal, and its final decision will potentially be an indicator of how insurers and courts will view data breach coverage under the personal and advertising injury coverage.

In the meantime, however, the decision underscores the difficulties that insureds can face in pursing data breach coverage under their traditional CGL policies.

Although this endorsement appears to have quietly flown in under the radar, it in reality is even more sweeping than the 2014 data breach exclusionary endorsements because it entirely eliminates coverage in the first instance.

Conclusion

Over the years, the commercial general liability policy has been the proverbial “catch all” for claims subsequently determined to be outside the intent and scope of the underwriters. Past examples have included pollution liability, asbestos, employment practices liability and professional liability. Cyber and privacy liability may well be heading in the same direction. Insurers are stating publicly that this exposure was never contemplated when the policy language was drafted. And, of course, cybersecurity and privacy liability has recently risen to potentially catastrophic levels of potential liability (e.g., Target). Insurers, therefore, are increasingly seeking to separately insure the risk, subject to separate underwriting criteria.

In the end, before a cybersecurity or privacy incident, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure to cyber and privacy risks, their risk tolerance, the sufficiency of their existing insurance coverage and the potential role of specialized cyber risk coverage.

The Insurance Implications of Social Networking Websites, Part 3

This is the third part of a six part series of articles discussing insurance coverage for claims that can be brought against individuals or companies because of the use of Social Media websites. Earlier articles in this series can be found here: Part 1 and Part 2. This article discusses coverages potentially triggered under Coverage A – Bodily Injury.

Bodily Injury Coverage
Even if the policy contains a personal injury coverage part (as discussed in part 2 of this series), analysis should still be made whether the policy provides coverage under the bodily injury coverage part. Oftentimes, this is dependent on the policy’s definition of “bodily injury” and “occurrence.”

Does The Defamatory Comment/Posting Made On A Blog/Website Constitute An Occurrence?
In order to trigger coverage under the policy’s insuring agreement there must be a defined “occurrence” that results in defined “bodily injury” during the policy period. Policies typically define “occurrence” as an “accident, including continuous or repeated exposure to substantially the same general harmful conditions” which results in bodily injury. Most jurisdictions hold that it is the insured’s standpoint that controls in determining whether there has been an “occurrence” that triggers the duty to defend under the policy. A majority of jurisdictions have held that an accident is “an unexpected, unforeseen, or undesigned happening or consequence from either a known or an unknown cause.” A deliberate act, therefore, is not an accident.

If the defendant publishes an internet posting that referred to the plaintiff in a derogatory manner, e.g., accusing the person of being a pedophile, then this is a deliberate act which does not constitute an occurrence as defined by the policy. Stellar v. State Farm General Ins. Co., 157 Cal. App. 4th 1498, 69 Cal. Rptr.3d 350 (Cal. App. 2007). Some jurisdictions have held that the very nature of defamation precludes the conclusion that it can occur “accidentally.” See, e.g., Uhrich v. State Farm Fire & Cas. Co., 109 Cal.App.4th 598, 135 Cal.Rptr.2d 131 (Cal. App. 2003); Rogers v. Allstate Ins. Co., 938 So.2d 871, 876 (Miss. App. 2006); Iafallo v. Nationwide Mut. Fire Ins. Co., 299 A.D.2d 925, 926, 750 N.Y.S.2d 386, 388 (N.Y. App. Div. 2002). Some jurisdictions, however, recognize negligent defamation and, therefore, there may be an occurrence triggering coverage. Cincinnati Ins. Co. v. Eastern Atlantic Ins. Co., 260 F.3d 742 (7th Cir. 2001); cf., Baumann v. Elliott, 704 N.W.2d 361 (Wis. App. 2005) (finding no occurrence because complaint did not allege a negligent defamation); Farmers Ins. Exchange v. Hallaway, 564 F.Supp.2d 1047 (D. Minn. 2008) (reversing summary judgment and holding that there may be personal injury coverage because underlying lawsuit alleged negligent defamation and intent to injure had not been decided).

There are, obviously, certain factual situations that may at first blush appear to be intentional, but, upon further, investigation, may constitute an occurrence triggering coverage. For example, an individual intends on posting a defamatory comment on Facebook, spends time typing out the comment, but later decides against posting the comment, but accidentally hits “share” rather than “cancel” and so the item is accidentally posted on Facebook against the user’s wishes. Although the individual may have originally intended to post a defamatory comment, at the moment the comment was indeed posted, the individual did not have that intention. This may constitute an “occurrence” triggering coverage.

Similarly, an individual may have intended to respond to a message on Facebook with defamatory or libelous remarks, but rather than clicking the “reply” button, the individually mistakenly clicked the “reply all” button and, consequently, the message is sent to everyone on the list, rather than just the individual that the user originally intended.

Another example includes attaching a video or picture to a social media website. The individual may have intended to attach file A, but when selecting the file, the individual selected file B, which contained a picture/video of a person in a compromising position such that the individual’s privacy is invaded.

These are a few examples where the claim or complaint may allege conduct that may at first blush appear intentional, but the true facts may reveal that coverage is triggered. Further investigation may be needed to determine coverage.

Does The Emotional Distress Or Other Alleged Damages Resulting From The Defamation Constitute Bodily Injury?
“Bodily injury” is typically defined in a policy as “bodily injury, sickness or disease sustained by a person, including required care, loss of service and death that results.” Courts have held that “bodily injury” encompasses only physical injury and its consequences and does not include emotional distress in the absence of physical injury. Waller v. Truck Ins. Exchange, Inc., 11 Cal.4th 1, 44 Cal.Rptr.2d 370, 900 P.2d 619 (1995); Nguyen v. State Farm Lloyds, Inc., 947 S.W.2d 320, 323 (Tex. Ct. App. 1997); Wiard v. State Farm Mutual Auto Ins. Co., 132 N.M. 470, 50 P.3d 565 (N.M. Ct. App. 2000). Thus, pure emotional distress does not constitute “bodily injury” for purposes of a policy unless there is specific policy language providing coverage for pure emotional injuries.

Because most social media claims do not involve direct physical contact, there is generally no “bodily injury” triggering coverage in the traditional sense. However, physical manifestations of emotional distress may be covered by the policy even if there was no direct physical contact with the claimant. This may include loss of hair, loss of weight, exacerbation of existing illnesses like Crohn’s disease, etc. If the claimant alleges such physical manifestations resulting from social media torts, then there may be qualifying “bodily injury” as defined by the policy.

Hopefully, this article makes the reader aware that social media torts may not only trigger coverage under the typical personal and advertising injury provided under Coverage B of the policy, if available, but that such social media torts may also trigger “bodily injury” coverage under Coverage A, depending on the particular factual circumstances.