
Electronic Data Breaches

By Joseph Geoghegan, Laurie A. Kamaiko and Dennis O. Brown
March 29, 2010

In recent years, incidents involving the theft or inadvertent disclosure of significant amounts of electronic data containing personal information have been increasing and have frequently been heavily publicized. Often, a large, public data breach is followed by a flurry of litigation as individuals, banks, and other entities affected sue the company that suffered the breach for not protecting the compromised data more effectively. The company targeted by such claims will often look to its insurance program for coverage for the defense of such lawsuits and any resulting awards. While some companies carry specialty insurance policies that are specifically designed to afford coverage for data-breach-related liability, in many cases the breached company will lack such specialized coverage, and may look to tender the defense of data-breach-related litigation under its general liability policy.

The Rise of Electronic Data Breaches

Recent studies of data breaches confirm they are increasing in number, size, and related costs. Identity Theft Resource Center Jan. 2, 2009 Report. See www.idtheftcenter.org. While paper sources of information are still subject to inadvertent or malicious disclosures, the growth of electronically collected, transmitted, and stored information has resulted in an increasing number of electronic data breaches. Id. The report stated that electronic breaches comprised 82.3% of breaches, and paper breaches comprised 17.7%. As the frequency and severity of data breaches have grown, so too have grown the potential exposures to companies when the data that they store or transmit become compromised, both from their own costs of addressing and responding to breaches, and from third-party claims. The total average cost of a data breach grew in 2009 to $204 per record compromised, with the average total cost per company of more than $6.75 million. Ponemon Institute, LLC, 2009 Annual Study: Cost of a Data Breach. While data breaches can and do occur due to inadvertent loss and disclosure of information, as often occurs when laptops are lost, many of the large publicized data breaches have been caused by deliberate intrusions into company databases by cyber criminals. Verizon Business RISK Team, 2009 Data Breach Investigations Report, cites hacking as the leading cause of data breaches; see http://securityblog.verizonbusiness.com.

Cyber criminals frequently target classes of consumer information that state and federal regulations governing data protection refer to as “Personal Information,” generally defined as a name plus a Social Security number, credit or debit card number, driver's license or government-issued identification card, medical insurance identification number, or financial account information. Cyber criminals often target institutions that maintain Personal Information of large numbers of individuals, in an attempt to get large returns from their efforts. Recent data breaches of payment processing companies and retailers in which the credit and debit card information of millions of consumers was obtained by cyber criminals demonstrate the scope of such attacks, the increasing sophistication of the cyber criminals, and the resultant costs to the targeted company.

Large Losses

The costs to an entity affected by a data breach can be enormous and are sustained for a variety of reasons. State and federal statutes and regulations now require entities that have suffered a data breach to provide notification to affected individuals whose Personal Information has been stolen or compromised. Forty-eight U.S. jurisdictions, including 45 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have enacted data breach notification laws. Notification costs add up quickly when the number of affected records is in the millions. The entity that suffered the data breach may find it necessary to offer credit monitoring services to affected individuals. If the stolen Personal Information includes credit or debit card data, the entity may be subject to contractual fines imposed by the card brands (e.g., Visa and MasterCard). Retaining outside counsel, computer forensics experts, and public relations consultants presents an additional burden. These are first-party costs, although a company sustaining them may look to make third-party claims against an entity that it believes has contributed to the occurrence of the data breach, such as a vendor involved in the security of the breached company's data.

Another significant exposure resulting from a data breach is that of third-party claims and lawsuits by other entities affected by the breach. In recent years, significant data breaches have been followed by a variety of types of lawsuits, including class action lawsuits pursued by the individuals whose data were compromised; lawsuits brought by the banks that issued the credit cards that were compromised based on allegations that they were compelled to cancel the cards and issue new ones and absorb the cost of fraudulent charges; securities litigation brought by shareholders who saw the value of their shares of the affected entity's stock decline following publication of the breach; and even lawsuits brought by other merchants who shared a common customer with the breached company, claiming that the cancellation of large numbers of credit and debit cards in their geographic region adversely affected their own businesses.

Lawsuits related to data breaches have, so far, met with limited success, although as litigation increases, so do the risks of a successful claim. A securities litigation against a company that suffered a data breach was recently dismissed when the court found that the plaintiffs failed to allege the existence of a material misstatement or omission on the part of the company. In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D.N.J. Dec. 7, 2009). Two lawsuits pursued by banks that had issued credit and debit cards that became compromised by data breaches affecting, in each case, a third-party retailer were dismissed for failure to plead a cognizable claim. Cumis Ins. Society, Inc. v. BJ's Wholesale Club, Inc., 918 N.E.2d 36 (Mass. 2009); In re TJX Companies Retail Security Breach Litigation, 564 F.3d 489 (1st Cir. 2009). Consumer claims have generally been unsuccessful, particularly when the consumers have not been able to demonstrate actual out-of-pocket losses from a data breach involving their Personal Information. See, e.g., Ruiz v. Gap, Inc. and Vangent Inc., 2009 WL 941162 (N.D. Cal. April 6, 2009); Shafran v. Harley Davidson, Inc., 2008 WL 763177 (S.D.N.Y. 2008); Randolph v. ING Life Ins. and Annuity Co., 486 F. Supp. 2d 1 (D.D.C. 2007). However, a federal class action lawsuit brought by individuals whose Personal Information was allegedly stolen from a grocery store chain is currently ongoing, and awaits a determination from the Maine Supreme Judicial Court, on a certified question, as to whether the time and effort allegedly expended by the affected individuals to avert damage to their credit constitutes a cognizable injury under Maine law. In re Hannaford, MDL Docket No. 2:08-MD-1954 (D. Me. Oct. 5, 2009).

Whether or not lawsuits against a breached company ultimately succeed, the defense of those lawsuits will represent a significant expenditure, and the breached company will often look to its existing insurance policies to try to obtain funding for its defense. If the breached company had purchased a policy specifically designed to provide coverage for cyber risks and data breaches, it is likely to be fortunate to have at least some of its first-party costs of investigating and responding to the breach covered, and to have some third-party claims defended. An increasing number of insurance carriers are offering such policies.

However, data breaches strike a wide range of entities, and not all have included coverage of cyber risks as a focus of their insurance programs. In recent years, data breaches have affected universities, bricks-and-mortar retailers, hotels, the food and beverage industry, financial institutions, law firms, and the health care industry, among other types of entities. Many of these entities do not carry cyber risk insurance, and may attempt to tender the defense of lawsuits related to data breaches under one of their traditional insurance policies, with commercial general liability (“CGL”) policies a prime target.

Coverage Under the General Liability Policy

An insured company subjected to a lawsuit in connection with a data breach it suffers may tender the defense of that suit under its CGL policy. While cyber crime and other types of data breach are developing areas of the law, there are a few judicial decisions indicating the likely issues on which a coverage dispute will focus when a claim for coverage is made under a CGL policy.

Coverage A

The typical CGL policy contains two coverage parts: Coverage A and Coverage B. Coverage A provides that “we will pay those sums that the insured becomes legally obligated to pay as damages because of 'bodily injury' or 'property damage' to which this insurance applies.” “Property damage” is defined as “physical injury to tangible property, including all resulting loss of use of that property;” and “loss of use of tangible property that is not physically injured.” This is standard policy language found in recent form policies developed by the Insurance Services Office (“ISO”) (see CG 00 01 12 04). While there is variance in language used by different insurers' CGL policies, the ISO language is in widespread use, and there are judicial decisions dealing directly with ISO wordings.

Generally in data breach cases, the question of whether there is coverage, or at least sufficient allegations to trigger a duty to defend, focuses on the “property damage” requirement of Coverage A. Because of the requirement that there be “tangible property” affected, it is usually considered unlikely that lawsuits related to a typical breach of electronically stored data would be covered under Coverage A. Case law generally maintains that electronic data are not tangible property. See Ward General Services, Inc. v. Employers Fire Insurance Co., 114 Cal. App. 4th 548, 556-57 (Cal. App. 4 Dist. 2003); Southeast Mental Healthcare Center, Inc. v. Pacific Insurance Company, LTD, 439 F. Supp. 2d 831, 838-839 (W.D. Tenn. 2006); America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 93-98 (4th Cir. 2003); State Auto Property & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001). Courts reaching a different conclusion have done so where the data are actually lost to their owner, not merely stolen. See Computer Corner, Inc. v. Fireman's Fund Ins. Co., 46 P.3d 1264 (N.M. 2002) (holding that loss of the pre-existing electronic data was tangible property damage covered by a CGL policy where the computer store repairing the customer's computer permanently lost all the data); see also American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., 2000 WL 726789 (D. Ariz. Apr. 18, 2000) (holding that computer data permanently lost during a power outage constituted “direct physical loss or damage from any cause” covered by a property policy).

Additionally, ISO's 2004 form and other CGL forms include in the definition of “property damage” the provision that “for the purpose of this insurance, electronic data is not tangible property.” The ISO definition of “property damage” further defines “electronic data” for purposes of applying the policy: “As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.”

Without being able to assert damage to tangible property, an insured may be unable to successfully tender a typical electronic data-breach-related lawsuit under Coverage A. In addition, the 2004 ISO form includes an Electronic Data Exclusion, according to which “this insurance does not apply to … damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” While there appear to be no reported decisions that have construed the Electronic Data Exclusion, it may present an additional barrier to an insured attempting to tender the defense of an electronic data-breach-related lawsuit under Coverage A.

The “bodily injury” component of Coverage A may present another avenue for an entity seeking coverage for a data-breach-related lawsuit. Consumer data breach claims often include an emotional distress component. If a policy (or governing law) defines “bodily injury” to include emotional distress even when there is no other physical injury, or there is applicable case law supporting that “bodily injury” does not require physical injury, there potentially could be a claim for coverage for the defense of any such emotional distress claim (as well as for indemnity for that aspect of the alleged damages). However, while the “tangible property” barrier would not apply to such a claim, the insured would still have to demonstrate that the “bodily injury” was caused by an “occurrence,” and circumvent any other provisions and exclusions that may be added by an insurer to its policy to preclude coverage of data breach claims.

Coverage B

Coverage B, Personal and Advertising Injury, presents another avenue for the insured seeking coverage for at least some types of data-breach-related claims. To date, the cases interpreting the different terms of CGL policies indicate that disputes regarding the applicability of CGL policies to data-breach lawsuits are likely to focus on Coverage B, as there has been some limited success in obtaining coverage of at least defense costs.

Standard Coverage B provides, “we will pay those sums that the insured becomes legally obligated to pay as damages because of 'personal and advertising injury' to which this insurance applies.” “Personal and advertising injury” is typically defined as “injury … arising out of … oral or written publication, in any manner, of material that violates a person's right of privacy.”

To successfully tender a data breach claim under Coverage B, an insured would have to demonstrate at least a potential that the inadvertent disclosure of data, or failure of data security, constituted a “publication” that violated the data owner's “privacy.” While the standard ISO insurance form does not define the terms “publication” or “privacy,” courts ruling on the applicability of Coverage B to privacy claims have found some types of personal data, such as credit information, to be within the data owner's “right of privacy.” Thus, some courts have found privacy rights implicated for purposes of Coverage B in cases involving improper access and use of credit reports in violation of the Fair Credit Reporting Act (“FCRA”). Pietras v. Sentry Ins. Co., 2007 WL 715759 (N.D. Ill. 2007) (holding, under Illinois law, that the insurer had a duty to provide a defense); American Family Mutual Ins. Co. v. C.M.A. Mortgage, Inc., 2008 WL 906230 (S.D. Ind. 2008) (holding that a claim involving the improper use of credit reports in violation of FCRA states a potentially covered claim under Indiana law and thus triggers the insurer's duty to defend) (order rescinded in part due to docketing error, 2008 WL 5069825); Zurich American Ins. Co. v. Fieldstone Mortgage Co., 2007 WL 3268460 (Md. Dist. Ct. 2007) (holding that a FCRA claim based upon improper access and use of others' credit information triggered a duty to defend under Maryland law.)

Notably, the FCRA expressly states that it is intended to protect consumers' right to privacy. Similarly, the personal data at issue in data-breach scenarios are also protected by statutes designed to keep that data private. An insured may therefore look to statements of legislative or regulatory intent contained in data-privacy laws in order to argue that disclosure of Personal Information violated a “right of privacy” for purposes of Coverage B.

However, the requirement that there be a “publication” in order to obtain coverage under Coverage B presents another hurdle to the insured, and case law presents conflicting results. Decisions in some jurisdictions have found the publication requirement to be sufficiently satisfied in some factual scenarios to at least trigger a duty to defend, while others have held there to be no coverage as a matter of law.

In the line of cases involving coverage for lawsuits alleging violations of the FCRA, different courts took a broad view of “publication,” and found that publication can occur when information is revealed to a single person, including the owner of the information. One court noted that “of the circuits to examine 'publication' in the context of an 'advertising injury' provision, the majority have found that the publication need not be to a third party.” Zurich v. Fieldstone, supra, 2007 WL 3268460 at *5; see, e.g., Park Univ. Enterprises, Inc. v. American Cas. Co. of Reading, 442 F.3d 1239, 1248-49, 1250 (10th Cir. 2006) (applying Kansas law and holding that violation of a law prohibiting unsolicited fax advertisements violated “a species of privacy interest”; that it is reasonable to define publication as “making something generally known,” and faxing advertisements is to effectively “publish”; and that there was therefore a duty to defend). The Park University court, relying on a dictionary, found “publication” to mean “to produce or release for distribution.” Id. Additionally, in a case construing “publication” in the context of an employer subjecting his employee to audio surveillance without informing the employee, in violation of the Wiretapping and Electronic Surveillance Act, the surveillance was found to constitute “publication.” Bowyer v. Hi-Lad Inc., 609 S.E.2d 895, 912 (W.Va. 2004) (the court found “nothing in the policy indicating that the word publication necessarily means transmitting the intercepted communications to a third party, as is required of material in the defamation context. And, even were we to assume publication does require communicating to a third-party, the surveillance monitoring system apparently functioned in such a way that anyone in the manager's office or in [the hotel owner's] home had the ability to listen in on employee conversations.”).

In contrast, a court in another jurisdiction analyzing the applicability of Coverage B to a violation of the Fair and Accurate Credit Transactions Act (“FACTA”) reached a different conclusion. The court found there was no “publication” where credit card information on a sales receipt is improperly printed in full, but is provided only to the cardholder and is thus not “in any way made generally known, announced publicly, disseminated to the public, or released for distribution.” Whole Enchilada, Inc. v. Travelers, 581 F. Supp. 2d 677, 698 (W.D. Pa. 2008).

Thus, in the event of a request for coverage under Coverage B of a third-party claim based upon improper access to Personal Information due to a data breach, the focus is likely to be whether there was “oral or written publication” by the insured. The issue of whether publication was made to a third party will be especially relevant in cases where the data security was compromised, but there are no allegations that cyber criminals actually captured the data or any third party received it.

Yet another hurdle for attempts to obtain coverage of a third-party data breach claim under a CGL Policy is the requirement under both Coverage A and Coverage B that the claim be for “sums that the insured is legally obligated to pay as damages.” Often consumers have not sustained out-of-pocket losses, and many courts have held that other types of claims such as for credit monitoring in the absence of identity theft and fear of future identity theft are not legally cognizable injuries.

Variations and Exclusions

Variations in Coverage B policy wording can also affect whether a court is likely to find coverage for a data breach under Coverage B. In a case involving claims brought under the Electronic Communications Privacy Act and Computer Fraud and Abuse Act in connection with the collection of information regarding the underlying plaintiffs' online activity for eventual dissemination to third-party advertisers, the court construed a policy with Coverage B wording different from the wording in the ISO form. The policy defined “personal injury offense” to include “Making known to any person or organization written or spoken material that violates a person's right to privacy.” In that case, the phrase “making known to any person or organization” took the place of the phrase “oral or written publication, in any manner” found in the ISO form. Under this definition, the court found that it was enough for the defendant to have passed the information to its parent company, and for the defendant's employees to have shared the information among themselves, to constitute “making known to any person or organization” and to satisfy the policy's definition of “personal injury offense.” (The holding was reversed on appeal, but not on this point.) Netscape Communications Corp. v. Federal Ins. Co., 2007 WL 2972924 (N.D. Cal.), reversed, Netscape Communications Corp. v. Federal Ins. Co., 2009 WL 2634945 (9th Cir. Aug. 27, 2009). The Ninth Circuit agreed that the Coverage B language covered the claims and dismissed as dicta opinions in other cases that the disclosure must be to a third party in order to be covered by Coverage B. The court found the policy's broad language regarding “any person or organization” to be dispositive. However, the Ninth Circuit disagreed with the lower court regarding the applicability of an exclusion to Coverage B. The policy excluded coverage for personal injury offenses relating to defined “online activities,” including the provision of Internet access. While the lower court found that the exclusion barred coverage because the claims involved the use of software to assist with downloading files, the Ninth Circuit, reading the exclusion narrowly, reasoned that the software itself does not provide Internet access, and thus the exclusion did not apply.

Furthermore, Coverage B usually has exclusions that can come into play in the event of a data breach, including ones for “personal and advertising injury” arising out of the criminal act of the insured (which could come into play when employee theft is in issue); arising out of intellectual property rights; committed by insureds in media- and Internet-type businesses; arising out of an electronic chatroom or bulletin board that the insured hosts, owns or controls; and any additional exclusions that an insurer may add to restrict its exposure to data breach claims.

Conclusion

As companies in all lines of business increasingly collect Personal Information and maintain it in electronic form, the risk of data breaches either by cyber criminal intrusions or inadvertent disclosures increases. While the availability of cyber risk policies designed to provide coverage for the losses and claims arising from data breaches is increasing, for now many companies do not have such policies in their insurance programs or have costs or claims not fully covered by those policies. Companies sustaining a breach are likely to look to their other policies to see if any of their costs will be covered. Given the ubiquity of CGL policies, many breached companies may tender claims asserted against them arising from a data breach to their CGL insurers. Further, those asserting claims against breached companies may tailor their allegations to try to trigger such coverage. As claims increase, we can expect to see more courts taking up the issue of whether such claims raise sufficient issues to at least trigger a defense obligation under CGL policies.


Joseph Geoghegan is a senior associate in the Hartford, CT, office of Edwards Angell Palmer & Dodge LLP. Laurie A. Kamaiko is a partner in the firm's New York office and advises insurers on issues involving coverage, claims handling, and bad faith. Dennis O. Brown, a member of this newsletter's Board of Editors, is a partner in the Hartford office whose practice is focused on defending coverage and bad faith litigation.

In recent years, incidents involving the theft or inadvertent disclosure of significant amounts of electronic data containing personal information have been increasing and have frequently been heavily publicized. Often, a large, public data breach is followed by a flurry of litigation as individuals, banks, and other entities affected sue the company that suffered the breach for not protecting the compromised data more effectively. The company targeted by such claims will often look to its insurance program for coverage for the defense of such lawsuits and any resulting awards. While some companies carry specialty insurance policies that are specifically designed to afford coverage for data-breach-related liability, in many cases the breached company will lack such specialized coverage, and may look to tender the defense of data-breach-related litigation under its general liability policy.

The Rise of Electronic Data Breaches

Recent studies of data breaches confirm they are increasing in number, size, and related costs. Identity Theft Resource Center Jan. 2, 2009 Report. See www.idtheftcenter.org. While paper sources of information are still subject to inadvertent or malicious disclosures, the growth of electronically collected, transmitted, and stored information has resulted in an increasing number of electronic data breaches. Id. The report stated that electronic breaches comprised 82.3% of breaches, and paper breaches comprised 17.7%. As the frequency and severity of data breaches have grown, so too have grown the potential exposures to companies when the data that they store or transmit become compromised, both from their own costs of addressing and responding to breaches, and from third-party claims. The total average cost of a data breach grew in 2009 to $204 per record compromised, with the average total cost per company of more than $6.75 million. Ponemon Institute, LLC, 2009 Annual Study: Cost of a Data Breach. While data breaches can and do occur due to inadvertent loss and disclosure of information, as often occurs when laptops are lost, many of the large publicized data breaches have been caused by deliberate intrusions into company databases by cyber criminals. Verizon Business RISK Team, 2009 Data Breach Investigations Report, cites hacking as the leading cause of data breaches; see http://securityblog.verizonbusiness.com.

Cyber criminals frequently target classes of consumer information that state and federal regulations governing data protection refer to as “Personal Information,” generally defined as a name plus a Social Security number, credit or debit card number, driver's license or government-issued identification card, medical insurance identification number, or financial account information. Cyber criminals often target institutions that maintain Personal Information of large numbers of individuals, in an attempt to get large returns from their efforts. Recent data breaches of payment processing companies and retailers in which the credit and debit card information of millions of consumers was obtained by cyber criminals demonstrate the scope of such attacks, the increasing sophistication of the cyber criminals, and the resultant costs to the targeted company.

Large Losses

The costs to an entity affected by a data breach can be enormous and are sustained for a variety of reasons. State and federal statutes and regulations now require entities that have suffered a data breach to provide notification to affected individuals whose Personal Information has been stolen or compromised. Forty-eight U.S. jurisdictions, including 45 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have enacted data breach notification laws. Notification costs add up quickly when the number of affected records is in the millions. The entity that suffered the data breach may find it necessary to offer credit monitoring services to affected individuals. If the stolen Personal Information includes credit or debit card data, the entity may be subject to contractual fines imposed by the card brands (e.g., Visa and Master Card). Retaining outside counsel, computer forensics experts, and public relations consultants presents an additional burden. These are first-party costs, although a company sustaining them may look to make third-party claims against an entity that it believes has contributed to the occurrence of the data breach, such as a vendor involved in the security of the breached company's data.

Another significant exposure resulting from a data breach is that of third-party claims and lawsuits by other entities affected by the breach. In recent years, significant data breaches have been followed by a variety of types of lawsuits, including class action lawsuits pursued by the individuals whose data were compromised; lawsuits brought by the banks that issued the credit cards that were compromised based on allegations that they were compelled to cancel the cards and issue new ones and absorb the cost of fraudulent charges; securities litigation brought by shareholders who saw the value of their shares of the affected entity's stock decline following publication of the breach; and even lawsuits brought by other merchants who shared a common customer with the breached company, claiming that the cancellation of large numbers of credit and debit cards in their geographic region adversely affected their own businesses.

Lawsuits related to data breaches have, so far, met with limited success, although as litigation increases, so do the risks of a successful claim. A securities litigation against a company that suffered a data breach was recently dismissed when the court found that the plaintiffs failed to allege the existence of a material misstatement or omission on the part of the company. In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D.N.J., Dec., 7, 2009). Two lawsuits pursued by banks that had issued credit and debit cards that became compromised by data breaches affecting, in each case, a third-party retailer were dismissed for failure to plead a cognizable claim. Cumis Ins. Society, Inc. v. BJ's Wholesale Club , Inc., 918 N.E.2d 36 (Mass. 2009); In Re TJX Companies Retail Security Breach Litigation, 564 F.3d 489 (1st Cir. 2009). Consumer claims have generally been unsuccessful, particularly when the consumers have not been able to demonstrate actual out-of-pocket losses from a data breach involving their Personal Information. See e.g., Ruiz v. Gap , Inc. and Vangent Inc. , 2009 WL 941162 (N.D. Cal., April 6, 2009); Shafran v. Harley Davidson, Inc., 2008 WL 763177 (S.D.N.Y. 2008); Randolph v. ING Life Ins. and Annuity Co. , 486 F.Supp.2d. 1 (D.D.C. 2007). However, a federal class action lawsuit brought by individuals whose Personal Information was allegedly stolen from a grocery store chain is currently ongoing, and awaits a determination from the Maine Supreme Judicial Court, on a certified question, as to whether the time and effort allegedly expended by the affected individuals to avert damage to their credit constitutes a cognizable injury under Maine law. In re Hannaford, MDL Docket No. 2:08-MD-1954 (D. Me., Oct. 5, 2009).

Whether or not lawsuits against a breached company ultimately succeed, the defense of those lawsuits will represent a significant expenditure, and the breached company will often look to its existing insurance policies to try to obtain funding for its defense. If the breached company has purchased a policy specifically designed to cover cyber risks and data breaches, it will likely have at least some of its first-party costs of investigating and responding to the breach covered, and some third-party claims defended. An increasing number of insurance carriers are offering such policies.

However, data breaches strike a wide range of entities, and not all have included coverage of cyber risks as a focus of their insurance programs. In recent years, data breaches have affected universities, bricks-and-mortar retailers, hotels, the food and beverage industry, financial institutions, law firms, and the health care industry, among other types of entities. Many of these entities do not carry cyber risk insurance, and may attempt to tender the defense of lawsuits related to data breaches under one of their traditional insurance policies, with commercial general liability (“CGL”) policies a prime target.

Coverage Under the General Liability Policy

An insured company subjected to a lawsuit in connection with a data breach it suffers may tender the defense of that suit under its CGL policy. While cyber crime and other types of data breach are developing areas of the law, there are a few judicial decisions indicating the likely issues on which a coverage dispute will focus when a claim for coverage is made under a CGL policy.

Coverage A

The typical CGL policy contains two coverage parts: Coverage A and Coverage B. Coverage A provides that “we will pay those sums that the insured becomes legally obligated to pay as damages because of 'bodily injury' or 'property damage' to which this insurance applies.” “Property damage” is defined as “physical injury to tangible property, including all resulting loss of use of that property;” and “loss of use of tangible property that is not physically injured.” This is standard policy language found in recent form policies developed by the Insurance Services Office (“ISO”) (see CG 00 01 12 04). While there is variance in language used by different insurers' CGL policies, the ISO language is in widespread use, and there are judicial decisions dealing directly with ISO wordings.

Generally in data breach cases, the question of whether there is coverage, or at least sufficient allegations to trigger a duty to defend, focuses on the “property damage” requirement of Coverage A. Because of the requirement that there be “tangible property” affected, it is usually considered unlikely that lawsuits related to a typical breach of electronically stored data would be covered under Coverage A. Case law generally maintains that electronic data are not tangible property. See Ward General Services, Inc. v. Employers Fire Insurance Co., 114 Cal. App. 4th 548, 556-57 (Cal. App. 4 Dist. 2003); Southeast Mental Healthcare Center, Inc. v. Pacific Insurance Company, Ltd., 439 F. Supp. 2d 831, 838-839 (W.D. Tenn. 2006); America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 93-98 (4th Cir. 2003); State Auto Property & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001). Courts reaching a different conclusion have done so where the data are actually lost to their owner, not merely stolen. See Computer Corner, Inc. v. Fireman's Fund Ins. Co., 46 P.3d 1264 (N.M. 2002) (holding that loss of the pre-existing electronic data was tangible property damage covered by a CGL policy where the computer store repairing the customer's computer permanently lost all the data); see also American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., 2000 WL 726789 (D. Ariz. Apr. 18, 2000) (holding that computer data permanently lost during a power outage constituted “direct physical loss or damage from any cause” covered by a property policy).

Additionally, ISO's 2004 form and other CGL forms include in the definition of “property damage” the provision that “for the purpose of this insurance, electronic data is not tangible property.” The ISO definition of “property damage” further defines “electronic data” for purposes of applying the policy: “As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.”

Without being able to assert damage to tangible property, an insured may be unable to successfully tender a typical electronic data-breach-related lawsuit under Coverage A. In addition, the 2004 ISO form includes an Electronic Data Exclusion, according to which “this insurance does not apply to ... damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” While there appear to be no reported decisions that have construed the Electronic Data Exclusion, it may present an additional barrier to an insured attempting to tender the defense of an electronic data-breach-related lawsuit under Coverage A.

The “bodily injury” component of Coverage A may present another avenue for an entity seeking coverage for a data-breach-related lawsuit. Consumer data breach claims often include an emotional distress component. If a policy (or governing law) defines “bodily injury” to include emotional distress even when there is no other physical injury, or there is applicable case law supporting that “bodily injury” does not require physical injury, there potentially could be a claim for coverage for the defense of any such emotional distress claim (as well as for indemnity for that aspect of the alleged damages). However, while the “tangible property” barrier would not apply to such a claim, the insured would still have to demonstrate that the “bodily injury” was caused by an “occurrence,” and circumvent any other provisions and exclusions that may be added by an insurer to its policy to preclude coverage of data breach claims.

Coverage B

Coverage B, Personal and Advertising Injury, presents another avenue for the insured seeking coverage for at least some types of data-breach-related claims. To date, the cases interpreting the different terms of CGL policies indicate that disputes regarding the applicability of CGL policies to data-breach lawsuits are likely to focus on Coverage B, as there has been some limited success in obtaining coverage of at least defense costs.

Standard Coverage B provides, “we will pay those sums that the insured becomes legally obligated to pay as damages because of 'personal and advertising injury' to which this insurance applies.” “Personal and advertising injury” is typically defined as “injury ... arising out of ... oral or written publication, in any manner, of material that violates a person's right of privacy.”

To successfully tender a data breach claim under Coverage B, an insured would have to demonstrate at least a potential that the inadvertent disclosure of data, or failure of data security, constituted a “publication” that violated the data owner's “privacy.” While the standard ISO insurance form does not define the terms “publication” or “privacy,” courts ruling on the applicability of Coverage B to privacy claims have found some types of personal data, such as credit information, to be within the data owner's “right of privacy.” Thus, some courts have found privacy rights implicated for purposes of Coverage B in cases involving improper access and use of credit reports in violation of the Fair Credit Reporting Act (“FCRA”). Pietras v. Sentry Ins. Co., 2007 WL 715759 (N.D. Ill. 2007) (holding, under Illinois law, that the insurer had a duty to provide a defense); American Family Mutual Ins. Co. v. C.M.A. Mortgage, Inc., 2008 WL 906230 (S.D. Ind. 2008) (holding that a claim involving the improper use of credit reports in violation of FCRA states a potentially covered claim under Indiana law and thus triggers the insurer's duty to defend) (order rescinded in part due to docketing error, 2008 WL 5069825); Zurich American Ins. Co. v. Fieldstone Mortgage Co., 2007 WL 3268460 (D. Md. 2007) (holding that a FCRA claim based upon improper access and use of others' credit information triggered a duty to defend under Maryland law).

Notably, the FCRA expressly states that it is intended to protect consumers' right to privacy. Similarly, the personal data at issue in data-breach scenarios are also protected by statutes designed to keep that data private. An insured may therefore look to statements of legislative or regulatory intent contained in data-privacy laws in order to argue that disclosure of Personal Information violated a “right of privacy” for purposes of Coverage B.

However, the requirement that there be a “publication” in order to obtain coverage under Coverage B presents another hurdle to the insured, and case law presents conflicting results. Decisions in some jurisdictions have found the publication requirement to be sufficiently satisfied in some factual scenarios to at least trigger a duty to defend, while others have held there to be no coverage as a matter of law.

In the line of cases involving coverage for lawsuits alleging violations of the FCRA, different courts took a broad view of “publication,” and found that publication can occur when information is revealed to a single person, including the owner of the information. One court noted that “of the circuits to examine 'publication' in the context of an 'advertising injury' provision, the majority have found that the publication need not be to a third party.” Zurich v. Fieldstone, supra, 2007 WL 3268460 at *5; see, e.g., Park Univ. Enterprises, Inc. v. American Cas. Co. of Reading, 442 F.3d 1239, 1248-49, 1250 (10th Cir. 2006) (applying Kansas law and holding that violation of a law prohibiting unsolicited fax advertisements violated “a species of privacy interest”; that it is reasonable to define publication as “making something generally known,” so that faxing advertisements is effectively to “publish”; and that there was therefore a duty to defend). The Park court, relying on a dictionary, also found “publication” to mean “to produce or release for distribution.” Id. Additionally, in a case construing “publication” where an employer subjected his employees to audio surveillance without informing them, in violation of the Wiretapping and Electronic Surveillance Act, the surveillance was found to constitute “publication.” Bowyer v. Hi-Lad Inc., 609 S.E.2d 895, 912 (W. Va. 2004) (the court held that there was “nothing in the policy indicating that the word publication necessarily means transmitting the intercepted communications to a third party, as is required of material in the defamation context. And, even were we to assume publication does require communicating to a third-party, the surveillance monitoring system apparently functioned in such a way that anyone in the manager's office or in [the hotel owner's] home had the ability to listen in on employee conversations.”).

In contrast, a court in another jurisdiction analyzing the applicability of Coverage B to a violation of the Fair and Accurate Credit Transactions Act (“FACTA”) reached a different conclusion. The court found there was no “publication” where credit card information on a sales receipt was improperly printed in full, but was provided only to the cardholder and thus was not “in any way made generally known, announced publicly, disseminated to the public, or released for distribution.” Whole Enchilada, Inc. v. Travelers, 581 F. Supp. 2d 677, 698 (W.D. Pa. 2008).

Thus, in the event of a request for coverage under Coverage B of a third-party claim based upon improper access to Personal Information due to a data breach, the focus is likely to be whether there was “oral or written publication” by the insured. The issue of whether publication was made to a third party will be especially relevant in cases where the data security was compromised, but there are no allegations that cyber criminals actually captured the data or any third party received it.

Yet another hurdle for attempts to obtain coverage of a third-party data breach claim under a CGL Policy is the requirement under both Coverage A and Coverage B that the claim be for “sums that the insured is legally obligated to pay as damages.” Often consumers have not sustained out-of-pocket losses, and many courts have held that other types of claims such as for credit monitoring in the absence of identity theft and fear of future identity theft are not legally cognizable injuries.

Variations and Exclusions

Variations in Coverage B policy wording can also affect whether a court is likely to find coverage for a data breach under Coverage B. In a case involving claims brought under the Electronic Communications Privacy Act and Computer Fraud and Abuse Act in connection with the collection of information regarding the underlying plaintiffs' online activity for eventual dissemination to third-party advertisers, the court construed a policy with Coverage B wording different from the wording in the ISO form. The policy defined “personal injury offense” to include “Making known to any person or organization written or spoken material that violates a person's right to privacy.” In that case, the phrase “making known to any person or organization” took the place of the phrase “oral or written publication, in any manner” found in the ISO form. Under this definition, the court found that it was enough for the defendant to have passed the information to its parent company, and for the defendant's employees to have shared the information among themselves, to constitute “making known to any person or organization” and to satisfy the policy's definition of “personal injury offense.” (The holding was reversed on appeal, but not on this point.) Netscape Communications Corp. v. Federal Ins. Co., 2007 WL 2972924 (N.D. Cal.), reversed, Netscape Communications Corp. v. Federal Ins. Co., 2009 WL 2634945 (9th Cir. Aug. 27, 2009). The Ninth Circuit agreed that the Coverage B language covered the claims and dismissed as dicta opinions in other cases that the disclosure must be to a third party in order to be covered by Coverage B. The court found the policy's broad language regarding “any person or organization” to be dispositive. However, the Ninth Circuit disagreed with the lower court regarding the applicability of an exclusion to Coverage B. The policy excluded coverage for personal injury offenses relating to defined “online activities,” including the provision of Internet access. While the lower court found that the exclusion barred coverage because the claims involved the use of software to assist with downloading files, the Ninth Circuit, reading the exclusion narrowly, reasoned that the software itself does not provide Internet access, and thus the exclusion did not apply.

Furthermore, Coverage B usually has exclusions that can come into play in the event of a data breach, including ones for “personal and advertising injury” arising out of the criminal act of the insured (which could come into play when employee theft is in issue); arising out of intellectual property rights; committed by insureds in media- and Internet-type businesses; arising out of an electronic chatroom or bulletin board that the insured hosts, owns or controls; and any additional exclusions that an insurer may add to restrict its exposure to data breach claims.

Conclusion

As companies in all lines of business increasingly collect Personal Information and maintain it in electronic form, the risk of data breaches either by cyber criminal intrusions or inadvertent disclosures increases. While the availability of cyber risk policies designed to provide coverage for the losses and claims arising from data breaches is increasing, for now many companies do not have such policies in their insurance programs or have costs or claims not fully covered by those policies. Companies sustaining a breach are likely to look to their other policies to see if any of their costs will be covered. Given the ubiquity of CGL policies, many breached companies may tender claims asserted against them arising from a data breach to their CGL insurers. Further, those asserting claims against breached companies may tailor their allegations to try to trigger such coverage. As claims increase, we can expect to see more courts taking up the issue of whether such claims raise sufficient issues to at least trigger a defense obligation under CGL policies.


Joseph Geoghegan is a senior associate in the Hartford, CT, office of Edwards Angell Palmer & Dodge LLP. Laurie A. Kamaiko is a partner in the firm's New York office and advises insurers on issues involving coverage, claims handling, and bad faith. Dennis O. Brown, a member of this newsletter's Board of Editors, is a partner in the Hartford office whose practice is focused on defending coverage and bad faith litigation.