Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Each day, businesses become progressively more dependent on computers and the Internet to gather, store and protect information. But, as sophisticated as this technology may be, it has also proven to be susceptible to breaches, which have time and again resulted in the unauthorized access of confidential information.
These breaches can be incredibly costly to companies. According to a recent study by Symantec, the average total organizational cost of a data breach to a U.S. company has reached a staggering $5,403,644. And, as in the case of the recent Target breach, many millions of individuals have potentially had their personal information compromised, the cost of a data breach may be many times the Symantec average.
As more companies have experienced data breaches, we have seen an increasing number of disputes over whether insurance policies will help pay for them. In this article, we have compiled cases that have addressed (or are addressing) coverage for these breaches, and have divided those cases into three categories: decided, settled and pending. As set forth below, many (but not all) of these cases have focused on whether the breached data was covered property, whether there had been a “personal or advertising injury,” or whether the policyholder's conduct was intentional.
Rulings in Breach Coverage Cases
In one of the earliest cases involving coverage for an electronic data breach, a Florida district court held that there was no coverage under a crime insurance policy, which insured damage to “'tangible property ' that has intrinsic value.'” Peoples Telephone Co. Inc. v. Hartford Fire Ins. Co., 36 F. Supp. 2d 1335 (S.D. Fl. 1997).
The underlying breach in that case involved employee theft. An employee of Peoples Telephone, which provided mobile phones to rental car fleets, allegedly stole identification numbers and sold them to third parties, who in turn used the numbers to program, activate and use other phones, and to run up hundreds of thousands of dollars in unauthorized charges. 26 F. Supp. 2d at 1336-37. Peoples Telephone argued that the crime policy issued by Hartford Fire covered this action because the stolen identification numbers constituted covered property, which the policy defined as tangible property with intrinsic value. Id. at 1337. The court rejected this argument, holding that the identification numbers could not “be said to have intrinsic value since, without reference to cellular phones, they have no meaning or use.” Id. at 1339.
Ten years later, a California state court likewise held that a commercial general liability (CGL) policy did not provide coverage for an alleged data breach because the policyholder had intentionally breached a third party's systems, and because there was no “personal or advertising injury” (i.e., injury “arising out of ' oral or written publication of material that violates a person's right to privacy”) under the policy. Tom Joseph Santos v. Peerless Ins. Co., 2009 Cal. App. LEXIS 3415 (Cal. Ct. App. Apr. 30, 2009).
The policyholder in that case, Santos, was an officer and owner of a company that had been authorized to resell and provide services for Apple products. In the course of a business dispute between Santos and Apple, the latter claimed that Santos had breached Apple's computer network to access non-public information. Id. at *3. Santos sought a defense and coverage from its insurer, Peerless, for that claim.
The court concluded that there was no coverage under the policy because, due to Santos' intentional acts, there was no occurrence under the policy's insuring agreement relating to “bodily injury/property damage.” Indeed, Santos had admitted that he “was deliberately misusing Apple's website to obtain information that he was not supposed to have to use as ammunition against Apple in a lawsuit ' ” Id. at *20. The court likewise held that there was no coverage under the policy's insuring agreement for “personal or advertising” injury, because Apple had not alleged that Santos had violated Apple's privacy rights. Id. at *23.
In 2009, a California federal court similarly held that an insurer had no duty to defend a policyholder that had intentionally misappropriated data. Greenwich Ins. Co. v. Media Breakaway, LLC, 2009 U.S. Dist. LEXIS 63454 (C.D. Ca. 2009). That policyholder, Media Breakaway, is an online marketing company that rewarded its contractors (or “affiliates”) for directing Internet traffic to its websites. The affiliates hacked into the social media website MySpace, and misappropriated user logins and passwords. Id. at *4.
The court held that these actions were excluded under the directors' and liability policy because the underlying claims against Media Breakaway were predicated on alleged “intentional wrongful conduct.” Id. at n.8. The court further held that coverage was barred under a policy exclusion for “profit ' to which such Insured is not legally entitled,” since Media Breakaway had profited from illegal actions. Id. at *24-25.
Next month, we will discuss other court decisions on the question of insurance coverage for data breaches, as well as settlements in this area.
Ellen Farrell is a Counsel in Crowell & Moring LLPs Insurance/Reinsurance practice group. Kathryn Linsky is an Associate in the same practice group.
Each day, businesses become progressively more dependent on computers and the Internet to gather, store and protect information. But, as sophisticated as this technology may be, it has also proven to be susceptible to breaches, which have time and again resulted in the unauthorized access of confidential information.
These breaches can be incredibly costly to companies. According to a recent study by Symantec, the average total organizational cost of a data breach to a U.S. company has reached a staggering $5,403,644. And, as in the case of the recent
As more companies have experienced data breaches, we have seen an increasing number of disputes over whether insurance policies will help pay for them. In this article, we have compiled cases that have addressed (or are addressing) coverage for these breaches, and have divided those cases into three categories: decided, settled and pending. As set forth below, many (but not all) of these cases have focused on whether the breached data was covered property, whether there had been a “personal or advertising injury,” or whether the policyholder's conduct was intentional.
Rulings in Breach Coverage Cases
In one of the earliest cases involving coverage for an electronic data breach, a Florida district court held that there was no coverage under a crime insurance policy, which insured damage to “'tangible property ' that has intrinsic value.'”
The underlying breach in that case involved employee theft. An employee of Peoples Telephone, which provided mobile phones to rental car fleets, allegedly stole identification numbers and sold them to third parties, who in turn used the numbers to program, activate and use other phones, and to run up hundreds of thousands of dollars in unauthorized charges. 26 F. Supp. 2d at 1336-37. Peoples Telephone argued that the crime policy issued by Hartford Fire covered this action because the stolen identification numbers constituted covered property, which the policy defined as tangible property with intrinsic value. Id. at 1337. The court rejected this argument, holding that the identification numbers could not “be said to have intrinsic value since, without reference to cellular phones, they have no meaning or use.” Id. at 1339.
Ten years later, a California state court likewise held that a commercial general liability (CGL) policy did not provide coverage for an alleged data breach because the policyholder had intentionally breached a third party's systems, and because there was no “personal or advertising injury” (i.e., injury “arising out of ' oral or written publication of material that violates a person's right to privacy”) under the policy. Tom Joseph Santos v. Peerless Ins. Co., 2009 Cal. App. LEXIS 3415 (Cal. Ct. App. Apr. 30, 2009).
The policyholder in that case, Santos, was an officer and owner of a company that had been authorized to resell and provide services for
The court concluded that there was no coverage under the policy because, due to Santos' intentional acts, there was no occurrence under the policy's insuring agreement relating to “bodily injury/property damage.” Indeed, Santos had admitted that he “was deliberately misusing
In 2009, a California federal court similarly held that an insurer had no duty to defend a policyholder that had intentionally misappropriated data. Greenwich Ins. Co. v. Media Breakaway, LLC, 2009 U.S. Dist. LEXIS 63454 (C.D. Ca. 2009). That policyholder, Media Breakaway, is an online marketing company that rewarded its contractors (or “affiliates”) for directing Internet traffic to its websites. The affiliates hacked into the social media website MySpace, and misappropriated user logins and passwords. Id. at *4.
The court held that these actions were excluded under the directors' and liability policy because the underlying claims against Media Breakaway were predicated on alleged “intentional wrongful conduct.” Id. at n.8. The court further held that coverage was barred under a policy exclusion for “profit ' to which such Insured is not legally entitled,” since Media Breakaway had profited from illegal actions. Id. at *24-25.
Next month, we will discuss other court decisions on the question of insurance coverage for data breaches, as well as settlements in this area.
Ellen Farrell is a Counsel in
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.