
Cyberattacks Push Companies to Specialty Insurance Policies

By Travis Wall
July 02, 2014

Standard insurance policies are not designed to address losses from data breaches. Although some insureds have been successful in obtaining coverage for cyberattacks under traditional policies, that window is closing. As insurers refine coverage defenses and expand exclusions for cyber events, businesses will have to turn to specialty cyber policies for protection against data theft or loss.

Background

Commercial general liability (CGL) policies have two basic coverage types. Coverage A addresses “property damage” and “bodily injury.” Coverage B applies to “personal injury” offenses, such as publications that invade rights of privacy. Because data breaches typically do not involve property damage or bodily injury, policyholders rely primarily on the personal injury prong.

Among other requirements, personal injury coverage applies only to claims arising from a “publication” of information. Data theft through hacking does not appear to involve a “publication” as that term is commonly understood. Courts will not presume a publication simply because a data loss occurred. In a recent case, tapes containing confidential employee information fell out of a delivery truck. An unknown person then retrieved them, but there was no evidence that employee information was publicly disclosed or improperly used.

A Connecticut appellate court rejected the argument that the data loss, in and of itself, constituted a “publication.” The mere potential for disclosure was not enough; there had to be evidence that confidential information on the tapes was actually published. See Recall Total Information Management Inc. v. Federal Ins. Co., 147 Conn. App. 450 (2014).

Zurich v. Sony

Some courts have held not only that there must be a publication, but that the insured must publish information giving rise to the claim. In March 2014, a New York state judge denied coverage on this basis in the hotly contested Zurich v. Sony insurance litigation.

The Sony dispute arose from a massive data breach. In April 2011, hackers broke into Sony networks and stole personal information involving over 100 million users. Sony was named in numerous class actions, which the company tendered to its insurers. One of those insurers, Zurich, filed a declaratory relief action in New York state court seeking a declaration that it had no duty to defend.

Sony argued that the unauthorized collection and use of personal information necessarily constituted a “publication” that violates privacy rights. The company cited authority holding that there could be a publication even though the people who accessed or stole personal information never disseminated it. See, e.g., Lenscrafters Inc. v. Liberty Mut. Fire Ins. Co., 2005 U.S. Dist. LEXIS 47185 (N.D. Cal., Jan. 20, 2005) (insured's improper use of private medical information to sell products to customers).

The insurers countered that Sony's authorities all involved situations in which the insured misappropriated information. Because Sony did not misappropriate any personal information (rather, third-party hackers stole it), there was no personal injury coverage as a matter of law. The insurers relied primarily on the New York Court of Appeals decision in Columbia v. Continental Ins. Co., 83 N.Y.2d 618, 634 N.E.2d 946 (1994). There, Columbia County sought coverage for environmental contamination under a personal injury endorsement. Upholding a dismissal in the insurer's favor, the court of appeals interpreted personal injury coverage to reach only the insured's “purposeful acts,” and not indirect, incremental harm from environmental pollution.

Columbia was an environmental case, but other courts have applied the purposeful acts rationale outside the pollution context. In Butts v. Royal Vendors Inc., 202 W. Va. 448, 504 S.E.2d 911 (1998), the West Virginia Supreme Court concluded that personal injury coverage applied only where the insured itself had published material invading privacy rights.

The Sony trial judge sided with the insurers, concluding that personal injury coverage applied only to Sony's own publications. And the judge rejected the argument that Sony's negligent failure to prevent hacking constituted a publication.

Coverage for Data Breaches

Traditional liability policies have other conditions and exclusions that may limit their effectiveness in reimbursing companies for losses from data breaches. Liability policies do not compensate for first-party losses, such as forensic costs or business interruption losses. In addition, insurers have expanded policy exclusions for losses arising from cyber risks. These exclusions already have found their way into many CGL, errors and omissions, and directors and officers policies.

Now the Insurance Services Office Inc., the entity that publishes the standard ISO forms, is getting into the act. In late 2013, the ISO filed data breach exclusionary endorsements for CGL policies. Effective May 1, these forms broadly exclude all “property damage,” “bodily injury” or “personal injury” liability arising out of the access to or disclosure of any person's or organization's confidential or personal information.

As insurers clamp down on coverage for cyber events and expand exclusionary language, companies will have to consider cyber insurance for protection against data breaches. Unlike standard policies, there are no ISO forms for cyber insurance. Each insurer has unique provisions.

Because minor differences in language could have significant repercussions, insureds must scrutinize policies carefully to determine exactly what they cover. Below are some factors companies should consider when buying a cyber policy.

1. What Damages or Expenses Does the Policy Cover?

This is a basic question, but the answer may not be straightforward with cyber policies. Standard commercial liability policies tend to have broad coverage provisions. A wide variety of damages could be covered, provided they derive from property damage, bodily injury, or personal injury offenses as broadly defined.

Cyber policies are different. They compartmentalize losses into discrete categories, and then include separate coverage parts for each type of loss. Thus, there could be separate coverage provisions, limits, and premium requirements for breach notification costs, forensic costs to identify and repair a data breach, business interruption losses, expenses to fund media campaigns, defending third-party lawsuits, and responding to regulatory inquiries.

2. What Type of Information Loss Does the Policy Cover?

Not all data breaches involve consumer information. Hackers could steal corporate trade secrets or employee information. The policy language should be broad enough to cover all relevant data.

3. Does the Policy Apply to Data Losses Involving Third-Party Vendors?

Cyber policies will define what computer systems and networks the policies cover. When a data breach occurs, these definitions will be critical in determining coverage. Companies that rely upon third-party vendors for data management should ensure that the policies cover losses involving outside entities.

4. Does the Policy Require the Data Breach to Begin During a Specified Period?

Some cyber policies require the data breach to begin during a specified period, while others cover data breaches a policyholder discovers during the relevant period. This distinction could be significant, since companies may not be aware of a data breach for weeks, months, or even years.

5. Does the Policy Require the Policyholder to Maintain and Update Its Computer Systems?

Insurers have tightened underwriting requirements for cyber policies. Representations that the insured makes in the underwriting process could impact coverage. An insurer, for example, might attempt to rescind a policy if an insured made material misrepresentations about its data management.

Some cyber policies have exclusions or conditions requiring policyholders to implement certain data security measures. Thus, depending upon policy language, coverage could be excluded where a company failed to encrypt sensitive data on laptops or thumb drives, failed to require strong passwords or the periodic changing of passwords, or failed to install software patches.

Conclusion

As the cyber insurance landscape changes, specialty cyber policies will become more prevalent. When purchasing this insurance, companies must carefully analyze the cyber risks they face and buy policies specifically tailored to those risks.


Travis Wall is a partner at the insurance law firm Barger & Wolen LLP, and founder of the firm's cyber risk and technology group. This article also appeared in The Recorder, an ALM sister publication of this newsletter.

