Insurance Coverage Disputes over Data Breaches

Rulings in Breach Coverage Cases

In one of the earliest cases involving coverage for an electronic data breach, a Florida district court held that there was no coverage under a crime insurance policy, which insured damage to “'tangible property ' that has intrinsic value.'” Peoples Telephone Co. Inc. v. Hartford Fire Ins. Co., 36 F. Supp. 2d 1335 (S.D. Fl. 1997).

The underlying breach in that case involved employee theft. An employee of Peoples Telephone, which provided mobile phones to rental car fleets, allegedly stole identification numbers and sold them to third parties, who in turn used the numbers to program, activate and use other phones, and to run up hundreds of thousands of dollars in unauthorized charges. Id. at 1336-37. Peoples Telephone argued that the crime policy issued by Hartford Fire covered this action because the stolen identification numbers constituted covered property, which the policy defined as tangible property with intrinsic value. Id. at 1337. The court rejected this argument, holding that the identification numbers could not “be said to have intrinsic value since, without reference to cellular phones, they have no meaning or use.” Id. at 1339.

Ten years later, a California state court likewise held that a commercial general liability (CGL) policy did not provide coverage for an alleged data breach because the policyholder had intentionally breached a third party's systems, and because there was no “personal or advertising injury” (i.e., injury “arising out of ' oral or written publication of material that violates a person's right to privacy”) under the policy. Tom Joseph Santos v. Peerless Ins. Co., 2009 Cal. App. LEXIS 3415 (Cal. Ct. App. Apr. 30, 2009).

The policyholder in that case, Santos, was an officer and owner of a company that had been authorized to resell and provide services for Apple products. In the course of a business dispute between Santos and Apple, the latter claimed that Santos had breached Apple's computer network to access non-public information. Id. at 3. Santos sought a defense and coverage from its insurer, Peerless, for that claim.

The court concluded that there was no coverage under the policy because, due to Santos' intentional acts, there was no occurrence under the policy's insuring agreement relating to “bodily injury/property damage.” Indeed, Santos had admitted that he “was deliberately misusing Apple's website to obtain information that he was not supposed to have to use as ammunition against Apple in a lawsuit ' .” Id. at 20. The court likewise held that there was no coverage under the policy's insuring agreement for “personal or advertising” injury, because Apple had not alleged that Santos had violated Apple's privacy rights. Id. at 23.

In 2009, a California federal court similarly held that an insurer had no duty to defend a policyholder that had intentionally misappropriated data. Greenwich Ins. Co. v. Media Breakaway, LLC, 2009 U.S. Dist. LEXIS 63454 (C.D. Ca. 2009). That policyholder, Media Breakaway, is an online marketing company that rewarded its contractors (or “affiliates”) for directing Internet traffic to its websites. The affiliates hacked into the social media website MySpace, and misappropriated user logins and passwords. Id. at 4.

The court held that these actions were excluded under the directors' and liability policy because the underlying claims against Media Breakaway were predicated on alleged “intentional wrongful conduct.” Id. at n.8. The court further held that coverage was barred under a policy exclusion for “profit ' to which such Insured is not legally entitled,” since Media Breakaway had profited from illegal actions. Id. at 24-25.

Next month, we will discuss other court decisions on the question of insurance coverage for data breaches, as well as settlements in this area.

Ellen Farrell is a Counsel in Crowell & Moring LLPs Insurance/Reinsurance practice group. Kathryn Linsky is an Associate in the same practice group.

Each day, businesses become progressively more dependent on computers and the Internet to gather, store and protect information. But, as sophisticated as this technology may be, it has also proven to be susceptible to breaches, which have time and again resulted in the unauthorized access of confidential information.

These breaches can be incredibly costly to companies. According to a recent study by Symantec, the average total organizational cost of a data breach to a U.S. company has reached a staggering $5,403,644. See, http://bit.ly/UAbyLI. And, as in the case of the recent Target breach, many millions of individuals have potentially had their personal information compromised, so the cost of a data breach may be many times the Symantec average.

As more companies have experienced data breaches, we have seen an increasing number of disputes over whether insurance policies will help pay for them. In this article, we have compiled cases that have addressed (or are addressing) coverage for these breaches and have divided those cases into three categories: decided, settled and pending. As set forth below, many (but not all) of these cases have focused on whether the breached data was covered property, whether there had been a “personal or advertising injury,” or whether the policyholder's conduct was intentional.

Rulings in Breach Coverage Cases

In one of the earliest cases involving coverage for an electronic data breach, a Florida district court held that there was no coverage under a crime insurance policy, which insured damage to “'tangible property ' that has intrinsic value.'” Peoples Telephone Co. Inc. v. Hartford Fire Ins. Co. , 36 F. Supp. 2d 1335 (S.D. Fl. 1997).

The underlying breach in that case involved employee theft. An employee of Peoples Telephone, which provided mobile phones to rental car fleets, allegedly stole identification numbers and sold them to third parties, who in turn used the numbers to program, activate and use other phones, and to run up hundreds of thousands of dollars in unauthorized charges. Id. at 1336-37. Peoples Telephone argued that the crime policy issued by Hartford Fire covered this action because the stolen identification numbers constituted covered property, which the policy defined as tangible property with intrinsic value. Id. at 1337. The court rejected this argument, holding that the identification numbers could not “be said to have intrinsic value since, without reference to cellular phones, they have no meaning or use.” Id. at 1339.

Ten years later, a California state court likewise held that a commercial general liability (CGL) policy did not provide coverage for an alleged data breach because the policyholder had intentionally breached a third party's systems, and because there was no “personal or advertising injury” (i.e., injury “arising out of ' oral or written publication of material that violates a person's right to privacy”) under the policy. Tom Joseph Santos v. Peerless Ins. Co., 2009 Cal. App. LEXIS 3415 (Cal. Ct. App. Apr. 30, 2009).

The policyholder in that case, Santos, was an officer and owner of a company that had been authorized to resell and provide services for Apple products. In the course of a business dispute between Santos and Apple, the latter claimed that Santos had breached Apple's computer network to access non-public information. Id. at 3. Santos sought a defense and coverage from its insurer, Peerless, for that claim.

The court concluded that there was no coverage under the policy because, due to Santos' intentional acts, there was no occurrence under the policy's insuring agreement relating to “bodily injury/property damage.” Indeed, Santos had admitted that he “was deliberately misusing Apple's website to obtain information that he was not supposed to have to use as ammunition against Apple in a lawsuit ' .” Id. at 20. The court likewise held that there was no coverage under the policy's insuring agreement for “personal or advertising” injury, because Apple had not alleged that Santos had violated Apple's privacy rights. Id. at 23.

In 2009, a California federal court similarly held that an insurer had no duty to defend a policyholder that had intentionally misappropriated data. Greenwich Ins. Co. v. Media Breakaway, LLC, 2009 U.S. Dist. LEXIS 63454 (C.D. Ca. 2009). That policyholder, Media Breakaway, is an online marketing company that rewarded its contractors (or “affiliates”) for directing Internet traffic to its websites. The affiliates hacked into the social media website MySpace, and misappropriated user logins and passwords. Id. at 4.

The court held that these actions were excluded under the directors' and liability policy because the underlying claims against Media Breakaway were predicated on alleged “intentional wrongful conduct.” Id. at n.8. The court further held that coverage was barred under a policy exclusion for “profit ' to which such Insured is not legally entitled,” since Media Breakaway had profited from illegal actions. Id. at 24-25.

Next month, we will discuss other court decisions on the question of insurance coverage for data breaches, as well as settlements in this area.

Ellen Farrell is a Counsel in Crowell & Moring LLPs Insurance/Reinsurance practice group. Kathryn Linsky is an Associate in the same practice group.