Data breaches are part of the technological age. Indeed, 2013 was dubbed the year of the “mega breach,” and in 2014, as of October, there had been 621 publicly reported data breaches, exposing 77,890,487 records. See, Identity Theft Resource Center, 2014 Data Breach Category Summary (Oct. 21, 2014). In early October 2014, JPMorgan Chase reported a data breach affecting as many as 76 million households and 7 million small businesses, making it one of the largest data breaches ever reported.
A data breach typically involves the unauthorized release or access of personal or confidential information. Personal information includes names, addresses, Social Security numbers, financial information, or health information. In addition to personal information, a data breach can also jeopardize a company's confidential information such as client records, trade secrets, privileged legal information, or employee records. Although many associate data breaches with hackers or cyberattacks, human error, such as a mistake in computer coding or losing a company laptop, also has resulted in significant breaches. A 2014 study concluded that 44% of data breaches were from malicious or criminal attacks against an organization, but 31% resulted from employee negligence and 25% resulted from system glitches.
The losses associated with data breaches are significant. The total average cost from breaches in 2014 was $5.9 million, with each lost or stolen record estimated to cost an organization $201. See, Ponemon Inst., LLC, 2014 Cost of Data Breach Study: United States 17 (2014). In addition to lost profits, companies involved in a breach face reputational harm and may face physical damage to their technology systems, software, or hardware. They also incur the cost of remediating the harm to individuals or organizations whose information was disclosed, providing them with notice of the breach, a call center for information, credit monitoring, and identity fraud recovery services. Victims of a data breach also may incur costs retaining specialized breach response firms to help identify and repair the cause of the breach, and public relations agencies to restore their image. Additionally, they may face the costs associated with lawsuits over the breach, and administrative actions against them.
Is there insurance coverage when a company's data goes viral? Maybe. This article explains the traditional insurance products that may provide a policyholder with insurance coverage for data breaches, and some of the newer products available to policyholders for these risks. It also considers the mixed law developing around these matters, analyzing the recent New York trial court decision in Zurich American Insurance Co. v. Sony Corporation, Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), involving a dispute relating to coverage for a data breach under a commercial general liability (CGL) policy for a hacking incident.
Coverage for Data Breach Losses Under Traditional Policies
Many companies have yet to buy cyberliability insurance policies, and instead turn, albeit with mixed success, to their CGL, directors' and officers' liability (D&O), errors and omissions (E&O), fidelity, and property policies when they suffer a cyberattack. Most standard form CGL policies provide coverage for property damage and bodily injury (Coverage A), as well as personal and advertising injury (Coverage B). CGL policies typically insure against property damage, defined as “physical injury to tangible property, including all resulting loss of use of that property” and “loss of use of tangible property that is not physically injured.” The Personal and Advertising Injury sections cover losses from certain enumerated wrongful acts, including “[o]ral or written publication, in any manner, of material that violates a person's right of privacy.” See, e.g., ISO Commercial General Liability Coverage Form, Form No. CG 00 01 12 07.
Some policyholders have sought coverage for a data breach, where the breach has caused property damage including the loss of use, value, or function of property. Traditional CGL and first-party property policies protect against physical damage to, or loss of, tangible property. One of the key coverage issues under these policies is whether the loss of electronic data constitutes damage to, or loss of, property. Indeed, some policies specifically exclude damage to data or other electronic property, or note that electronic data is not “tangible property.” Some also include an exclusion for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” See, e.g., ISO Building and Personal Property Coverage Form, Form No. CG 00 10 10 12. In the absence of a specific exclusion, however, court decisions have been mixed as to whether the loss of use, value, and function of electronic data is a loss of physical or tangible property.
In Eyeblaster, Inc. v. Federal Insurance Company, 613 F.3d 797 (8th Cir. 2010), for example, the Eighth Circuit Court of Appeals found coverage for an insured whose internet advertising system infected its customers' computers with spyware. There, a third party alleged that his computer, software, and data were injured when he visited the policyholder's website. The policyholder, an online marketing campaign management company, distributed clients' ads using cookies, JavaScript, and Flash technology, but not spyware. When the third party sued, the policyholder sought coverage under its CGL policy, and its E&O policies. Its insurer denied coverage, arguing that there was neither bodily injury nor property damage as required to trigger coverage under the CGL policy; it also relied on its CGL policy's exclusion for “software, data or other information that is in electronic form.” As to its E&O policy, the insurer argued that it was not implicated as there was no coverage for intentional acts, even if they result in unintentional damage.
The Court of Appeals held there was the potential for coverage, finding that the insurer's CGL policy excluded certain software and data in electronic form, but that the involved computer was clearly tangible property, and the alleged loss of it constituted “property damage” within the meaning of the plaintiff's policy. It also concluded that the underlying complaint alleged conduct that was intentional, such as installing tracking cookies, Flash technology, and JavaScript, but that there was no evidence that this conduct was intentionally wrongful (as opposed to negligent). Applying Minnesota law, the court concluded that the insurer was obligated to defend the underlying claim, which was arguably covered, in part, under both involved policies.
Other courts have interpreted the term “property damage” in combination with “tangible property” to preclude recovery for losses resulting from data breaches. A federal district court in Georgia, for example, recently considered whether a policy's coverage for “direct physical loss of or damage to Covered Property” applied to the unauthorized access of an online banking system to make fraudulent payments from clients' escrow accounts. Metro Brokers, Inc. v. Transp. Ins. Co., 2013 WL 7117840 (N.D. Ga. Nov. 21, 2013). According to the court, the policy's exclusions for “malicious code” and “system penetration” made it clear the policy was drafted to “eliminate coverage for any and all losses resulting from an internal or external breach to the insured's electronic systems and/or data.” Id. at 2. In addition, the court concluded the electronic transfers did not meet the policy's definition of “forgery” because the court characterized forgery as applying only to “traditional” negotiable instruments, not electronic transmissions. Id. at 4-5.
D&O policies provide defense costs and indemnification for claims arising from the wrongful acts of the policyholder's “directors and officers” committed in connection with their corporate responsibilities. E&O policies are intended to cover losses or liabilities related to wrongful acts a policyholder commits in the course of its professional services. Many of these policies exclude intentional wrongdoing and/or wrongful acts that violate certain laws; they instead require that culpability for wrongful acts amount to no more than negligence or judgment errors. See, e.g., Greenwich Ins. Co. v. Media Breakaway LLC, 417 Fed.App'x 642 (9th Cir. 2011) (finding no coverage for online marketer that sent unauthorized spam to MySpace users' accounts by “phishing” or using “phished” names and passwords because policy excluded coverage for intentional conduct.)
By way of illustration, a federal court in National Union Fire Insurance Co. of Pittsburgh v. Coinstar Inc., 2014 WL 868584 (W.D. Wash. Feb. 28, 2014), recently held that an exclusion for a “violation of statute in connection with sending, transmitting or communicating any material or information” precluded coverage for the hacking of a policyholder's video rental kiosks, known to many as Redbox. There, the policyholder sought coverage for a putative class action relating to the way it operated its automated DVD-vending machines. To rent a movie, customers input personal information, which the policyholder allegedly used for marketing purposes. It also disclosed the information to third parties without customers' express consent.
The insurer's policies provided coverage for “personal injury and advertising injury” liability arising out of “oral or written publication, in any manner, of material that violates a person's right of privacy.” They excluded, however, coverage “for any injury that arises from 'any act that violates any statute ... that addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever.'” The insurer sought a declaration that it had no coverage obligation, arguing that the putative class action did not implicate personal or advertising injury coverage because it did not allege there was a publication, and because the “Violation of Statutes” exclusion applied. The court did not get to the publication issue, because it agreed that the “Violation of Statutes” exclusion barred coverage because the putative class alleged violation of the Video Privacy Protection Act (VPPA).
The law remains mixed as to whether data breaches trigger personal and advertising injury coverage for alleged violation of one's rights to privacy, in part because courts have differed over the meaning of “publication.” Some courts have found that publication requires a showing that someone accessed the information, even if it was a single person or entity. See, e.g., Recall Total Info. Mgmt., Inc. v. Fed. Insur. Co., 83 A.3d 664 (Conn. App. Ct. 2014) (finding loss of computer tapes was insufficient to prove publication). Other courts have found publication even absent proof that anyone accessed the confidential records. See, Travelers Indem. Co. of Amer. v. Portal Healthcare Solutions, LLC, 2014 WL 3887797 5 (E.D. Va. Aug. 7, 2014) (finding “[p]ublication occurs when information is 'placed before the public,' not when a member of the public reads the information placed before it.”). Insurers have argued that publication means some type of public dissemination. A New York court recently addressed this issue in a high-profile coverage dispute involving Sony Corporation. See, Zurich Am. Ins. Co. v. Sony Corp. of Am., Dkt. No. 651982/2011, 2014 NY Slip Op 83802 (N.Y. App. Div. [1st Dept.] 2014).
The Sony Decision And Its Implications For Data Breach Coverage
Hackers, in April 2001, launched a series of cyberattacks against Sony's PlayStation Network, Qriocity services, and the network platform for the Sony Online Entertainment Network. Sony develops and markets PlayStation video game devices and consoles that enable users to play games, connect to the internet, access Sony Online Entertainment Services and the Play Station Network, purchase video games and movies, and access prepaid third-party services such as Netflix. Hackers ultimately obtained users' personal information, including names, addresses, and credit card information.
Over 60 putative class action lawsuits for privacy violations were filed against various Sony subsidiaries and affiliates (collectively, Sony) following the attacks. Sony tendered the suits to its insurers under the Personal and Advertising Injury provisions of its CGL policies. The insurers denied coverage and filed suit seeking a declaration that they had no duty to defend or indemnify Sony.
The Sony coverage dispute presented three issues: 1) whether a data breach, without more, constitutes “publication”; 2) whether the policyholder has to commit the publication to trigger coverage; and 3) whether the “Insureds in Media and Internet Type Businesses” exclusion applies to policyholders whose businesses involve the internet, but are not primarily or exclusively related to the internet.
The insurers urged that the “Insureds in Media and Internet Type Businesses” exclusion precluded coverage. The exclusion bars coverage when the insured's business is:
The insurers contended that some of Sony's subsidiaries were “principally” engaged in activities falling within the exclusion. A New York trial court recognized that Sony provides access to the Internet, but characterized Sony's business as a “hybrid” of activities, rather than “just pure access” to the Web, such as Google or Internet Explorer. Therefore, it refused to interpret the exclusion in a way that would broaden the exclusion's reach to policyholders, like Sony, whose hybrid of activities includes some excluded activities.
The insurers also argued that there was no covered wrongful act, as there was no “publication,” let alone “publication in any manner, of material that violates a person's right of privacy.” Sony urged that the use of the phrase “in any manner” in defining publication included negligent disclosure and failure to protect the information. The insurers, however, argued that publication involves public dissemination, and that there was no evidence or allegation of public dissemination.
The trial court agreed with Sony, holding that there was a publication when hackers accessed and stole the data:
Because, I look at it as [a] Pandora's box. Once it is opened it doesn't matter who does what with it. It is out there. It is out there in the world, that information. And whether or not it's actually used later on to get any benefit by the hackers, that in my mind is not the issue. The issue is that it was in their vault. ... But now you have opened it up. You cannot ignore the fact that it's opened for everyone to look at.
Transcript of Record (Record) at 42:4-17.
Thus, according to the court, “merely opening up that safeguard or that safe box where all of the information was, in my mind my finding is that that is publication.” Id. at 77:4-8.
The court then turned to who had to commit the wrongful publication. The insurers argued that the policy required that Sony commit the publication for it to be covered. Sony took the position that nothing in the policy language required the policyholder to commit the publication. Indeed, Sony noted that the relevant provision included the phrase “in any manner,” and it modified the publication language to include third-party acts. Id. at 33:10-14; 63:25-64:3. Sony further argued that if the insurer's intent was to limit coverage to the policyholder's acts, it could have expressly done so, as it had done in other policy sections. Id. 33:15-22. Sony pointed out that the Insuring Agreement required only that the “Personal and Advertising Injury” arise from its business, in the coverage territory, and during the policy period. Id. 35:3-18. It further complained that the insurers' reading of the policy implied an exclusion not found in the policy.
The insurers argued that the phrase “in any manner” referred to means of publication, such as e-mails, handwritten letters or faxes, not to who performed the publication. Id. at 55:13-21; 56:24-57:3 (citing Creative Hospitality Ventures v. U.S. Liab. Ins. Co., 2011 WL 4509919 (11th Cir. 2011)). The court agreed with the insurers that the policyholder had to commit the publication. Id. at 78-80. As Sony did not publish the data, the court held its coverage was not triggered, and the insurers had no duty to defend or indemnify. Id. Cross appeals followed, and the matter remains pending on appeal.
The Sony decision, if upheld on appeal and/or followed by other courts, would reduce the availability of coverage for losses stemming from data breaches. Although the New York trial court's interpretation of the term “publication” is helpful to policyholders suffering a data breach, its decision that the policyholder must commit the publication to obtain coverage could eliminate coverage for those that are the victims of hacking or cyberattacks. If the court's view were persuasive to other courts, companies that are not involved in the data breaches may have limited coverage against losses caused exclusively by third parties. Whether the decision's reasoning will be used by insurers as a basis to deny coverage for data breaches committed by third parties, such as vendors, information technology contractors, or consulting companies, remains to be seen.
Cyberliability Insurance Developments
In response to the increased risks posed by data breaches, insurers now offer cyberliability policies to respond to these risks; they also have included cyberliability-related exclusions in traditional policies. Indeed, effective May 2014, ISO introduced new exclusions for use with its CGL and commercial liability umbrella policies. See, e.g., ISO Circular, Commercial Liability Umbrella LI-CU-2013-059, General Liability LI-GL-2013-143 (ISO Aug. 28, 2013); ISO, Access or Disclosure of Confidential or Personal Information Exclusions Introduced, Commercial Liability Umbrella Forms Filing CU-2013-ODBFR (ISO 2013). These new exclusions are specifically targeted to address data breaches, the disclosure of personal information, and notification and credit monitoring for impacted individuals.
The new exclusion for use with Coverage A, Access or Disclosure of Confidential or Personal Information and Data-Related Liability - Limited Bodily Injury Exception Not Included, provides the following:
This insurance does not apply to:
Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
ISO Form No. CU 21 87 05 14, Exclusion - Access or Disclosure of Confidential or Personal Information and Data-Related Liability - with Limited Bodily Injury Exception Not Included (ISO 2013).
ISO also promulgated exclusions for use in the Advertising and Personal Injury section of CGL policies. The new Access or Disclosure of Confidential or Personal Information exclusion states:
This insurance does not apply to:
“Personal and advertising injury” arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.
Electronic Data Liability, ISO Form No. CG 04 37 05 14; Exclusion - Access Or Disclosure of Confidential Or Personal Information And Data-Related Liability - With Limited Bodily Injury Exception, ISO Form No. CG 21 06 05 14.
Some of the umbrella exclusions may contain an additional paragraph stating that the exclusion does not alter the coverage afforded under scheduled primary policies. In addition, ISO also offers revised exclusions for “Distribution of Material In Violation of Statutes.” See, e.g., ISO Commercial General Liability Coverage Form, No. CG 00 68 05 09, Recording and Distribution of Material or Information in Violation of Law Endorsement. Given the array of state and federal privacy and consumer protection statutes, data breaches may trigger these statutes or regulations, and insurers may argue that the latest form of the “Distribution Of Material in Violation Of Statutes” exclusion bars or limits coverage.
Next month, we conclude this discussion of the changes to that endorsement.
Sherilyn Pastor, a member of the Board of Editors of our sibling newsletter, The Insurance Coverage Law Bulletin, leads McCarter & English's Insurance Coverage Group. She is Co-Chair of the ABA's Insurance Coverage Litigation Committee, holds an AV Preeminent Rating from Martindale-Hubbell, and has been honored as a New Jersey Super Lawyer since 2006. Kelly Lloyd is an associate in the Insurance Coverage Group, representing clients in complex insurance coverage litigation. We welcome Ms. Lloyd to our Board of Editors with this issue.
Data breaches are part of the technological age. Indeed, 2013 was dubbed the year of the “mega breach,” and in 2014, as of October, there had been 621 publicly reported data breaches, exposing 77,890,487 records. See, Identity Theft Resource Center, 2014 Data Breach Category Summary (Oct. 21, 2014). In early October 2014,
A data breach typically involves the unauthorized release or access of personal or confidential information. Personal information includes names, addresses, Social Security numbers, financial information, or health information. In addition to personal information, a data breach can also jeopardize a company's confidential information such as client records, trade secrets, privileged legal information, or employee records. Although many associate data breaches with hackers or cyberattacks, human error, such as a mistake in computer coding or losing a company laptop, also have resulted in significant breaches. A 2014 study concluded that 44% of data breaches were from malicious or criminal attacks against an organization, but 31% resulted from employee negligence and 25% resulted from system glitches.
The losses associated with data breaches are significant. The total average cost from breaches in 2014 was $5.9 million, with each lost or stolen record estimated to cost an organization $201. See, Ponemon Inst., LLC, 2014 Cost of Data Breach Study: United States 17 (2014). In addition to lost profits, companies involved in a breach face reputational harm and may face physical damage to their technology systems, software, or hardware. They also incur the cost of remediating the harm to individuals or organizations whose information was disclosed, providing them with notice of the breach, a call center for information, credit monitoring, and identity fraud recovery services. Victims of a data breach also may incur costs retaining specialized breach response firms to help identify and repair the cause of the breach, and public relations agencies to restore their image. Additionally, they may face the costs associated with lawsuits over the breach, and administrative actions against them.
Is there insurance coverage when a company's data goes viral? Maybe. This article explains the traditional insurance products that may provide a policyholder with insurance coverage for data breaches, and some of the newer products available to policyholders for these risks. It also considers the mixed law developing around these matters, analyzing the recent
Coverage for Data Breach Losses Under Traditional Policies
Many companies have yet to buy cyberliability insurance policies, and instead turn ' albeit with mixed success ' to their CGL, directors' and officers' liability (D&O), errors and omissions (E&O), fidelity, and property policies when they suffer a cyberattack. Most standard form CGL policies provide coverage for property damage and bodily injury (Coverage A), as well as personal and advertising injury (Coverage B). CGL policies typically insure against property damage, defined as “physical injury to tangible property, including all resulting loss of use of that property” and “loss of use of tangible property that is not physically injured.” The Personal and Advertising Injury sections cover losses from certain enumerated wrongful acts, including “[o]ral or written publication, in any manner, of material that violates a person's right of privacy.” See, e.g., ISO Commercial General Liability Coverage Form, Form No. CG 00 01 12 07.
Some policyholders have sought coverage for a data breach, where the breach has caused property damage including the loss of use, value, or function of property. Traditional CGL and first-party property policies protect against physical damage to, or loss of, tangible property. One of the key coverage issues under these policies is whether the loss of electronic data constitutes damage to, or loss of, property. Indeed, some policies specifically exclude damage to data or other electronic property, or note that electronic data is not “tangible property.” Some also include an exclusion for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” See, e.g., ISO Building and Personal Property Coverage Form, Form No. CG 00 10 10 12. In the absence of a specific exclusion, however, court decisions have been mixed as to whether the loss of use, value, and function of electronic data is a loss of physical or tangible property.
The Court of Appeals held there was the potential for coverage, finding that the insurer's CGL policy excluded certain software and data in electronic form, but that the involved computer was clearly tangible property, and the alleged loss of it constituted “property damage” within the meaning of the plaintiff's policy. It also concluded that the underlying complaint alleged conduct that was intentional, such as installing tracking cookies, Flash technology, and JavaScript, but that there was no evidence that this conduct was intentionally wrongful (as opposed to negligent). Applying Minnesota law, the court concluded that the insurer was obligated to defend the underlying claim, which was arguably covered, in part, under both involved policies.
Other courts have interpreted the term “property damage” in combination with “tangible property” to preclude recovery for losses resulting from data breaches. A federal district court in Georgia, for example, recently considered whether a policy's coverage for “direct physical loss of or damage to Covered Property” applied to the unauthorized access of an online banking system to make fraudulent payments from clients' escrow accounts. Metro Brokers, Inc. v. Transp. Ins. Co., 2013 WL 7117840 (N.D. Ga. Nov. 21, 2013). According to the court, the policy's exclusions for “malicious code” and “system penetration” made it clear the policy was drafted to “eliminate coverage for any and all losses resulting from an internal or external breach to the insured's electronic systems and/or data.” Id. at 2. In addition, the court concluded the electronic transfers did not meet the policy's definition of “forgery” because the court characterized forgery as applying only to “traditional” negotiable instruments, not electronic transmissions. Id. at 4-5.
D&O policies provide defense costs and indemnification for claims arising from the wrongful acts of the policyholder's “directors and officers” committed in connection with their corporate responsibilities. E&O policies are intended to cover losses or liabilities related to wrongful acts a policyholder commits in the course of its professional services. Many of these policies exclude intentional wrongdoing and/or wrongful acts that violate certain laws; they instead require that culpability for wrongful acts amount to no more than negligence or judgment errors. See, e.g.,
By way of illustration, a federal court in National Union Fire Insurance Co. of Pittsburgh v. Coinstar Inc., 2014 WL 868584 (W.D. Wash. Feb. 28, 2014), recently held that an exclusion for a “violation of statute in connection with sending, transmitting or communicating any material or information” precluded coverage for the hacking of a policyholder's video rental kiosks, known to many as Redbox. There, the policyholder sought coverage for a putative class action relating to the way it operated its automated DVD-vending machines. To rent a movie, customers input personal information, which the policyholder allegedly used for marketing purposes. It also disclosed the information to third parties without customers' express consent.
The insurer's policies provided coverage for “personal injury and advertising injury” liability arising out of “oral or written publication, in any manner, of material that violates a person's right of privacy.” They excluded, however, coverage “for any injury that arises from 'any act that violates any statute ' that addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever.'” The insurer sought a declaration that it had no coverage obligation, arguing that the putative class action did not implicate personal or advertising injury coverage because it did not allege there was a publication, and because the “Violation of Statutes” exclusion applied. The court did not get to the publication issue, because it agreed that the “Violation of Statutes” exclusion barred coverage because the putative class alleged violation of the Video Privacy Protection Act (VPPA).
The law remains mixed as to whether data breaches trigger personal and advertising injury coverage for alleged violation of one's rights to privacy, in part because courts have differed over the meaning of “publication.” Some courts have found that publication requires a showing that someone accessed the information, even if it was a single person or entity. See, e.g.,
The Sony Decision And Its Implications For Data Breach Coverage
Hackers, in April 2001, launched a series of cyberattacks against Sony's PlayStation Network, Qriocity services, and the network platform for the Sony Online Entertainment Network. Sony develops and markets PlayStation video game devices and consoles that enable users to play games, connect to the internet, access Sony Online Entertainment Services and the Play Station Network, purchase video games and movies, and access prepaid third-party services such as Netflix. Hackers ultimately obtained users' personal information, including names, addresses, and credit card information.
Over 60 putative class action lawsuits for privacy violations were filed against various Sony subsidiaries and affiliates (collectively, Sony) following the attacks. Sony tendered the suits to its insurers under the Personal and Advertising Injury provisions of its CGL policies. The insurers denied coverage and filed suit seeking a declaration that they had no duty to defend or indemnify Sony.
The Sony coverage dispute presented three issues: 1) whether a data breach, without more, constitutes “publication”; 2) whether the policyholder has to commit the publication to trigger coverage; and 3) whether the “Insureds in Media and Internet Type Businesses” exclusion applies to policyholders whose businesses involve the internet, but are not primarily or exclusively related to the internet.
The insurers urged that the “Insureds in Media and Internet Type Businesses” exclusion precluded coverage. The exclusion bars coverage when the insured's business is:
The insurers contended that some of Sony's subsidiaries were “principally” engaged in activities falling within the exclusion. A
The insurers also argued that there was no covered wrongful act, as there was no “publication,” let alone “publication in any manner, of material that violates a person's right of privacy.” Sony urged that the use of the phrase “in any manner” in defining publication included negligent disclosure and failure to protect the information. The insurers, however, argued that publication involves public dissemination, and that there was no evidence or allegation of public dissemination.
The trial court agreed with Sony, holding that there was a publication when hackers accessed and stole the data:
Because, I look at it as [a] Pandora's box. Once it is opened it doesn't matter who does what with it. It is out there. It is out there in the world, that information. And whether or not it's actually used later on to get any benefit by the hackers, that in my mind is not the issue. The issue is that it was in their vault. ... But now you have opened it up. You cannot ignore the fact that it's opened for everyone to look at.
Transcript of Record (Record) at 42:4-17.
Thus, according to the court, “merely opening up that safeguard or that safe box where all of the information was, in my mind my finding is that that is publication.” Id. at 77:4-8.
The court then turned to who had to commit the wrongful publication. The insurers argued that the policy required that Sony commit the publication for it to be covered. Sony took the position that nothing in the policy language required the policyholder to commit the publication. Indeed, Sony noted that the relevant provision included the phrase “in any manner,” and it modified the publication language to include third-party acts. Id. at 33:10-14; 63:25-64:3. Sony further argued that if the insurer's intent was to limit coverage to the policyholder's acts, it could have expressly done so, as it had done in other policy sections. Id. 33:15-22. Sony pointed out that the Insuring Agreement required only that the “Personal and Advertising Injury” arise from its business, in the coverage territory, and during the policy period. Id. 35:3-18. It further complained that the insurers' reading of the policy implied an exclusion not found in the policy.
The insurers argued that the phrase “in any manner” referred to means of publication, such as e-mails, handwritten letters or faxes, not to who performed the publication. Id. at 55:13-21; 56:24-57:3 (citing Creative Hospitality Ventures v. U.S. Liab. Ins. Co., 2011 WL 4509919 (11th Cir. 2011)). The court agreed with the insurers that the policyholder had to commit the publication. Id. at 78-80. As Sony did not publish the data, the court held its coverage was not triggered, and the insurers had no duty to defend or indemnify. Id. Cross appeals followed, and the matter remains pending on appeal.
The Sony decision, if upheld on appeal and/or followed by other courts, would reduce the availability of coverage for losses stemming from data breaches. Although the
Cyberliability Insurance Developments
In response to the increased risks posed by data breaches, insurers now offer cyberliability policies to respond to these risks; they also have included cyberliability-related exclusions in traditional policies. Indeed, effective May 2014, ISO introduced new exclusions for use with its CGL and commercial liability umbrella policies. See, e.g., ISO Circular, Commercial Liability Umbrella LI-CU-2013-059, General Liability LI-GL-2013-143 (ISO Aug. 28, 2013); ISO, Access or Disclosure of Confidential or Personal Information Exclusions Introduced, Commercial Liability Umbrella Forms Filing CU-2013-ODBFR (ISO 2013). These new exclusions are specifically targeted to address data breaches, the disclosure of personal information, and notification and credit monitoring for impacted individuals.
The new exclusion for use with Coverage A, Access or Disclosure of Confidential or Personal Information and Data-Related Liability – Limited Bodily Injury Exception Not Included, provides the following:
This insurance does not apply to:
Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
ISO Form No. CU 21 87 05 14, Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – with Limited Bodily Injury Exception Not Included (ISO 2013).
ISO also promulgated exclusions for use in the Advertising and Personal Injury section of CGL policies. The new Access or Disclosure of Confidential or Personal Information exclusion states:
This insurance does not apply to:
“Personal and advertising injury” arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.
Electronic Data Liability, ISO Form No. CG 04 37 05 14; Exclusion – Access Or Disclosure of Confidential Or Personal Information And Data-Related Liability – With Limited Bodily Injury Exception, ISO Form No. CG 21 06 05 14.
Some of the umbrella exclusions may contain an additional paragraph stating that the exclusion does not alter the coverage afforded under scheduled primary policies. In addition, ISO also offers revised exclusions for “Distribution of Material In Violation of Statutes.” See, e.g., ISO Commercial General Liability Coverage Form, No. CG 00 68 05 09, Recording and Distribution of Material or Information in Violation of Law Endorsement. Given the array of state and federal privacy and consumer protection statutes, data breaches may trigger these statutes or regulations, and insurers may argue that the latest form of the “Distribution Of Material in Violation Of Statutes” exclusion bars or limits coverage.
Next month, we conclude this discussion of the changes to that endorsement.
Sherilyn Pastor, a member of the Board of Editors of our sibling newsletter, The Insurance Coverage Law Bulletin, leads