As discussed in Part One of this article (in the January issue, available at http://bit.ly/1AlvORI), a data breach can jeopardize a company's confidential information such as client records, trade secrets, privileged legal information, or employee records. Although many associate data breaches with hackers or cyberattacks, human error, such as a mistake in computer coding or losing a company laptop, also results in significant breaches.
Is there insurance coverage when a company's data goes viral? Maybe. Part One explained the traditional insurance products that may provide a policyholder with insurance coverage for data breaches, and some of the newer products available to policyholders for these risks. It also considered the mixed law developing around these matters, analyzing the recent New York trial court decision in Zurich American Insurance Co. v. Sony Corporation, Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014). The discussion concludes herein.
Coverage Exclusions
Given the array of state and federal privacy and consumer protection statutes, data breaches may trigger statutes or regulations, and insurers may argue that the latest form of the “Distribution of Material in Violation of Statutes” exclusion bars or limits coverage. The changes to that endorsement are illustrated in the chart to the right.
Insurers contend that these exclusions confirm that they do not intend to cover certain cyber-related risks, including data breaches, under traditional general liability policies. Indeed, brokers have observed that these broader exclusions may be signaling, among the markets that adopt them, an intent to encourage policyholders to purchase cyber and/or media policies to accommodate such risks. See, Marsh, ISO General Liability Form Revisions - Effective April 1, 2013, available at http://usa.marsh.com (last visited Jan. 9, 2015). In fact, insurers now are offering specialized “Cyber Liability” and “Security and Privacy Protection Policies.” ISO, for example, has introduced cyber coverage on standard forms and will be offering a new endorsement for business owner policies. See, e.g., ISO Form No. BP 15 07 03 15.
The policies currently offered vary significantly in terms of the coverage provided. Both first-party and third-party products are available. First-party coverage may insure the policyholder against losses resulting directly from fraudulent input; preparation or modification of data in a policyholder's computer system; cyber-attacks; fraudulent communications causing loss; impairment of services; malicious acts by a person who alters, damages, deletes or destroys company data; instructions or communication that are part of the policyholder's system; fraudulent electronic signatures; and misappropriation of records or data due to a cyberattack or unauthorized hacking. The policy also may cover costs for legal and forensic services, notification to affected individuals, customer credit monitoring, crisis management or public relations services, and business interruption expenses.
Third-Party Liability Policies
Third-party liability policies usually cover losses resulting from claims made against the policyholder. They often reimburse damage to a third party's computer system or content, and protect against claims alleging invasion of privacy; libel, slander or defamation; lost or damaged data; impairment or interruption in services or access; and lost business opportunities or unauthorized access of a customer's account.
Conclusion
The newer insurance products are far from uniform. When purchasing insurance, policyholders should consider the type and magnitude of their risks, and tailor their insurance policies to best meet their individualized needs. To the extent that the policies offered to them contain technical terms of art, or computer- or insurance-related jargon, policyholders should seek advice from their insurance professionals, brokers, or attorneys before they purchase coverage to confirm that it meets their needs and covers risks as they intend.
Following a loss, insureds should consider their factual circumstances, applicable law, and all insurance policies that may respond to their losses. The law is developing, and it remains to be seen how traditional and new insurance forms ultimately will be interpreted and applied by courts.