As businesses are quickly learning, companies today have no choice but to confront the risks presented by the proliferation of cyber-based attacks targeting their confidential business information. Faced with this growing threat, many companies have begun taking steps to fortify the security measures protecting their informational and technological infrastructure in the hope of preventing a cyber-attack. In addition, many companies have purchased cyber liability insurance policies that may provide indemnification and defense coverage following a cyber-based incident. This article examines four recent insurance coverage lawsuits stemming from cyber-based incidents.
Cyber-Attacks
In this technological era, headlines lamenting massive data breaches are commonplace. For example, in 2013, Target Corporation suffered a well-publicized data breach that exposed private information concerning 40 million debit and credit card accounts. Then, in 2014, hackers supposedly affiliated with North Korea breached Sony Corporation's servers and leaked a wide range of highly sensitive business information. That same year, Home Depot fell victim to a data breach that exposed the payment cards and e-mail addresses of nearly 56 million of its customers. In 2015, health insurer Anthem Inc. was attacked by cyber hackers who obtained data such as names, birthdates, Social Security numbers, medical IDs, addresses and income on tens of millions of current and former Anthem customers and employees. The foregoing examples are only a handful of the now-seemingly ubiquitous corporate data breaches that leave individuals' private and sensitive information exposed and vulnerable to misuse or exploitation.
A data breach threatens not only to reveal confidential personal or business information, but it can also result in significant legal liability for companies as a result of the litigation that often follows. Sony, for instance, reportedly paid upwards of $8 million to settle claims from employees whose personal information was leaked following the 2014 computer hack. It was even more costly for Target, which reportedly reached a settlement following its 2013 data breach in which it agreed to reimburse thousands of financial institutions as much as $67 million in costs associated with that cyber-breach. The lawsuits that follow a data breach often add insult to injury: After a company weathers the immediate negative media attention and financial repercussions that come with a high-profile data breach, it then must endure costly legal battles that seek remuneration on behalf of those directly affected by the taking of private information.
As a result, the need to guard against cyber-attacks is paramount. According to a recent Wall Street Journal report, J.P. Morgan Chase & Co., for example, expects to boost its cyber-security budget to about $500 million in 2016, a number nearly double what it spent in 2015. Importantly, though, merely increasing cyber-security expenditures to minimize the risk of a cyber-attack is not enough. This is why companies are now beginning to purchase cyber insurance policies, so that businesses are better able to mitigate potential liability risk in the event a cyber-attack is successful.
Insurance Coverage Lawsuits Stemming from Cyber-Attacks
To date, there have only been a handful of insurance coverage cases stemming from a cyber-attack. Below is a discussion of four recent cases.
1. Zurich American Ins. Co. v. Sony Corp. of America, et al.
Zurich American Insurance Co. v. Sony Corp. of America, Index No. 651982/2011 (N.Y. Sup. Ct., filed July 20, 2011), was an insurance coverage dispute concerning whether the theft of electronic data was covered under a commercial general liability policy. The coverage dispute arose after computer hackers obtained unauthorized access to, and stole personal identification and financial information of, users of Sony's PlayStation network. As a result of that hack, users of Sony's PlayStation network sued various Sony entities in 58 class action complaints in the United States and Canada. The class action complaints generally alleged that the Sony customers were harmed because of: 1) the unauthorized access to and alleged theft of their personal identification and financial information maintained on Sony's PlayStation servers; and 2) Sony's delay in notifying affected customers of the cyber-attack and the accessing of their personal and financial information. In response, Sony tendered defense of the class action complaints to Zurich American Insurance Company and Zurich Insurance Company Ltd. (collectively, “Zurich”), seeking defense coverage and indemnification.
Zurich filed a complaint against Sony seeking a declaration that it was not obligated to defend or indemnify Sony. Alternatively, the complaint sought a declaration as to the proper allocation or apportionment of any defense or indemnity obligations as between Sony, Zurich and certain of Sony's other insurers to which Sony also tendered defense of the class action complaints. Zurich primarily argued that the claims in the class action complaints arising out of the cyber-attack did not constitute claims for “personal and advertising injury,” which the Zurich policy defined as an injury, among other things, arising out of the “oral or written publication in any manner of the material that violates a person's right to privacy.”
In its bench ruling on the parties' cross motions for summary judgment, the trial court agreed with Zurich. While the court recognized that the Sony users' personal information had been technically “published” under the “personal and advertising injury” provision, it interpreted that provision to require that the policyholder itself (i.e., Sony) be the actor who publishes the information. The court ruled that this did not happen, as the “publication” of Sony users' data was done by the hackers who stole the information, not Sony. Thus, because in the court's opinion the applicable provision of the Zurich policy did not provide coverage for the intentional acts of third parties, the court granted Zurich's motion and held that Zurich had no duty to defend or indemnify Sony for the class action complaints.
Sony appealed the trial court's ruling to the New York Appellate Court. Two months after the Appellate Court heard oral argument on Sony's appeal, the parties settled the dispute by stipulating to a withdrawal of Sony's appeal and dismissal of the case with prejudice.
2. Recall Total Information Mgmt., Inc. v. Federal Ins. Co.
Recall Total Information Management, Inc. v. Federal Insurance Co., 147 Conn. App. 450 (2014), aff'd, 317 Conn. 46 (2015), involved an insurance dispute that arose when Recall Total Information Management, Inc. (“Recall”), a record storage company, and Executive Logistics, Inc. (“Ex Log”), Recall's transportation subcontractor, lost, in transit, data tapes containing employment-related data for 500,000 International Business Machines (“IBM”) employees. The information consisted of birthdates, Social Security numbers and contact information. IBM immediately took steps to prevent the dissemination of this personal information, including notifying potentially affected employees and providing one year of credit monitoring for those who could be affected. IBM claimed a total of more than $6 million in expenses for the mitigation measures it took and entered into a negotiated settlement with Recall for the full amount of the loss.
Thereafter, Recall sought indemnification from Ex Log. Under Recall's contract with Ex Log, the latter was required to maintain various insurance policies, including a $2 million commercial general liability policy and a $5 million umbrella liability policy. Following Recall's request for indemnification, Ex Log sought coverage from its insurers, but the insurers denied coverage. Following that denial of coverage, Recall and Ex Log entered into a settlement agreement whereby Ex Log, among other things, assigned all of its rights under the insurance policies to Recall.
Shortly thereafter, Recall sued the insurers for breach of contract. The insurers moved for summary judgment, arguing that: 1) they had no duty to defend with respect to IBM's demand and the negotiations that followed; and 2) Recall's loss was not covered by the policy. The trial court granted summary judgment for the insurers, finding that the insurers had no duty to defend Recall in its settlement negotiations with IBM and that the data loss was not covered under the policy.
Recall appealed. The appellate court first affirmed that the insurers had no duty to defend Recall with respect to the negotiations that followed IBM's demand against Recall. The court held that the term “suit” under the policy (for purposes of establishing when a duty to defend is owed) was not meant to encompass negotiations following a demand.
The appellate court then addressed Recall's argument that the trial court misinterpreted the personal injury provision in the policy. The policy at issue provided coverage for “personal injury,” which the policy defined as “injury, other than bodily injury, property damage or advertising injury, caused by an offense of … electronic, oral, written or other publication of material that … violates a person's right to privacy.” Recall maintained that this language covered the cost of notifying the affected employees following the loss of the data tapes because the confidential information stored on those tapes, including Social Security information and other private data, had been published to the thief and/or other persons unknown. The Appellate Court disagreed, disputing that the information on the tapes had been published. According to the Appellate Court, “the dispositive issue [was] not the loss of the physical tapes themselves; rather, it [wa]s whether the information in them ha[d] been published.” The Appellate Court held that Recall had failed to cite any evidence that the information on the tapes was ever accessed by anyone. Accordingly, the Appellate Court found that the settlement Recall reached with IBM was not covered under the policy's personal injury provision, and affirmed summary judgment for the insurers.
3. Travelers v. Federal Recovery Services, Inc.
While Sony and Recall Total involved the application of a traditional commercial general liability policy to a data breach, the case of Travelers v. Federal Recovery Services, Inc., No. 14 Civ. 170 (D. Utah 2015), generated a coverage ruling interpreting traditional insurance law concepts contained in a cyber insurance policy.
In Travelers, the insured, Federal Recovery Services, Inc. (“FRS”), provided processing, storage, transmission and other handling of electronic data for its customers. One of FRS's clients was Global Fitness Holdings, LLC (“Global Fitness”), which contracted with FRS to have the latter process Global Fitness's gym members' payments under a Servicing Retail Installment Agreement (“Servicing Agreement”). The Servicing Agreement provided, in part, that FRS would retain the only copy of the member accounts data on behalf of Global Fitness. In connection with a corporate transaction with another gym, Global Fitness agreed to transfer all of its member accounts data to the other gym. In order to do so, though, Global Fitness needed FRS to return the original member data to Global Fitness. After several unsuccessful efforts to obtain all the member account data from FRS, Global Fitness filed suit, alleging, inter alia, that FRS wrongfully withheld the member data unless and until Global Fitness provided significant compensation beyond what was provided for in the Servicing Agreement.
FRS tendered defense of the lawsuit to Travelers Property Casualty Company of America (“Travelers”), which had issued a CyberFirst insurance policy to FRS. Included in the policy was a Technology Errors and Omissions Liability form, which stated that Travelers “will pay those sums that the insured must pay as 'damages' … caused by an 'errors and omissions wrongful act.'” The policy defined “errors and omissions wrongful act” as meaning “any error, omission or negligent act.” Prior to accepting FRS's tender of defense, Travelers filed a declaratory relief action seeking a determination that it did not owe FRS a duty to defend. When Travelers later accepted FRS's tender of defense, it did so under a full and complete reservation of rights. FRS then moved for partial summary judgment seeking a determination that Travelers did owe FRS a duty to defend.
Travelers argued that the Global Fitness action did not trigger its duty to defend FRS because the allegations against FRS did not allege damages arising from any error, omission or negligent act. The District Court agreed. In denying FRS's motion for partial summary judgment, the court found that Global Fitness's allegations against FRS did not include any claims of error, omission or negligence. Rather, Global Fitness alleged that FRS knowingly withheld the member accounts data and refused to turn it over to Global Fitness until Global Fitness met certain compensation demands. In the court's view, these allegations sounded in “knowledge, willfulness, and malice,” not negligence. Consequently, the court held that Travelers had no duty to defend FRS against Global Fitness's allegations.
4. Columbia Casualty Co. v. Cottage Health System
Like the Travelers case, Columbia Casualty Co. v. Cottage Health System, No. 15 Civ. 3432 (C.D. Cal. 2015), was an insurance coverage dispute under a cyber liability insurance policy. But Columbia Casualty, unlike Travelers, involved a true electronic data breach incident.
This matter arose out of a data breach that resulted in the release of electronic private health care patient information for over 32,000 individuals stored on network servers owned, maintained and utilized by Cottage Health System (“Cottage”). Following that data breach, Cottage faced a class action lawsuit in which plaintiffs asserted claims against Cottage based on its alleged breach of California's Confidentiality of Medical Information Act. In addition, the California Department of Justice (“DOJ”) opened an investigation following the breach to determine whether Cottage complied with its obligations under HIPAA and related state and federal laws. The class action complaint alleged that the breach occurred because Cottage and one of its service vendors stored medical records on a system fully accessible to the internet, but without any encryption or security safeguards to keep the information private. A settlement of $4.125 million was reached in the underlying class action.
Columbia Casualty Co. (“Columbia”), as Cottage's insurer, agreed to fund the settlement, subject to a complete reservation of rights. Columbia had issued to Cottage a “NetProtect 360” claims-made liability policy for the policy period covered by the data breach and resulting class action (“Policy”). The Policy provided $10 million in coverage for damages arising out of privacy injury claims (such as the class action lawsuit) and privacy regulation proceedings (such as the DOJ investigation). Significantly, the Policy contained a “Failure to Follow Minimum Required Practices” exclusion, which relieved Columbia from having to cover any loss based upon the failure of its insured to continuously implement the risk control procedures identified in the insured's insurance application. In its application, Cottage made several representations in the “Risk Control Self Assessment” questionnaire attesting to the security settings, configurations and oversight Cottage provided to its system network.
Subsequent to funding the settlement, Columbia filed a declaratory judgment action against Cottage seeking a declaration that it was not obligated to provide Cottage with coverage and was entitled to reimbursement of all costs arising out of the settlement of the class action proceeding. Based upon the allegations in the complaint, there did not appear to be any dispute that the data breach, resulting lawsuit and DOJ investigation implicated the Policy. Columbia thus sought a declaration that it had no duty to defend on two main grounds: the minimum required practices exclusion and the misrepresentation defense. As to the minimum required practices exclusion, Columbia principally argued that it was entitled to disclaim coverage because Cottage failed to continuously implement the risk management protocols identified in its insurance application. Specifically, Columbia claimed that the privacy claims resulting from the class action were excluded from coverage because Cottage: 1) permitted anonymous user access, which made electronic personal information publicly available via a simple Google search; 2) failed to replace factory default settings to ensure that information security systems were securely configured; and 3) failed to regularly check and maintain security patches on its system.
Relatedly, Columbia cited to the Policy's provision that precluded coverage if the Policy's application contained any material misrepresentations or omissions. In particular, the application required Cottage to warrant that it maintained all risk controls identified in its application. Columbia claimed that the data breach at issue was caused by Cottage's failure to maintain the application's risk controls, by, among other things, failing to replace factory default settings to ensure that its information security systems were securely configured. Columbia, therefore, alleged that Cottage's application contained material misrepresentations and/or omissions, such that Columbia was not obligated to defend or indemnify Cottage under the Policy.
Columbia's lawsuit against Cottage did not progress far. On June 18, 2015, after Columbia filed suit, Cottage moved to dismiss on the ground that Columbia failed to comply with the Policy's mandatory alternative dispute resolution requirement, which called for the parties to mediate any disputes prior to commencing litigation. On July 17, 2015, the district court granted Cottage's motion to dismiss and dismissed Columbia's complaint without prejudice so that the parties could pursue the mediation called for by the Policy.
Important Takeaways
As the foregoing makes clear, litigation involving cyber- or technology-based incidents, and the role of insurance coverage in this burgeoning practice area, are increasing. While there have been relatively few substantive decisions to date analyzing the scope and effect of pure cyber liability insurance policies, the cases thus far offer important insights for participants in the cyber liability insurance arena. For one, despite the uniquely technological fact patterns, cyber insurance disputes will inevitably rely upon and draw heavily from traditional insurance law principles.
As Sony, Travelers and Recall Total illustrate, the outcome of cyber insurance disputes will often turn on the interpretative principles and case law established in the non-cyber insurance law context, such as jurisprudence involving errors and omissions or commercial liability precedents. In addition, as demonstrated in the Columbia action, negotiating the best possible cyber policy language is crucial. Because cyber liability issues do not fit neatly within traditional liability policy language, it is important for insurers to understand the unique potential risk profile associated with technological or cyber issues and draft language that helps minimize the insurer's possible exposure.
Chet A. Kronenberg, a member of this newsletter's Board of Editors, is a litigation partner in the Los Angeles office of Simpson Thacher & Bartlett LLP. Tyler Z. Bernstein is a litigation associate in the same office.