Examining Coverage for Cyber Risks Under Property and Liability Policies
This article explores courts' differing conclusions when faced with claims for cyber risks under different types of insurance policies, looks at some of the recent cyber-crimes and the direct financial and legal impact on businesses, and posits solutions to address insurance coverage for cyber-related risks.
March 02, 2018 at 03:00 PM
Over the past few years, data breaches have become more frequent and have impacted an increasing number of people. As computer hacking and data breaches become more common, an issue that is often raised is whether, and to what extent, damages resulting from these incidents fall within the coverage of the policies held by the corporate victims of the attacks. This article explores courts' differing conclusions when faced with claims for cyber risks under different types of insurance policies, looks at some of the recent cyber-crimes and the direct financial and legal impact on businesses, and posits solutions to address insurance coverage for cyber-related risks.
A cyber-hacking or data breach event, such as the ones suffered recently by Equifax, Target, Yahoo, and Sonic, typically involves a third party gaining unauthorized access to a company's computer system, stealing customer information, and then using that stolen information to apply for mortgages, credit cards and student loans, tap into bank debit accounts, file insurance claims and tax refunds, and rack up substantial debts. The theft of customers' personal financial information causes direct loss to the company itself, through lost records, reputational damage, business interruption, and costs to correct and repair the damage done by intruders, and may also subject the company to lawsuits from its customers.
Naturally, companies have sought coverage for these cyber-losses from their insurers. An insured seeking to protect itself from losses due to data breaches and cyber-attacks can procure specific first-party policies that will cover such loss. For example, certain property policies have been found to provide coverage for data breaches when the policy contains a specific definition of property to include electronic data.
In NMS Services v. The Hartford, 62 Fed.Appx. 511 (4th Cir. 2003), the Fourth Circuit held that there was coverage under a business property policy for an insured's loss of business and costs to restore records lost when a former employee hacked into the insured's network. Similarly, in Lambrecht & Associates v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. Ct. 2003), the insured suffered direct losses due to a hack of its system. The Texas Court of Appeals found that the insurer could not prove as a matter of law that the damaged property was not covered under the insured's business property policy, which covered “accidental direct physical loss to business personal property.” However, the court also denied the insured's motion for summary judgment, finding an issue of fact as to whether the insured's losses were “accidental.”
Under certain circumstances, crime policies may also provide coverage for the insured's direct loss as a result of a data breach. In Retail Ventures v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) the insured incurred $6.8 million in losses arising from a data breach caused by a hacker that compromised customer credit card and checking account information. The insured was covered by a blanket crime policy, which contained a specific rider that covered computer fraud. As a result, the expenses related to the hack, including attorney fees associated with municipal investigations, were all found to be covered.
Although business property and crime policies may provide coverage for direct losses suffered by the insured as a result of a data breach, there is no coverage for liability to third parties under these policies. For example, in Camp's Grocery v. State Farm Fire & Cas. Co., No. 4:16-cv-0204-JEO, 2016 U.S. Dist. LEXIS 147361 (N.D. Ala. Oct. 25, 2016), the court rejected the insured's argument that an inland marine endorsement in the policy provided coverage for an underlying lawsuit arising from a data breach, holding that the endorsement only provided first-party coverage for certain computer-related losses, and did not provide coverage against claims brought by third parties.
The policies available on the market which may provide coverage for liability due to data breaches are cyber-policies. However, cyber-policies vary, they are not held by all companies, and not all liabilities may be covered. For instance, in P.F. Chang's China Bistro v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. May 26, 2016), the insured's credit card transactions were hacked by a third party. The insurer covered substantially all of the damages suffered directly by the insured as well as the liability claims brought by the insured's customers. However, the district court found that there was no coverage for the fees the insured owed to its credit card service-provider as a result of the breach. Unlike the customers, who suffered a covered “Privacy Injury,” the service-provider did not suffer any covered injury and, as a result, there was no coverage for the fees.
Insureds have also sought coverage for data breaches and cyber-attacks from their commercial general liability insurers. The oft-used theory for coverage for these lawsuits is that the data breach is a covered “publication” under Coverage B of the standard Commercial General Liability policy. While policies may differ, “personal and advertising injury” is typically defined as “injury, including consequential 'bodily injury', arising out of one or more of the following offenses: … e. Oral or written publication, in any manner, of material that violates a person's right of privacy.” The argument raised by insureds in favor of coverage is typically that when a third-party hacker obtains personally identifiable information the “publication” requirement of Coverage B has been satisfied. This, however, has not been a successful argument.
Nationally, courts have generally rested their decisions regarding coverage for data breaches under a CGL policy on whether the insured was responsible for the act of “publication.” Recently, in Innovak Int'l v. Hanover Ins. Co., No. 8:16-CV-2453-MSS-JSS, 2017 U.S. Dist. LEXIS 191271 (M.D. Fla. Nov. 17, 2017), the insured was sued for damages resulting from the release of the underlying claimants' personal private information after the insured was the subject of a data breach. The District Court upheld the insurer's denial of coverage because there was no alleged publication of the personal information by the insured. The District Court explained that even if the hacker's actions in appropriating the personal information could be considered a “publication,” the policy required publication by the insured.
The Innovak holding followed that of the New York Supreme Court in Zurich American Insurance Company v. Sony Corporation of America, No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014), which arose out of the April 2011 hacking of Sony Corp.'s PlayStation online services. The court held that there was no “publication” by the insured; rather, the only “publication” was perpetrated by the hackers, and therefore, because Coverage B was not triggered, there was no coverage under the policy.
Conversely, in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, 644 Fed.Appx. 245 (4th Cir. 2016), which arose out of a class action wherein it was alleged that the insured negligently permitted the class's private medical records to be available to search engines on the Internet for more than four months, the Fourth Circuit found a covered “publication” by the insured. There was coverage in this case because it was the insured's act that published the medical records on the Internet. The Fourth Circuit rejected the insurer's argument that its publication was unintentional or that information was not published to a specific third party. The fact that the information was made publicly available by the insured over the Internet rendered it a covered publication.
The requirement that the act of “publication” be done by the insured, while not explicit in the policy language, is consistent with prior non-data breach case law. In Evanston Insurance Co. v. Gene by Gene, 155 F. Supp. 3d 706 (S.D. Tex. 2016), the allegations that the insured improperly published the plaintiff's DNA results on its website triggered a duty to defend. However, in Penn-America Insurance Co. v. Tomei, No. 480 WDA 2015, 2016 WL 2990093 (Pa. Super. May 24, 2016), there was no covered publication where the insured was sued by plaintiffs whose claims arose from the videotaping and publication by a third party of videos of patrons as they undressed during tanning sessions. The Pennsylvania court reasoned that because a third party made the videotapes available, and not the insured, there was no publication by the insured.
The national trend is that a “publication” must be made by the insured in order to trigger coverage under a standard CGL policy. This requirement, although not plain in the language of the standard provision, is supported by the manner in which courts have historically applied the provision. Accordingly, absent the unusual circumstance where the insured publishes personal information itself, an insured is unlikely to be able to obtain coverage for third-party losses due to data breaches under their CGL policies.
Insureds who are concerned about coverage for data breaches and cyber attacks would be well-advised to purchase cyber policies, to carefully review the coverage afforded therein, and to make sure that any business property and crime policies are endorsed to provide coverage for cyber and electronic losses.
Eric B. Stern is a partner in Kaufman Dolowich & Voluck LLP's Woodbury, NY office where he concentrates his practice in all aspects of insurance coverage litigation. Andrew A. Lipkowitz is an associate in the same office and primarily focuses his practice in insurance coverage litigation and monitoring.