Examining Coverage for Cyber Risks Under Property and Liability Policies
This article explores courts' differing conclusions when faced with claims for cyber risks under different types of insurance policies, looks at some of the recent cyber-crimes and the direct financial and legal impact on businesses, and posits solutions to address insurance coverage for cyber-related risks.
March 02, 2018 at 03:00 PM
8 minute read
Over the past few years, data breaches have become more frequent and have impacted an increasing number of people. As computer hacking and data breaches become more common, an issue that is often raised is whether, and to what extent, damages resulting from these incidents fall within the coverage of the policies held by the corporate victims of the attacks. This article explores courts' differing conclusions when faced with claims for cyber risks under different types of insurance policies, looks at some of the recent cyber-crimes and the direct financial and legal impact on businesses, and posits solutions to address insurance coverage for cyber-related risks.
A cyber-hacking or data breach event, such as the ones suffered recently by Equifax, Target, Yahoo, and Sonic, typically involves a third-party gaining unauthorized access to a company's computer system, stealing customer information and then using that stolen information to apply for mortgages, credit cards and student loans, and tapping into bank debit accounts, filing insurance claims and tax refunds, and racking up substantial debts. The theft of the personal financial information of their customers causes direct loss to the company itself, through lost records, reputational damage, business interruption, and costs to correct and repair the damage done by intruders, and may also subject the company to lawsuits from their customers.
Naturally, companies have sought coverage for these cyber-losses from their insurers. An insured seeking to protect itself from losses due to data breaches and cyber-attacks can procure specific first-party policies that will cover such loss. For example, certain property policies have been found to provide coverage for data breaches when the policy contains a specific definition of property to include electronic data.
In NMS Services v. The Hartford, 62 Fed.Appx. 511 (4th Cir. 2003), the Fourth Circuit held that there was coverage under a business property policy for an insured's loss of business and costs to restore records lost when a former employee hacked into the insured's network. Similarly, in Lambrecht & Associates v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. Ct. 2003), the insured suffered direct losses due to a hack of its system. The Texas Court of Appeals found that the insurer could not prove as a matter of law that the damaged property was not covered under the insured's business property policy, which covered “accidental direct physical loss to business personal property.” However, the court also denied the insured's motion for summary judgment, finding an issue of fact as to whether the insured's losses were “accidental.”
Under certain circumstances, crime policies may also provide coverage for the insured's direct loss as a result of a data breach. In Retail Ventures v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) the insured incurred $6.8 million in losses arising from a data breach caused by a hacker that compromised customer credit card and checking account information. The insured was covered by a blanket crime policy, which contained a specific rider that covered computer fraud. As a result, the expenses related to the hack, including attorney fees associated with municipal investigations, were all found to be covered.
Although business property and crime policies may provide coverage for direct losses suffered by the insured as a result of a data breach, there is no coverage for liability to third-parties under these policies. For example, in Camp's Grocery v. State Farm Fire & Cas. Co., No. 4:16-cv-0204-JEO, 2016 U.S. Dist. LEXIS 147361 (N.D. Ala. Oct. 25, 2016), the court rejected the insured's argument that an inland marine endorsement in the policy provided coverage for an underlying lawsuit arising from a data breach, holding that the endorsement only provided first-party coverage for certain computer related losses, and did not provide coverage against claims brought by third parties.
The policies available on the market which may provide coverage for liability due to data breaches are cyber-policies. However, cyber-policies vary, they are not held by all companies and not all liabilities may be covered. For instance, in P.F. Chang's China Bistro v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 U.S. Dist. LEXIS 70749, (D. Ariz. May 26, 2016), the insured's credit card transactions were hacked by a third party. The insurer covered substantially all of the damages suffered directly by the insured as well as the liability claims brought by the insured's customers. However, the district court found that there was no coverage for the fees the insured owed to its credit card service-provider as a result of the breach. Unlike the customers, who suffered a covered “Privacy Injury,” the service-provider did not suffer any covered injury and, as a result, there was no coverage for the fees.
Insureds have also sought coverage for data breaches and cyber-attacks from their commercial general liability insurers. The oft-used theory for coverage for these lawsuits is that the data breach is a covered “publication” under Coverage B of the standard Commercial General Liability policy. While policies may differ, “personal and advertising injury” is typically defined as “injury, including consequential 'bodily injury', arising out of one or more of the following offenses: … e. Oral or written publication, in any manner, of material that violates a person's right of privacy.” The argument raised by insureds in favor of coverage is typically that when a third-party hacker obtains personally identifiable information the “publication” requirement of Coverage B has been satisfied. This, however, has not been a successful argument.
Nationally, courts have generally rested their decisions regarding coverage for data breaches under a CGL policy on whether the insured was responsible for the act of “publication.” Recently, in Innovak Int'l v. Hanover Ins. Co., No. 8:16-CV-2453-MSS-JSS, 2017 U.S. Dist. LEXIS 191271 (M.D. Fla. Nov. 17, 2017), the insured was sued for damages resulting from the release of the underlying claimants' personal private information after the insured was the subject of a data breach. The District Court upheld the insurer's denial of coverage because there was no alleged publication of the personal information by the insured. The District Court explained that even if the hacker's actions in appropriating the personal information could be considered a “publication,” the policy required publication by the insured.
The Innovak holding followed that of the New York Supreme Court in Zurich American Insurance Company v. Sony Corporation of America, No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014), which arose out of the April 2011 hacking of Sony Corp.'s PlayStation online services. The court held that there was no “publication” by the insured, rather, the only “publication” was perpetrated by the hackers, and therefore, because Coverage B was not triggered there was no coverage under the policy.
Conversely, in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, 644 Fed.Appx. 245 (4th Cir. 2016), which arose out of a class-action wherein it was alleged that the insured negligently permitted the class's private medical records to be available to search engines on the Internet for more than four-months, the Fourth Circuit found a covered “publication” by the insured. There was coverage in this case because it was the insured's act that published the medical records on the Internet. The Fourth Circuit rejected the insurer's argument that its publication was unintentional or that information was not published to a specific third party. The fact that the information was made publicly available by the insured over the Internet rendered it a covered publication.
The requirement that the act of “publication” be done by the insured, while not explicit in the policy language, is consistent with prior non-data breach case law. In Evanston Insurance Co. v. Gene by Gene, 155 F. Supp. 3d 706 (S.D. Tex. 2016), the allegations that the insured improperly published the plaintiff's DNA results on its website triggered a duty to defend. However, in Penn-America Insurance Co. v. Tomei, No. 480 WDA 2015, 2016 WL 2990093 (Pa. Super. May 24, 2016), there was no covered publication where the insured was sued by plaintiffs whose claims arose from the videotaping and publication by a third party of videos of patrons as they undressed during tanning sessions. The Pennsylvania court reasoned that because a third party made the video-tapes available, and not the insured, there was no publication by the insured.
The national trend is that a “publication” must be made by the insured in order to trigger coverage under a standard CGL policy. This requirement, although not plain in the language of the standard provision, is supported by the manner in which courts have historically applied the provision. Accordingly, absent the unusual circumstance where the insured publishes personal information itself, an insured is unlikely to be able to obtain coverage for third-party losses due to data breaches under their CGL policies.
Insureds who are concerned about coverage for data breaches and cyber attacks would be well-advised to purchase cyber policies and carefully review the coverage afforded therein and to make sure than any business property and crime policies are endorsed to provide coverage for cyber and electronic losses.
Eric B. Stern is a partner in Kaufman Dolowich & Voluck LLP's Woodbury, NY office where he concentrates his practice in all aspects of insurance coverage litigation. Andrew A. Lipkowitz is an associate in the same office and primarily focuses his practice in insurance coverage litigation and monitoring.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Trending Stories
- 1Rejuvenation of a Sharp Employer Non-Compete Tool: Delaware Supreme Court Reinvigorates the Employee Choice Doctrine
- 2Mastering Litigation in New York’s Commercial Division Part V, Leave It to the Experts: Expert Discovery in the New York Commercial Division
- 3GOP-Led SEC Tightens Control Over Enforcement Investigations, Lawyers Say
- 4Transgender Care Fight Targets More Adults as Georgia, Other States Weigh Laws
- 5Roundup Special Master's Report Recommends Lead Counsel Get $0 in Common Benefit Fees
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
