Data breaches continue to impact businesses throughout the world. The following addresses some of the coverage issues that arise when companies suffer a data breach.
Home Depot, Target, Michael’s, TJ Maxx, Snapchat, Facebook, Twitter, Sony, Kmart, Apple’s iCloud, First Commonwealth Bank, and P.F. Chang’s are just a few of the companies that have reported a major data breach.
The Russian hacking of the Democratic National Committee during the 2016 Presidential campaign may have impacted the election. Similarly, DDoS (Distributed Denial of Service) attacks have targeted banks and other financial service providers.
Companies may receive lawsuits seeking damages as a result of a data breach. Claims of invasion of privacy, lost or stolen data, loss of use of computers, misappropriation of confidential business information, etc. can cost companies thousands of dollars to defend. Governmental and regulatory actions related to data breaches are also common. When faced with a data breach or an electronic data loss, many companies may look to their commercial general liability (“CGL”) policies and first-party property policies for coverage. A dispute often arises between the insurance carrier and the policyholder regarding the availability of coverage.[1]
Sometimes the battle is over whether there is a privacy violation or a publication such that there would be coverage under CGL policies.[2] See Zurich Am. Ins. Co. v. Sony Corp. of Am., 2014 N.Y. Misc. LEXIS 5141 (2014); Hartford Cas. Ins. Co. v. Corcino & Assoc., 2013 U.S. LEXIS 152836 at *12 (C.D. Cal. Oct. 7, 2013) (the court rejected the insurance carrier’s argument that the personal injury coverage excluded claims for disclosure of personal data of hospital patients, and observed that “medical records have been considered private and confidential for well over 100 years at common law”); Recall Total Info. Mgmt. v. Fed. Ins. Co., 83 A.3d 664 (Conn. App. 2014), aff’d 115 A.3d 458 (Conn. 2015); Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, 35 F. Supp.3d 765 (E.D. Va. 2014); Pietras v. Sentry Ins. Co., 2007 U.S. Dist. LEXIS 16015 (N.D. Ill. Mar. 6, 2007); Valley Forge Ins. Co. v. Swiderski Elec., Inc., 860 N.E.2d 307 (Ill. 2006); Zurich Am. Ins. Co. v. Fieldstone Mortgage Co., 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007); Park Univ. Enter., Inc. v. Am. Cas. Co., 442 F.3d 1239 (10th Cir. 2006); Columbia Cas. Co. v. HIAR Holding, LLC, 411 S.W.3d 258 (Mo. 2013).
Often the battle is over whether there has been “property damage”. In many insurance policies “Property Damage” is defined as “physical injury to tangible property, including all resulting loss of use of that property” and “loss of use of tangible property that is not physically injured.”[3] Insurance carriers argue that electronic data is excluded from the definition of tangible property. See Arch Ins. Co. v. Michaels Stores, Inc., No 12-00786 (N.D. Ill. Feb. 3, 2012). Many courts find that data does not amount to “tangible property” because computer information lacks physical substance. See Ward Gen. Servs. Inc. v. Employers Fire Ins. Co., 114 Cal. App. 4th 548, 556-57 (Cal. App. 4 Dist. 2003) (where a computer crash, due at least in large part to human operator error, resulted in data loss, the court held that there was no physical loss or damage. The court held that data loss was simply a “loss of organized information . . . (such as client names and addresses). . . .” concluding that such information “cannot be said to have a material existence, be formed of tangible matter, or be perceptible to the sense of touch”). See also America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 93-98 (4th Cir. 2003) (the court concluded that “physical magnetic material on the hard drive is tangible”, but concluded that software and data was not tangible); Liberty Corp. Capital Ltd. v. Security Safe Outlet, Inc., 937 F. Supp.2d 891 (E.D. Ky. Mar. 27, 2013); Cincinnati Ins. Co. v. Prof’l Data Servs., Inc. 2003 U.S. Dist. LEXIS 15859 (D. Kan. July 18, 2003); AFLAC, Inc. v. Chubb & Sons, Inc., 581 S.E.2d 317, 319 (Ga. Ct. App. 2003). But see Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185, 2000 U.S. Dist. LEXIS 7299, at 6 (D. Ariz. April 18, 2000) (holding that there was physical damage when information stored on random access memory was destroyed); Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. Minn. 2010) (Insurer had duty to defend lawsuit alleging that a virus caused computer to be unusable, even though the insurance policy excluded “software, data, or other information that is in electronic form” from the definition of “tangible property”); NMS Servs., Inc. v. The Hartford, 62 Fed. Appx. 511, 514 (4th Cir. 2003) concurring opinion of Judge Widener; Centennial Ins. Co. v. Applied Health Care Sys. Inc., 710 F.2d 1288 (7th Cir. 1983) (because it was possible that the losses arose from damage to the customer’s tangible property, the duty to defend was triggered); See Southeast Mental Health Ctr., Inc. v. Pacific Ins. Co., 439 F.Supp.2d 831, 837-39 (W.D. Tenn. 2006); Lambrecht & Assoc., Inc. v. State Farm Lloyds, 119 S.W. 3d 16, 25 (Tex. App. 2003); Retail Sys. Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380, slip op. at 3-4 (2d Dist. Ct. N.M. May 24, 2000), rev’d in part on other grounds 46 P.3d 1264 (N.M. Ct. App. 2002).
In first-party property policies, there must be “physical loss or damage” to the covered property for coverage to be triggered. Many first-party property policies contain a broad definition of “Covered Property” that includes all “personal property owned by” the insured. However, software and data may not constitute “personal property” and as such, may not be covered under the policy. Several cases have addressed data losses under first-party property policies. In Ward General Insurance Services, Inc. v. Employers Fire Insurance Co., 114 Cal. App.4th 548 (2003), the insured suffered a computer crash which resulted in a significant loss of electronically stored data. The insurer denied coverage. The court found that the loss did not result in “direct physical loss of or damage to” property and that the data stored on a tangible medium was not tangible. Other courts have found coverage under first-party property policies. See NMS Servs., Inc. v. The Hartford, 62 Fed. App’x 511 (4th Cir. 2003) (the court found property damage to hacked computers per a business interruption endorsement); Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. 2003) (the court found property damage to hacked computers per a business income endorsement); American Guar. & Liab. Co. v. Ingram Micro, Inc., No. 99-185, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. April 18, 2000) (the court found coverage and held that “physical damage” is not restricted to the physical destruction of the computer, but also includes loss of access, loss of use and loss of functionality).
Companies that suffer a data breach incur significant costs, including but not limited to forensic investigation costs, breach notification costs, credit monitoring costs, crisis management costs, lost business, and legal/litigation costs. To protect themselves, companies can purchase a specialty insurance policy referred to as “Cyber” insurance. Cyber insurance policies can provide first-party (cyber crime) coverage as well as third-party (cyber liability) coverage. They can provide coverage for direct loss and legal liability with resulting consequential loss caused by cyber security breaches. Cyber insurance policies are usually claims made and can be very expensive, although the costs have come down as more carriers have entered the market. Depending on the policy, notification costs, credit monitoring and other direct expenses can be insured if there is a data breach, even if there is never a liability claim. Regulatory fines and penalties are endorsable. Some insurance carriers provide crisis management, a call center, and other services to the policyholder when cyber insurance is purchased. It is important that companies review the policy wording carefully to make sure that it meets their business needs. Some policies are better written than others.
Cyber breaches can be risky for businesses. A good risk management plan, along with appropriate insurance, can help businesses successfully maneuver coverage obstacles in the event of a cyber breach. Cyber policies[4], commercial property policies and CGL policies are just a few of the sources of coverage to evaluate. Depending upon the circumstances, policyholders should also review their crime policies[5], directors & officers’ liability policies and their errors and omissions or professional liability policies. Some insurance policies may not include exclusions and other language to limit coverage for cyber breaches. Should a cyber breach occur, it is worth reviewing various policies carefully to see what coverage, if any, may be available.
[1] An excellent article that discusses insurance coverage for cyber attacks is “Viruses, Trojans, and Spyware, Oh My! The Yellow Brick Road to Coverage in the Land of the Internet” by Roberta D. Anderson, 49 Tort & Ins. L.J. 529 (Winter, 2014). See also “Claims Made and Insurance Coverage Available for Losses Arising Out of or Related to Electronic Data”, by Jeffrey S. Price and Justin D. Wear, 51 Tort & Ins. L.J. 51 (Fall, 2015) and “Insurance for Cyber Risks: A Comprehensive Analysis of the Evolving Exposure, Today’s Litigation and Tomorrow’s Challenges”, by Gregory D. Podolak, 33 Quinnipiac L.Rev. 369 (2015).
[2] The 2007 and later ISO insurance forms contain an exclusion for privacy-related laws.
[3] The current standard ISO form and other ISO forms since December 1, 2001 specifically exclude “electronic data” from the “property damage” definition. Sometimes endorsements add the coverage back to the policy. It is important to review the insurance policy carefully.
[4] Cyber extortion policies are also available on the market.
[5] See Retail Ventures, Inc. v. Nat. Union Fire Ins., 691 F.3d 821 (6th Cir. 2012), where the claim was submitted under a computer fraud rider to a Blanket Crime Policy and the court found that the data breach loss “resulted directly from the hacking”, and an exclusion for loss of confidential information did not apply to the loss of customer information; Medidata Solutions, Inc. v. Fed. Ins. Co., Civ. Action, 2016 U.S. Dist. LEXIS 178501 (S.D.N.Y. 2016); Bitpay, Inc. v. Mass. Bay Ins. Co., Case No. 1:15-cv-03238 (N.D. Georgia Mar. 17, 2016); Ameriforge Group, Inc. v. Fed. Ins. Co., Case No. 4:16-cv-00377 (S.D. Tex. 2016); Principle Solutions Group, LLC v. Ironshore Indem., Inc., Case No. 1:15-cv-04130 (N.D. Georgia Aug. 30, 2016); and Taylor & Lieberman v. Fed. Ins. Co., 2015 U.S. Dist. LEXIS 7935 (C.D. Cal. 2015).