Increasing reports of cyber intrusions, data theft andcomputer-system malfunctions have led a rapidly growing number ofcompanies to purchase insurance coverage to protect themselves fromtechnology and cyber-privacy risks.

As our technology-driven economy continues to evolve andbusinesses become more reliant on electronic communication and datastorage, they are developing a heightened awareness that anunauthorized intrusion could endanger their tangible and intangibleassets (including intellectual property) and, in many cases, theirreputation and ability to conduct business.

As such, prospective policyholders are becoming more cognizantof the necessity for insurance covering such growing exposures.

Still, there is significant uncertainty about the nature andscope of insurance products which might cover a company'stechnology and cyber-privacy risks, whether the entity is in thetechnology space or in a vertical that uses technology to run itsbusiness operations.

While businesses and their insurance brokers typically areknowledgeable about insurance policies covering traditional generaland professional liability exposures, today's online societyintroduces new dynamics, many of which are not covered undertraditional policy forms.

The growing number of technology and cyber products offeredthroughout the global-insurance markets highlights the importanceof the insurance-brokerage community and the value of asophisticated broker who can perform a thorough analysis of apolicyholder's insurance needs and can work with underwriters toobtain and tailor insurance policies to meet those needs.

Many policyholders are surprised to learn that a standard CGLpolicy likely would not apply to a technology or cyber-privacyclaim, notwithstanding that the form typically includes coveragefor “property damage” and “personal and advertising injury.” More surprisingly, some insurance brokers are not aware of a CGLpolicy's limitations or their clients' needs for a comprehensivemulti-line insurance program. But, such is the nature of ourchanging society and a client's evolving insurance needs.

Cyber Risks As Property Damage

A typical CGL policy defines property damage as “physical injuryto tangible property, including all resulting loss of use of thatproperty.” While it is well and widely known that this definitionwould apply to traditional property damage losses (such as thosearising from fires, impaired property and the like) manypolicyholders and brokers, without due consideration, mistakenlytake it for granted that this definition also includes technologyand cyber-privacy losses involving intangible property such aselectronic data. But, that is clearly not the case or the policy'sintent. To emphasize this point, and to add a belt to thesuspenders, some CGL policy forms specifically exclude electronicdata from their definition of property damage. In such policies,“electronic data” is generally defined as the “information, factsor programs stored as or on, created or used on, or transmitted toor from computer software.” Despite this self-evident precept, somepolicyholders have elected to test this principle, arguing thatproperty damage includes damage to computer software, informationand data. And in most cases, they have lost.

In the most well-reasoned cases, the results were notsurprising. For example, in America Online Inc. v. St. PaulMercury Insurance Co. (Fourth Cir. 2003), the court properlyrecognized that data, web pages and computer systems do notconstitute tangible property because they are not capable of beingtouched, held or sensed by the human mind. As such, they were notproperty damage, according to a CGL policy. The Eighth Circuitconcurred with this self-evident proposition, holding inEyeblaster Inc. v. Federal Insurance Co. that a “complaintwould have had to make a claim for physical injury to the hardwarein order for [the policyholder] to have coverage for 'physicalinjury to tangible property'” under a general liability policy'sproperty-damage coverage.

Despite the inherent logic of these appellatedecisions, one trial court, in dicta, endorsed a distorted view ofproperty damage, expanding its definition beyond the plain andordinary language. In Am. Guar. & Liab. Ins. Co. v. IngramMicro Inc., the court considered whether a first-partyproperty policy covered losses incurred after a power outagerendered a computer system inoperable. The court purported to focuson the physical attributes of “bytes,” as well as the particles andatoms that comprise a hard drive, in order to justify itsresult-oriented conclusion that the corruption of data constitutes“physical damage,” as required by the policy. The courtrationalized its construct by hypothesizing that “at a time whencomputer technology dominates our professional as well as ourpersonal lives…'physical damage' is not restricted to the physicaldestruction or harm of computer circuitry but includes loss ofaccess, loss of use and loss of functionality.” Though the policyinsured against “direct physical loss or damage,” the courtincorrectly conflated the phrases “physical damage” and “propertydamage” and held that the loss of programming information andnetwork configurations “does allege property damage.” TheIngram Micro decision is frequently cited by policyholdercounsel seeking to argue away the realities of a CGL policy'slimitation, despite the fact that the issues there arose in thecontext of a property policy.

Cyber Risks Under Endorsements

Notwithstanding the “property damage” jurisprudence and plainold logic, certain CGL policy forms may expand the scope oftraditional coverage to include certain data losses. Becausetraditional CGL policies typically do not provide property coveragefor technology and cyber-privacy risks, insurance companies aremarketing specific policies and endorsements with specialized formsof coverage. For example, there is an ISO form endorsement for usewith CGL policies that provides coverage for loss and loss of useof electronic data resulting from physical injury to tangibleproperty. Insurers also offer technology stretch, computers andmedia, and technology services coverage endorsements in combinationwith CGL policies.

Cyber Risks As “Personal And AdvertisingInjury”

Of course, this is not to say that a standard CGL policy maynever apply to a cyber-privacy claim. Indeed, many generalliability policies include “personal and advertising injury”coverage which, in some cases, may subsume to certain portions of acyber-privacy event. The term “personal injury and advertisinginjury” typically is defined to include a list of enumeratedoffenses such as injury arising out of the infringement ofanother's copyright and the oral or written publication of materialthat slanders a person or organization, or violates a person'sright to privacy.

Overlapping Coverage

The question of whether a CGL insurer has a duty to defend, oreven a duty to indemnify, a technology and/or cyber-privacy claimis not the only one which a policyholder—or a CGL insurer—may face.In many cases where a policyholder has obtained multiple policiescovering multiple types of exposures and risks—as a proactivepolicyholder with a sophisticated insurance broker should—a CGLpolicy's coverage could overlap and converge with those provided byother insurance products. These include pure cyber and technologyforms, third-party professional liability and directors andofficers liability policies, and first-party andbusiness-interruption certificates. This situation will thenpresent issues such as what damages are covered under what form,allocation of defense costs, the implications of “other insurance”clauses, and the scope of an insurer's duty to defend and/or paydefense costs under a pure indemnity policy.

Conclusion

In short, product-related and service-oriented businessesreliant on technology can—and should—take all reasonable steps toensure that they have virtually seamless insurance coverage byworking with sophisticated insurance brokers well versed in themyriad policies and forms available to cover technology andcyber-privacy risks. Just as our economy is quickly evolving, sotoo are the types of insurance products and coverage available tomeet a policyholder's changing needs. Understanding the componentsof these new-age policies is critical, and prudent businessexecutives should devote the necessary time and resources toidentify a sophisticated insurance broker who can assess acompany's vulnerabilities and ensure that the necessary insuranceproducts are purchased. Having written such policies—and havingworked with many brokers and underwriters—we can assure readersthat the exercise will not be easy; but it certainly will be worthit in the end.

Richard J. Bortnick and Abby J.Sher practice in the GlobalInsurance Group at CozenO'Connor, ranked among the 100 largest law firms in the UnitedStates. Residing in the Philadelphia office, Bortnick is a memberof the firm and litigates cyber and technology risks. He is alsoco-publisher of a leading cyber-industry blog (www.cyberinquirer.com). Contacthim at [email protected]. Sher is anassociate in the Philadelphia office and concentrates her practicein insurance coverage litigation, focusing on matters involvingcyber and technology risks. Contact her at [email protected].