Increasingly, insureds such as financial institutions, retailers, and other companies that manage, maintain or process the personal information of their customers are facing claims relating to the improper management of that information.

These claims may arise out of a computer intrusion, when personal information is accessed by unauthorized individuals, and may ultimately lead to unauthorized financial transactions and/or identity theft.

Claims may also arise out of violations of the Fair Credit Reporting Act (FCRA), or the Fair and Accurate Credit Transactions Act (FACTA), an amendment to the FCRA. These statutory provisions are intended to protect the privacy of consumer data within our banking and credit systems by limiting the circumstances under which merchants may access consumer reports, and by limiting the information that may be included on credit card and debit card receipts.

Finally, consumers may assert claims regarding the improper collecting of private information. For example, a company may utilize a "cookie" in order to identify users of its Web site, and thereby gather information, without the user's knowledge, regarding the user's economic preferences. The company may also collect information such as e-mail addresses, mailing addresses and phone numbers. This information allows a company to tailor Web content and related advertisements to a user's specific preferences.

Certain specialized policies of insurance may be designed to provide coverage for these types of claims, and may be purchased by those companies most at risk. However, this article focuses on the coverage issues that are likely to arise under general liability policies of insurance. While many of the companies facing potential liability in this area may not have procured specialized policies to deal with the risks involved, most of those companies are likely to have standard general liability insurance.

Accordingly, coverage litigation regarding the scope of coverage provided under general liability policies is bound to ensue.

These types of claims may give rise to three distinct insurance coverage issues under general liability insurance policies:

(1) Whether any real or potential liability results from "bodily injury."

(2) Whether any real or potential liability results from "property damage."

(3) Whether any real or potential liability results from "personal injury."

As discussed below, we believe none of these theories is likely to result in coverage under a standard general liability insurance policy.

It is possible that claimants may allege they have suffered mental anguish or emotional distress as a result of the mismanagement of their personal information. However, under standard general liability policies, and under most states' laws, purely mental injuries without physical manifestations do not constitute "bodily injury."

For example, in 2005, in U.S. Liability Ins. Group v. Sec. Ins. Co. of Hartford, a New Jersey appellate court held that "bodily injury" within the meaning of a liability policy "does not include purely emotional injuries without physical manifestations."

Similarly, in Richardson v. Liberty Mutual Fire Ins. Co., a Massachusetts appellate court ruled that the term "bodily injury" as used in an insurance policy is a narrow and unambiguous term which includes only actual physical injuries to the human body and the consequences thereof, not humiliation, mental anguish and suffering, mental pain, or emotional distress.

Offering the same reasoning in Trinity Universal Ins. Co. v. Cowan, Texas' highest court ruled in 1997 that coverage of bodily injury under a homeowners policy "requires injury to the physical structure of the human body."

Taking a similar tack the same year in Mains v. State Auto. Mut. Ins. Co., an Ohio appellate court held that claims against insureds for extreme anxiety, emotional distress, loss of income, expense and embarrassment did not allege "bodily injury" under the insureds' general business liability policy.

In those limited jurisdictions that may recognize coverage for purely emotional injuries, unaccompanied by any physical manifestation of such injuries, an insurer may seek to rely upon policy exclusions to preclude coverage. For example, an insurer may argue that the standard exclusion for expected or intended injury applies to bar coverage. The applicability of this exclusion, however, would likely turn on the specific facts involved.

An insurer may argue that the standard exclusion for contractual liability applies to preclude coverage. The exclusion may apply in situations where an insured's potential liability flows from an alleged breach of a contractual duty to protect a consumer's information from disclosure--for example, the provisions of a credit card agreement.

In situations where claimants allege loss of use of money or financial accounts, policyholders may seek coverage against such allegations under "property damage" provisions of their liability policies. The definition of "property damage" contained in standard general liability policies, however, includes loss of use of tangible property only.

Items such as money and financial accounts have been held by courts to constitute intangible property. Leading cases include: Nationwide Mut. Fire Ins. Co. v. City of Rome, (Ga. App. 2004); In re Russell, (Bankr. M.D.N.C. 2001); Mack v. Nationwide Mutual Fire Ins. Co., (Ga. App. 1999); Johnson v. AMICA Mutual Ins. Co., (Maine 1999).

Insureds may also argue that the loss of "personal information"--addresses, account numbers, security access codes, Social Security numbers--should implicate the "property damage" coverage of their policies.

Although there is very little guidance in the context of such information as held by a consumer, courts have generally held that information, such as compilations of data owned by other parties, constitutes "intangible" property in the insurance coverage context.

For example, in America Online, Incorp. v. St. Paul Mercury Ins. Co., the 4th Circuit, applying Virginia law, held that the policy at issue did not provide coverage for the abstract ideas, logic, instructions and information stored electronically. The court held that, while the policy provides coverage for "damage that may have been caused to circuits, switches, drives and any other physical components of the computer, it does not cover the loss of instructions to configure the switches or the loss of data stored magnetically."

Also, in State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, the United States District Court for the Western District of Oklahoma held that "computer data is intangible, not tangible, personal property."

Accordingly, it is unlikely that a court would consider such personal information, as held by an individual consumer, to be "tangible" property.

Even if the loss of money, financial accounts or other "personal information" were to fall within the definition of "property damage," an insurer should be able to rely upon the standard "damage to property" exclusion to disclaim coverage.

Ordinarily, that exclusion contains a provision precluding coverage for "personal property in the care, custody or control of the insured." Under most fact scenarios, this exclusion should apply to claims arising out of the improper collecting and disclosure of personal information in the possession of the insured.

Finally, insurers may face the argument that these claims implicate the "personal injury" coverage of the policy. Standard general liability policies provide "personal injury" coverage for the oral or written publication of material that violates a person's right of privacy.

The relevant inquiry is likely to be whether claims involving computer intrusion or violations of the FCRA and/or FACTA involve the "publication" of material.

With respect to a computer intrusion (or other breach of security relating to personal information), insurers will likely argue that the "theft" of information is not synonymous with "publication." After all, the insured, in simply failing to adequately protect the information, would not have actively "published" the information in any normal sense of the word. Rather, the insured would have allowed unauthorized parties to access the information.

With respect to violations of the FCRA, it is not clear how improperly accessing an individual's consumer report could be considered a "publication." Simply accessing such a report, without sharing it with a third party, should not be considered "publishing."

Finally, with respect to violations of the FACTA, insureds may argue that providing customers with receipts containing improper personal information is a "publication," since it potentially makes that information available to the general public if not adequately disposed of by the customer.

However, based on our review of past decisions surrounding the use of the term "publication," we believe courts are unlikely to agree with that position. For example, in TIG Ins. Co. v. Dallas Basketball, Ltd., et al., a Texas court held that publish "is generally understood to mean disclose, circulate, or prepare and issue printed material for public distribution."

In Park Univ. Enterprises, Inc. v. American Cas. Co. of Reading, Pa., the 10th Circuit Court, applying Kansas law in a 2006 ruling, noted that a dictionary definition of the word "publication" included "the act of bringing before the public [or] making something generally known [through a] public declaration or announcement."

In addition, in Valley Forge Ins. Co., et al. v. Swiderski Elec., Inc., et al., Illinois' highest court noted that "publication" has been defined as "[g]enerally, the act of declaring or announcing to the public" and "[t]he offering or distribution of copies of a work to the public."

It is difficult to imagine that a court, applying a definition of the term "publication" consistent with the ones set forth in these and other similar cases, could hold that furnishing a receipt to a customer amounts to a "publication."

Additionally, it is possible that certain exclusions might apply to preclude coverage under the "personal injury" portion of a standard liability insurance policy. For example, the standard exclusion for "'personal injury' caused by or at the discretion of the insured with the knowledge that the act would violate the rights of another" might well apply to losses relating to statutory violations such as the FCRA and FACTA.

Also, to the extent that certain statutory violations relating to the improper management of private information could be characterized as criminal in nature, exclusions for "'personal injury' arising out of criminal acts committed by or at the discretion of the insured" might apply to preclude coverage.

In addition to the specific coverage issues addressed above, it is important to keep in mind that claims resulting from identity theft, and from the improper gathering or disclosure of private information, are much more likely than more traditional claims to involve conduct that crosses international borders.

Many cases of identity theft involve perpetrators from outside of the United States. Personal information may be accessed, by computer or otherwise, from another country.

It is important when dealing with these types of claims to look closely at all "coverage territory" provisions and to examine issues relating to the location of the relevant conduct carefully.

In conclusion, it is unlikely that claims relating to the improper management of personal information, whether or not it leads to identity theft, will be covered under standard general liability insurance policies. However, as specific allegations may differ, and since the relevant policy language at issue may vary considerably, it is important to examine closely those items before reaching a coverage position.


© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.