Increasing reports of cyber intrusions, data theft and computer-system malfunctions have led a rapidly growing number of companies to purchase insurance coverage to protect themselves from technology and cyber-privacy risks.
As our technology-driven economy continues to evolve and businesses become more reliant on electronic communication and data storage, they are developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including intellectual property) and, in many cases, their reputation and ability to conduct business.
As such, prospective policyholders are becoming more cognizant of the necessity for insurance covering such growing exposures.
Still, there is significant uncertainty about the nature and scope of insurance products which might cover a company’s technology and cyber-privacy risks, whether the entity is in the technology space or in a vertical that uses technology to run its business operations.
While businesses and their insurance brokers typically are knowledgeable about insurance policies covering traditional general and professional liability exposures, today’s online society introduces new dynamics, many of which are not covered under traditional policy forms.
The growing number of technology and cyber products offered throughout the global-insurance markets highlights the importance of the insurance-brokerage community and the value of a sophisticated broker who can perform a thorough analysis of a policyholder’s insurance needs and can work with underwriters to obtain and tailor insurance policies to meet those needs.
Many policyholders are surprised to learn that a standard CGL policy likely would not apply to a technology or cyber-privacy claim, notwithstanding that the form typically includes coverage for “property damage” and “personal and advertising injury.” More surprisingly, some insurance brokers are not aware of a CGL policy’s limitations or their clients’ needs for a comprehensive multi-line insurance program. But such is the nature of our changing society and a client’s evolving insurance needs.
Cyber Risks As Property Damage
A typical CGL policy defines property damage as “physical injury to tangible property, including all resulting loss of use of that property.” While it is well and widely known that this definition would apply to traditional property damage losses (such as those arising from fires, impaired property and the like), many policyholders and brokers, without due consideration, mistakenly take it for granted that this definition also includes technology and cyber-privacy losses involving intangible property such as electronic data. But that is clearly not the case or the policy’s intent. To emphasize this point, and to add a belt to the suspenders, some CGL policy forms specifically exclude electronic data from their definition of property damage. In such policies, “electronic data” is generally defined as the “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software.” Despite this self-evident precept, some policyholders have elected to test this principle, arguing that property damage includes damage to computer software, information and data. And in most cases, they have lost.
In the most well-reasoned cases, the results were not surprising. For example, in America Online Inc. v. St. Paul Mercury Insurance Co. (Fourth Cir. 2003), the court properly recognized that data, web pages and computer systems do not constitute tangible property because they are not capable of being touched, held or sensed by the human mind. As such, they were not property damage, according to a CGL policy. The Eighth Circuit concurred with this self-evident proposition, holding in Eyeblaster Inc. v. Federal Insurance Co. that a “complaint would have had to make a claim for physical injury to the hardware in order for [the policyholder] to have coverage for ‘physical injury to tangible property’” under a general liability policy’s property-damage coverage.
Despite the inherent logic of these appellate decisions, one trial court, in dicta, endorsed a distorted view of property damage, expanding its definition beyond the plain and ordinary language. In Am. Guar. & Liab. Ins. Co. v. Ingram Micro Inc., the court considered whether a first-party property policy covered losses incurred after a power outage rendered a computer system inoperable. The court purported to focus on the physical attributes of “bytes,” as well as the particles and atoms that comprise a hard drive, in order to justify its result-oriented conclusion that the corruption of data constitutes “physical damage,” as required by the policy. The court rationalized its construct by hypothesizing that “at a time when computer technology dominates our professional as well as our personal lives…‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use and loss of functionality.” Though the policy insured against “direct physical loss or damage,” the court incorrectly conflated the phrases “physical damage” and “property damage” and held that the loss of programming information and network configurations “does allege property damage.” The Ingram Micro decision is frequently cited by policyholder counsel seeking to argue away the realities of a CGL policy’s limitation, despite the fact that the issues there arose in the context of a property policy.
Cyber Risks Under Endorsements
Notwithstanding the “property damage” jurisprudence and plain old logic, certain CGL policy forms may expand the scope of traditional coverage to include certain data losses. Because traditional CGL policies typically do not provide property coverage for technology and cyber-privacy risks, insurance companies are marketing specific policies and endorsements with specialized forms of coverage. For example, there is an ISO form endorsement for use with CGL policies that provides coverage for loss and loss of use of electronic data resulting from physical injury to tangible property. Insurers also offer technology stretch, computers and media, and technology services coverage endorsements in combination with CGL policies.
Cyber Risks As “Personal And Advertising Injury”
Of course, this is not to say that a standard CGL policy may never apply to a cyber-privacy claim. Indeed, many general liability policies include “personal and advertising injury” coverage which, in some cases, may subsume certain portions of a cyber-privacy event. The term “personal injury and advertising injury” typically is defined to include a list of enumerated offenses such as injury arising out of the infringement of another’s copyright and the oral or written publication of material that slanders a person or organization, or violates a person’s right to privacy.
The question of whether a CGL insurer has a duty to defend, or even a duty to indemnify, a technology and/or cyber-privacy claim is not the only one which a policyholder—or a CGL insurer—may face. In many cases where a policyholder has obtained multiple policies covering multiple types of exposures and risks—as a proactive policyholder with a sophisticated insurance broker should—a CGL policy’s coverage could overlap and converge with those provided by other insurance products. These include pure cyber and technology forms, third-party professional liability and directors and officers liability policies, and first-party and business-interruption certificates. This situation will then present issues such as what damages are covered under what form, allocation of defense costs, the implications of “other insurance” clauses, and the scope of an insurer’s duty to defend and/or pay defense costs under a pure indemnity policy.
In short, product-related and service-oriented businesses reliant on technology can—and should—take all reasonable steps to ensure that they have virtually seamless insurance coverage by working with sophisticated insurance brokers well versed in the myriad policies and forms available to cover technology and cyber-privacy risks. Just as our economy is quickly evolving, so too are the types of insurance products and coverage available to meet a policyholder’s changing needs. Understanding the components of these new-age policies is critical, and prudent business executives should devote the necessary time and resources to identify a sophisticated insurance broker who can assess a company’s vulnerabilities and ensure that the necessary insurance products are purchased. Having written such policies—and having worked with many brokers and underwriters—we can assure readers that the exercise will not be easy; but it certainly will be worth it in the end.
Richard J. Bortnick and Abby J. Sher practice in the Global Insurance Group at Cozen O’Connor, ranked among the 100 largest law firms in the United States. Residing in the Philadelphia office, Bortnick is a member of the firm and litigates cyber and technology risks. He is also co-publisher of a leading cyber-industry blog (www.cyberinquirer.com). Sher is an associate in the Philadelphia office and concentrates her practice in insurance coverage litigation, focusing on matters involving cyber and technology risks.