As computer hacking and data breaches become more common, an issue that is often raised is whether, and to what extent, damages resulting from these incidents fall within the coverage of the policies held by the corporate victims of the attacks.
This article explores courts’ differing conclusions when faced with claims for cyber risks under different types of insurance policies, looks at some of the recent cybercrimes and the direct financial and legal impact on businesses, and posits solutions to address insurance coverage for cyber-related risks.
Pinpointing the problem
Generally, a data breach event on par with what happened to Equifax, Target or Yahoo involves a third party gaining unauthorized access to a company’s computer system, stealing customer information and then using that stolen information to apply for mortgages, credit cards and student loans, as well as tapping into bank debit accounts, filing insurance claims and tax refunds, and racking up substantial debts.
The theft of customers’ personal financial information causes direct loss to the company itself, through lost records, reputational damage, business interruption, and costs to correct and repair the damage done by intruders, and may also subject the company to lawsuits from its customers.
The insurer’s role
An insured seeking to protect itself from losses due to data breaches and cyberattacks can procure cyber liability policies that will cover such loss.
But certain property and business liability policies also have been found to provide coverage for data breaches, as long as the policy contains a specific definition of property that includes electronic data.
In NMS Services v. The Hartford, 62 Fed.Appx. 511 (4th Cir. 2003), the Fourth Circuit held that there was coverage under a business property policy for an insured’s loss of business income as well as the costs to restore records lost when a former employee hacked into the insured’s network.
Similarly, in Lambrecht & Associates v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. Ct. 2003), the insured suffered direct losses due to a hack of its system. The Texas Court of Appeals found that the insurer could not prove as a matter of law that the damaged property was not covered under the insured’s business property policy, which covered “accidental direct physical loss to business personal property.”
However, the court also denied the insured’s motion for summary judgment, finding an issue of fact as to whether the insured’s losses were “accidental.”
Less common cybercrime coverage
Under certain circumstances, crime policies may also provide coverage for the insured’s direct loss as a result of a data breach. In Retail Ventures v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012), the insured incurred $6.8 million in losses arising from a data breach caused by a hacker that compromised customer credit card and checking account information.
The insured was covered by a blanket crime policy, which contained a specific rider for computer fraud. As a result, the expenses related to the hack, including attorney fees associated with municipal investigations, were all found to be covered.
Although business property and crime policies may provide coverage for direct losses suffered by the insured as a result of a data breach, there is no coverage for liability to third parties under these policies.
For example, in Camp’s Grocery v. State Farm Fire & Cas. Co., No. 4:16-cv-0204-JEO, 2016 U.S. Dist. LEXIS 147361 (N.D. Ala. Oct. 25, 2016), the court rejected the insured’s argument that an inland marine endorsement in the policy provided coverage for an underlying lawsuit arising from a data breach, holding that the endorsement only provided first-party coverage for certain computer-related losses, and did not provide coverage against claims brought by third parties.
Cyber liability insurance specifics
Cyber liability policies vary. They are not held by all companies, and not all liabilities may be covered.
For instance, in P.F. Chang’s China Bistro v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. May 26, 2016), the insured’s credit card transactions were hacked by a third party. The insurer covered substantially all of the damages suffered directly by the insured as well as the liability claims brought by the insured’s customers.
However, the district court found that there was no coverage for the fees the insured owed to its credit card service-provider as a result of the breach. Unlike the customers, who suffered a covered “Privacy Injury,” the service-provider did not suffer any covered injury and, as a result, there was no coverage for the fees.
Insureds have also sought coverage for data breaches and cyberattacks from their commercial general liability insurers. The oft-used theory for coverage for these lawsuits is that the data breach is a covered “publication” under Coverage B of the standard Commercial General Liability policy.
While policies may differ, “personal and advertising injury” is typically defined as “injury, including consequential ‘bodily injury’, arising out of one or more of the following offenses: … e. Oral or written publication, in any manner, of material that violates a person’s right of privacy.”
The argument raised by insureds in favor of coverage is typically that when a third-party hacker obtains personally identifiable information, the “publication” requirement of Coverage B has been satisfied. This, however, has not been a successful argument.
Setting new precedent
Nationally, courts have generally rested their decisions regarding coverage for data breaches under a CGL policy on whether the insured was responsible for the act of “publication.” Recently, in Innovak Int’l v. Hanover Ins. Co., No. 8:16-CV-2453-MSS-JSS, 2017 U.S. Dist. LEXIS 191271 (M.D. Fla. Nov. 17, 2017), the insured was sued for damages resulting from the release of the underlying claimants’ personal private information after the insured was the subject of a data breach.
The District Court upheld the insurer’s denial of coverage because there was no alleged publication of the personal information by the insured. The District Court explained that even if the hacker’s actions in appropriating the personal information could be considered a “publication,” the policy required publication by the insured.
The Innovak holding followed that of the New York Supreme Court in Zurich American Insurance Company v. Sony Corporation of America, No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Ct. Feb. 21, 2014), which arose out of the April 2011 hacking of Sony Corp.’s PlayStation online services.
The court held that there was no “publication” by the insured; rather, the only “publication” was perpetrated by the hackers, and therefore, because Coverage B was not triggered, there was no coverage under the policy.
Conversely, in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, 644 Fed.Appx. 245 (4th Cir. 2016), which arose out of a class action wherein it was alleged that the insured negligently permitted the class’s private medical records to be available to search engines on the Internet for more than four months, the Fourth Circuit found a covered “publication” by the insured.
There was coverage in this case because it was the insured’s act that published the medical records on the Internet. The Fourth Circuit rejected the insurer’s argument that its publication was unintentional or that information was not published to a specific third party. The fact that the information was made publicly available by the insured over the Internet rendered it a covered publication.
Deciphering policy language
The requirement that the act of “publication” be done by the insured, while not explicit in the policy language, is consistent with prior non-data breach case law.
In Evanston Insurance Co. v. Gene by Gene, 155 F. Supp. 3d 706 (S.D. Tex. 2016), the allegations that the insured improperly published the plaintiff’s DNA results on its website triggered a duty to defend.
However, in Penn-America Insurance Co. v. Tomei, No. 480 WDA 2015, 2016 WL 2990093 (Pa. Super. May 24, 2016), there was no covered publication where the insured was sued by plaintiffs whose claims arose from the videotaping and publication by a third party of videos of patrons as they undressed during tanning sessions. The Pennsylvania court reasoned that because a third party made the videotapes available, and not the insured, there was no publication by the insured.
The national trend is that a “publication” must be made by the insured in order to trigger coverage under a standard CGL policy. This requirement, although not plain in the language of the standard provision, is supported by the manner in which courts have historically applied the provision. Accordingly, absent the unusual circumstance where the insured publishes personal information itself, an insured is unlikely to be able to obtain coverage for third-party losses due to data breaches under its CGL policy.
Insureds who are concerned about coverage for data breaches and cyberattacks would be well-advised to purchase cyber policies, to carefully review the coverage afforded therein, and to make sure that any business property and crime policies are endorsed to provide coverage for cyber and electronic losses.
Eric B. Stern is a partner in Kaufman Dolowich & Voluck LLP’s Woodbury, NY office where he concentrates his practice in all aspects of insurance coverage litigation. Andrew A. Lipkowitz is an associate in the same office and primarily focuses his practice in insurance coverage litigation and monitoring.
This article was published first in the New York Law Review.