The second panel of the MReBA Symposium addressed the two types of policies that protect against data breaches: CGL policies and cyber security products. The panelists were John Derwin, Esq. (Liberty Mutual Insurance), Anna M. Stafford, Esq. (Travelers), Jessica Park, Esq. (Sugarman, Rogers, Barshak & Cohen, P.C.) and moderator, John Love, Esq. (Robins Kaplan LLP).
1. CGL Policies
The panel opened the discussion by providing an overview of the CGL policy and two commonly filed cyber security claims—class actions for loss of privacy data and claims brought by facilitators of credit cards during hacking incidents. Most cyber-security claims are asserted against the CGL policy under Coverage B, while relatively few seek coverage under Coverage A.
One common attempt to hook into Coverage B derives from the phrase “publication in any manner” found in some CGL policies. As applied to data breaches, disputes often turn on the definition of a “publication,” and an interpretation of the commonly used “in any manner” clause after “publication.” The question becomes, does my CGL policy protect against instances where a third party, as compared to the insured, publishes the information? Courts are examining that question now, and the case law is still developing.
In comparison, Coverage A brings less exposure for carriers. This is in part because emotional damages are not traditionally covered in the definition of “bodily injury” (although some policies are now redefining the term to include “anguish”). With regard to property damage, Coverage A does include protection against the “loss of use” of property. Claims then arise where the replacement of debit cards or credit cards is necessary, and the question is whether this constitutes loss of use.
Coverage in CGL policies is frequently narrowed by exclusions, including the common exclusions for electronic data, insureds in Internet and media businesses, and/or a “knowing violation.”
2. Cyber Security Products
The panel then provided an overview of the available cyber security products. While cyber security products are not entirely new to the insurance industry, policyholders are increasingly willing to pay extra premium for the purchase of cyber-specific coverages. To respond to the increased demand, certain insurers offer modular products where customers pick and choose their desired types of coverage. Options include coverage for communications and media liability, network and/or information security liability, technology errors and omissions, and expense reimbursement. These types of customized products provide coverage for losses that do not fall within CGL coverage. For example, a CGL policy provides no coverage for damage or impairment to data, because property damage is defined as physical damage to tangible property and data is not considered tangible property.
The coverage option for technology errors or omissions, for example, protects against liability for the financial injury to third parties due to a failure of the insured’s product or service, including errors, omissions or a negligent act. Companies that benefit from this type of coverage provide customers with a product or service that stores sensitive customer information, the disclosure of which would result in financial harm to the customer.
The coverage option for expense reimbursement protects against insured loss related to certain wrongful acts or first party incidents involving a data breach event. Thus, if a business is incurring a loss due to attempts to misappropriate or misuse information in its care, such coverage would afford the company protection—by managing these first party expenses it mitigates further harm to its insured or customers.
Indeed, in today’s ever-changing, data-driven world, cyber security products with modular options are essential to providing an insured with a breadth of coverage.
3. Recent Cyber Security Court Rulings
The panel concluded its discussion by providing an update on recent cyber security court rulings, and in particular, how courts have recently defined the term “publication.”
As previously described, the definition of a “publication” is often in dispute. For example, in Recall Total Info. Mgmt. v. Fed. Ins. Co. the Appellate Court of Connecticut found that there was no publication where computer tapes were stolen, but the data on the tapes were not accessed. 147 Conn. App. 450 (2014). In Zurich American Ins. Co. v. Sony Corp. of America et al., a New York trial court found that a publication existed where hackers broke into the PlayStation network and stole personal information from millions of customers. N.Y. Sup. Ct. Index No. 651982/2011 (Mar. 10, 2014 Order). The publication requirement, however, was not satisfied because the third-party hackers perpetrated the publication, not the insured, Sony.
With regard to cyber security policies, published decisions and precedent are limited, largely because there is great variability in policy language and underlying facts. Hence, judgments seldom create precedent for future cases. For example, in Columbia Cas. Co. v. Cottage Health System, the insured was an operator of a network of hospitals. C.D. Cal., 2:15-cv-03432 (Filed May 7, 2015). When a breach of patient information occurred, the insurer sought shelter in an exemption to coverage, arguing that the breach arose from the insured’s failure to implement the security protocols it outlined in its application for insurance. Although the issue was ultimately not decided—the case was dismissed on procedural grounds—it raises interesting compliance questions that are likely to resurface in future cyber security disputes.
Ms. Staab is an associate in the Boston office of Day Pitney LLP. She can be reached at email@example.com.
© 2016 Day Pitney LLP. All rights reserved.