From a “dollars and cents” perspective, the financial impact on businesses of data breaches is nothing if not costly given that data breaches rarely happen in a vacuum or affect only a few of a company’s records or customers. In 2011, for example, hackers breached Sony’s PlayStation network, exposing an estimated 77 million user accounts.[7] Sony estimated the total cost of the breach to be around $170 million, but several analysts have calculated the overall impact (including loss of customers and drop in share price) to be a “significant multiple” beyond this figure.[8] In 2013, hackers installed malware in Target’s security and payments system that ultimately led to the theft of about 40 million credit and debit card records and 70 million other records containing information such as addresses and phone numbers of Target customers.[9] Target reported a 46 percent drop in net profit during the 2013 holiday quarter and $61 million in costs related to the breach.[10]
A report issued by the Ponemon Institute—calculating the cost of data breaches sustained by organizations across a variety of industries (including, among others, health care, financial, pharmaceuticals, transportation, and communications)[11] —considered both direct and indirect expenses incurred by the organizations.[12] The report concluded that U.S. companies had the second most costly data breaches in the world (behind German companies), costing approximately $188 per record.[13] This figure comprises different types of data breaches, including those resulting from active hacking efforts, human error, and system glitches.[14] Malicious and criminal attacks, accounting for roughly 37 percent of all data breaches, cost U.S. companies approximately $277 per compromised record.[15] The Ponemon Institute also calculated the average company cost, in 2014, for investigations, satisfying notification obligations to consumers, and ex-post incident responses following a data breach at a staggering $3.5 million.[16] That is a 15 percent increase from 2013.[17] As a result, it is not surprising that Ernst & Young’s 2013 Global Information Security Survey identified “cyber risks/cyber threats” as “top priorities” for 38 percent of all companies surveyed.[18]
The Divergent Nature of Cyber Liability Exposures
One issue that can make the assessment and mitigation of cyber risks so complicated is their differing nature, which can result in a variety of exposures for businesses. Some data breaches occur as a result of relatively straightforward logistical errors, such as one situation involving an employee’s use of his own vehicle to transport storage tapes containing hospital patient information.[19] The data breach occurred when the tapes were stolen from the employee’s vehicle while it was parked outside his home.[20] In another example, an employee at Riverside Community College District in California exposed the records of 35,212 students enrolled for the Spring 2014 semester by mistyping an email address while using a personal email account to send a file that was too large for the school’s protected email system.[21]
Other incidents, like the recent Target data breach or hacking efforts targeted at large banks and hedge funds, involve more sophisticated approaches. For example, news broke in late August 2014 that hackers stole data from J.P. Morgan Chase & Co. and as many as four other banks.[22] The FBI is reportedly investigating the incident to determine whether Russian hackers were behind it and whether the breach was a retaliatory measure in response to U.S. government sanctions against Russia.[23] Authorities are also investigating whether recent infiltrations of major European banks are linked to the J.P. Morgan attack.[24] In one of those attacks, hackers exploited a software flaw on one of the banks’ websites, then “plowed through layers of elaborate security to steal the data, a feat security experts said appeared far beyond the capability of ordinary criminal hackers.”[25] While the investigation remains ongoing, a spokeswoman for J.P. Morgan stated that “[c]ompanies of our size unfortunately experience cyberattacks nearly every day. We have multiple layers of defense to counteract any threats and constantly monitor fraud levels.”[26]
The means utilized to carry out a data breach often depends on the type of entity that is the target of the breach and the preventative mechanisms the entity has in place. Trustwave, a cybersecurity firm, recently identified the most common methods of intrusion that hackers use to effect data breaches, which include the use of weak passwords and vulnerable off-the-shelf software as well as file uploading flaws.[27] The data breach at Target, a company with access to volumes of customer information, utilized a “point of sale” malware that remotely exploited businesses’ administrator accounts and stole consumers’ payment data, such as their credit and debit card numbers.[28]
The wealth of information available on social media outlets has also garnered attention in the hacking world. Facebook had an estimated 180 million users in the United States as of January 2014, as calculated by iStrategyLabs,[29] and approximately 1.1 billion users worldwide.[30] In a massive data breach in 2013, hackers stole user names and passwords for approximately 318,000 Facebook accounts.[31] In that same breach, hackers also stole log-in credentials for 22,000 Twitter accounts and 8,000 LinkedIn accounts.[32] According to Trustwave, the breach was a result of key-logging software maliciously installed on computers around the world that captured log-in credentials and sent user names and passwords to a server controlled by the hackers.[33] A Trustwave spokesperson explained that the breach was not a result of any weakness in those companies’ networks—instead, individual users had malware installed on their computers and had their passwords stolen.[34]
While many social media users likely do not keep sensitive information stored in their accounts (such as credit card information and Social Security numbers), experts say that breaches involving user names and passwords are nonetheless dangerous for consumers, who frequently use the same credentials for multiple sites.[35] For example, after hackers took customer credentials from Adobe in a 2013 attack, Facebook discovered that some of its users employed the same user name and password combination on their Facebook accounts.[36] Criminals have also used hacked data to send phishing spam on social media accounts.[37]
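The Facebook response to the Adobe leak described above is a concrete technique: a service that stores salted, iterated password hashes cannot read its users’ passwords, but when a third-party dump exposes plaintext credentials it can hash each leaked password under the matching account’s salt and compare, then force a reset on any match. The following is an added example, not code from the article or from either company; it assumes PBKDF2-SHA256 storage and uses constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: PBKDF2 work factor used by the site


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash as a site would store it (never the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(users):
    """Build a {email: (salt, hash)} table from (email, password) pairs.

    This only simulates sign-up; a real site never has the plaintext after that.
    """
    db = {}
    for email, password in users:
        salt = os.urandom(16)
        db[email.lower()] = (salt, hash_password(password, salt))
    return db


def find_reused_credentials(user_db, leaked_dump):
    """Return the site's accounts whose password matches a third-party leak.

    leaked_dump is an iterable of (email, plaintext_password) from another
    site's breach. Each candidate is hashed under the local salt so the stored
    hash is never reversed; a constant-time compare avoids a timing oracle.
    """
    hits = []
    for email, leaked_pw in leaked_dump:
        record = user_db.get(email.lower())
        if record is None:
            continue  # not one of our users
        salt, stored_hash = record
        if hmac.compare_digest(stored_hash, hash_password(leaked_pw, salt)):
            hits.append(email.lower())
    return hits


def force_resets(user_db, accounts):
    """Invalidate the stored hash for each reused credential so the old
    password can no longer be used to log in (the user must reset)."""
    for email in accounts:
        salt, _ = user_db[email]
        user_db[email] = (salt, b"")  # empty hash never matches any password
    return len(accounts)


# Constructed sample data (not real accounts or a real dump).
SITE_USERS = [
    ("alice@example.com", "Winter2013!"),   # reuses the leaked password
    ("bob@example.com", "correct horse"),   # different password on this site
    ("carol@example.com", "tr0ub4dor&3"),   # not in the dump
]
LEAKED_DUMP = [
    ("Alice@Example.com", "Winter2013!"),   # case differs, same account
    ("bob@example.com", "hunter2"),
    ("dave@example.com", "letmein"),        # not a user here
]

if __name__ == "__main__":
    db = make_user_db(SITE_USERS)
    reused = find_reused_credentials(db, LEAKED_DUMP)
    print("accounts to reset:", reused)
    print("resets forced:", force_resets(db, reused))
```

Running the block prints the single account whose leaked password matches its stored hash. The same loop is the expensive part of such a sweep: one PBKDF2 computation per leaked row, which is why sites batch it offline rather than on the login path.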
In addition, companies are becoming more aware of the cyber liability risks presented by vendors and consultants, such as law firms, with which they do business. An increasing number of corporate clients are now demanding that their legal counsel take further steps to guard against data breaches and other online intrusions.[38] Some corporate clients are asking law firms to fill out lengthy questionnaires detailing their cybersecurity practices, while others are conducting their own on-site inspections.[39] Many other companies have demanded that law firms stop putting files on portable flash drives, emailing documents to nonsecure tablets or other devices, or working on computers linked to shared networks in countries like China and Russia, where hacking is prevalent.[40] The vulnerability of law firms is particularly concerning to law enforcement agencies, given that law firms maintain a wealth of corporate secrets, business strategies, and intellectual property.[41]
Even considering the persistent threat from third-party hackers, information technology professionals insist that the biggest threat to a law firm’s information security comes from its own employees.[42] One commentator has suggested that law firms are vulnerable to data breaches from three main sources: (1) an employee who downloads a virus or mistakenly leaves an unencrypted laptop somewhere, like a taxi; (2) a breach of the law firm’s vendors who have access to client information; or (3) foreign hackers looking to get information from firms working on major business deals or intellectual property matters.[43]
A data breach can also result in exposure for a company’s management and board of directors. Some incidents have engendered allegations that a company’s board members breached their fiduciary duties by failing to take sufficient steps to protect the company from a data breach and the resulting consequences.[44] This is precisely the predicament in which Target finds itself, as it has been named as a defendant in at least two shareholder derivative suits against the company’s directors and officers, as well as against the company itself.[45] The two lawsuits are similar, alleging that the defendants were aware of the importance of keeping customer information secure, as well as the risks to the company that a data breach could present.[46] The lawsuits also allege that Target’s directors and officers failed to implement internal controls designed to detect and prevent such a data breach.[47] Even if Target and its directors and officers ultimately prevail in the litigation, they will almost certainly incur substantial defense fees and forensic experts’ costs in order to do so.
State and federal regulators are becoming increasingly involved in addressing cyber liability issues, which can raise a company’s exposure for loss under some circumstances. Following a series of data breaches sustained by Wyndham Worldwide Corporation, a shareholder for the company initiated a derivative lawsuit against certain directors and officers of the company, as well as against the company itself as a nominal defendant.[48] Adding to its concerns, the company was also the target of a Federal Trade Commission (FTC) enforcement action in connection with the breaches.[49] In the FTC’s enforcement action, the FTC alleged that Wyndham’s failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information was a violation of the prohibition found in section 5(a) of the Federal Trade Commission Act of “acts or practices in or affecting commerce” that are “unfair” or “deceptive.”[50] The FTC’s action seeks to compel Wyndham to improve its security measures and to remedy any harm its customers have suffered.[51]
The federal government has also begun creating rules and requirements for entities to follow in the wake of security breaches or other unintended disclosures of private information. In 2013, the U.S. Department of Health and Human Services issued a final omnibus rule with the intent of strengthening the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act (HIPAA).[52] That rule expanded many of HIPAA’s privacy and security rules to business associates of entities that receive protected health information, such as contractors and subcontractors.[53] It also strengthened the Health Information Technology for Economic and Clinical Health Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to the Department of Health and Human Services.
In 2009, the FTC issued the Health Breach Notification Rule to require certain businesses not covered by HIPAA to notify their customers and others if there is a breach of unsecured, individually identifiable electronic health information.[54] The FTC treats each violation of this rule as an unfair or deceptive act or practice in violation of an FTC regulation, and businesses violating the rule may be subject to a civil penalty of up to $16,000 per violation.[55]
Moreover, state legislatures have begun creating security breach notification requirements. For example, under Massachusetts law, where a person or agency who owns or licenses personal information knows or has reason to know of a security breach or that the personal information of a Massachusetts resident was acquired or used by an unauthorized person or for an unauthorized purpose, that person or agency must notify the Massachusetts attorney general and the Office of Consumer Affairs and Business Regulation of that breach or unauthorized acquisition or use.[56] Under Ohio law, any person who owns or licenses computerized data that include personal information must disclose any breach of the security of the system following its discovery or notification of the breach to any resident of Ohio whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.[57]
Coverage (or Lack Thereof) for Cyber Losses under Traditional Insurance Policies
In recognition of the increasing need for companies to mitigate potential loss from cyber crimes and other cyber-related risks, some corporate risk managers are beginning to see insurance against cyber crime as a necessary expense, rather than a luxury.[58] Marsh & McLennan Companies estimates that the U.S. cyber insurance market was worth $1 billion in 2013 in gross written premiums and could increase to as much as $2 billion this year.[59] Still, the insurance industry is in the “relative infancy stage” regarding cyber insurance products, as insurers lack data and claims history to build an accurate analysis of exposure and are therefore reluctant to offer broad coverage wording and capacity for cyber attacks.[60] Insurance companies are rushing to gain expertise in cyber technology but are still having difficulty pricing the risk due to a lack of statistically significant actuarial data available, according to Robert Parisi, head of cyber products at Marsh.[61]
When faced with cyber liability claims, businesses automatically turn to their insurance agents for help—asking them to submit claims for cyber losses under their existing portfolio of insurance products, which often do not include stand-alone cyber liability insurance policies. As a result, businesses are seeking coverage for such claims under more traditional forms of coverage, such as directors’ and officers’ liability, general liability, fidelity, and property policies that do not commonly cover cyber exposures expressly. Given the large losses typically arising from cyber claims, insureds may need to resolve claim disputes under traditional policies in court. In other words, without the life preserver afforded by stand-alone cyber liability coverage, companies facing substantial cyber claims may find themselves frantically treading water trying to avoid drowning as they seek the safety of a distant shoreline.
Commercial crime policies. Two recent cases involving commercial crime coverage indicate that the extent of coverage that may be provided for data breaches or other fraud involving an insured’s computer systems is still very much evolving. In Retail Ventures v. National Union Fire Insurance Co.,[62] the Sixth Circuit Court of Appeals held that a claim arising from a data breach was covered under a “Computer & Funds Transfer Fraud Coverage” endorsement to a “Blanket Crime Policy.” The endorsement provided, in relevant part, that the insurer would pay for loss the insured sustained “resulting directly from . . . [t]he theft of any Insured Property by Computer Fraud . . . .” The insurer denied the claim, arguing the loss was not covered because it was not a loss “resulting directly from” the theft of insured property, citing cases in which courts have recognized that crime coverage is generally first-party insurance that would not extend to circumstances involving third-party liability. However, while the Sixth Circuit acknowledged that courts applying Illinois, California, New York, Wisconsin, and Utah law have followed the “direct means direct” approach, limiting crime coverage to first-party loss, other courts have applied a more relaxed “proximate cause” standard to fidelity losses, which would not prohibit an insured’s recovery for payments made to third parties.[63] The court cited cases in New Jersey, Pennsylvania, and Tennessee in this regard, and predicted from a review of non-fidelity cases addressing the concept of “direct loss” that an Ohio court would apply the broader proximate-cause analysis.[64] The court concluded that the losses the insured suffered as a result of its liability to customers for the data breach were a direct loss covered under the computer and funds transfer fraud coverage endorsement.[65]
The Sixth Circuit in Retail Ventures also held that the policy’s exclusion for proprietary and other confidential information did not preclude coverage. That exclusion stated that coverage “does not apply to any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.” The court reasoned that even if the copying of customer information qualified as a “loss,” it was not a loss of “proprietary information” or “other confidential information.”[66] Instead, the court reasoned that customers’ credit card and account information was not proprietary because it was owned or held by many different entities, including the customers, the financial institutions issuing the cards, and all the merchants involved in the stream of commerce.[67] Further, the court held that the exclusion was limited to the insured’s confidential or proprietary information related to the manner in which the insured conducted its own business. It did not, therefore, apply to customer information because that information did not “involve the manner in which the business is operated.”[68]
Retail Ventures opens a door, but is certainly not definitive, as to whether commercial crime or fidelity policies would generally cover an insured’s liability losses from a data breach. Not only does it remain possible that an Ohio court might not follow the prediction of the Sixth Circuit ruling; the ruling itself underscores the split of authority in regard to treatment of crime and fidelity coverage as being solely first-party insurance.
In another recent ruling, in Universal American Corp. v. National Union Fire Insurance Co.,[69] a New York court examined the scope of a “Computer Systems Fraud” endorsement in the context of a scheme in which fraudulent insurance claims had been submitted to a health insurer by Medicare service providers. The health insurer argued that the scheme created “loss resulting from a fraudulent . . . entry of Electronic Data . . . into [the health insurer’s] proprietary Computer System.”[70] However, the insurer avoided payment for the loss, arguing that such language does not extend coverage to authorized users of the system and that it applies instead to situations involving computer hackers or imposters. Because the computer system was used as intended, by an authorized user submitting false claims data, the computer systems fraud endorsement did not provide coverage.[71]
General liability policies. Courts in recent cases have held that cyber liability claims are not covered under general liability policies because the underlying claim does not assert a “publication” sufficient to satisfy the policies’ definitions of “personal injury.” For example, in National Union Fire Insurance Co. of Pittsburgh, PA v. Coinstar, Inc.,[72] the court found there was no coverage under a general liability policy as the injury alleged in an underlying suit arose out of the collection of personal information, rather than its oral or written publication. The coverage dispute in Coinstar arose from a lawsuit against Redbox Automated Retail, LLC, a wholly owned subsidiary of Coinstar, Inc., which operates automated DVD-vending machines in various locations throughout the United States. A class action lawsuit captioned Sterk v. Redbox Automated Retail, LLC[73] alleged that Redbox maintains customers’ “personally identifiable information” including their names, billing and contact information, credit card numbers, and video rental history for indefinite periods of time after customers obtain rentals from Redbox kiosks.[74] The lawsuit asserted that Redbox used its customers’ personal information for marketing purposes and disclosed customers’ personal information to third parties without their express permission. The plaintiffs alleged that such retention and disclosure of personal information violates the Video Privacy Protection Act, 18 U.S.C. § 2710 et seq. (VPPA).[75]
The coverage litigation involved two consecutive commercial general liability (CGL) policies issued by National Union to Coinstar, each providing coverage for personal injury and advertising injury. The policies each stated, in relevant part, that “personal injury and advertising injury” means “injury, including consequential ‘bodily injury’, humiliation, mental anguish or shock, arising out of” several enumerated offenses, including “oral or written publication, in any manner, of material that violates a person’s right of privacy.”[76]
The policies also included an exclusion for “Violation of Statutes in Connection with Sending, Transmitting, or Communicating Any Material or Information.” That exclusion provided:
This insurance does not apply to any loss, injury, damage, claim, suit, cost or expense arising out of or resulting from, caused directly or indirectly, in whole or in part by, any act that violates any statute, ordinance or regulation of any federal, state or local government, including any amendment of or addition to such laws, that addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever.[77]
National Union moved for partial summary judgment, arguing, among other things, that the “Violation of Statutes” exclusion precluded coverage for alleged violations of the VPPA. The court agreed, finding that the VPPA expressly “prohibits a ‘video tape service provider’ from disclosing [to any person] ‘personally identifiable information’ about one of its customers.”[78] The sole purpose of the VPPA, the court reasoned, is to protect consumers’ privacy by prohibiting the “sending, transmitting or communicating” of their personal information “to any person” except in specific, limited circumstances.[79] Therefore, because neither the underlying class of plaintiffs, nor defendant Redbox, suggested any other cause of action to be gleaned from the facts alleged, the court found that the “Violation of Statutes” exclusion applied to preclude coverage.[80]
Recall Total Information Management Inc. v. Federal Insurance Co.[81] involved a claim under a general liability policy, issued by Federal Insurance Company, and an umbrella policy, issued by Scottsdale Insurance Company, for liability arising from the loss of computer data tapes. In Recall, the plaintiff had entered into a distribution agreement with IBM, pursuant to which the plaintiff agreed to transport and store IBM’s electronic media. The plaintiff subsequently subcontracted with Ex Log, a transportation company, to transport IBM’s media. On February 23, 2007, an IBM cart containing electronic media fell out of the transporter’s van. The cart and approximately 130 computer data tapes, containing personal information for over 500,000 IBM employees, were taken by an unknown person and never recovered. IBM and the plaintiff settled for the full amount of IBM’s loss (nearly $6.2 million), and the plaintiff thereafter sought indemnification from the transport company. The insurers denied coverage for the settlement under the CGL policy.[82]
In the ensuing coverage litigation, the appellate court affirmed the trial court’s finding that the insurers had no duty to defend, given that the losses associated with the incident were not personal injuries covered by the policy. In so ruling, the court looked to the policy provision stating “we will pay damages that the insured becomes legally obligated to pay by reason of liability: imposed by law; or assumed in an insured contract; for advertising injury or personal injury to which this coverage applies.”[83] The court noted that the policy defined “personal injury” to mean “injury, other than bodily injury, property damage or advertising injury, caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right to privacy.”[84] The court reasoned that the definition of personal injury under the policy “presupposes publication of the personal information contained on the tapes. Thus, the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information in them has been published.”[85] As there was nothing in the record to suggest that the information on the tapes had been accessed by anyone, the court found the “publication” requirement had not been met.[86]
However, even when courts find that a “publication” has been made, they may still hold that a general liability policy precludes coverage where such publication was not made by the insured. Such was the case in Zurich American Insurance Co. v. Sony Corp. of America,[87] where the court reasoned that, although third-party hackers’ taking of personal information met the publication requirement, coverage did not apply because the hackers, not the insured, were the publishers.[88]
Some courts, however, have found coverage under general liability policies for cyber liability issues, specifically finding that the policies’ publication requirement was satisfied. For example, in Netscape Communications Corp. v. Federal Insurance Co.,[89] the court concluded coverage was available by finding an “oral or written publication . . .” where related entities shared consumer information with each other and files were circulated among employees of the insureds. Similarly, in Zurich American Insurance Co. v. Fieldstone Mortgage Co.,[90] the court held that a general liability policy provided coverage for claims alleging violations of the Fair Credit Reporting Act where, among other things, receipt of prescreened mortgage refinance offers constituted a publication under the policy’s advertising injury provision.
Directors’ & officers’ liability policies. As discussed above, directors and officers may have exposure for business decisions involving cyber liability issues that result in harm to their companies. Given that most directors’ and officers’ (D&O) insurance policies covering “wrongful acts” define that term very broadly, a director’s or officer’s “acts, errors or omissions” may well encompass cyber-related claims absent any express exclusion for such liability. Because D&O policies have not historically contained express exclusions for losses arising from cyber liability losses, in the event of a data breach, the insured company’s management may initially rejoice when they learn that the company has coverage under its D&O policy for the claim. However, management’s jubilation may quickly dim upon realizing that the D&O policy’s limit of liability will be reduced by any cyber liability losses, including fees and costs incurred in defending lawsuits, leaving the company with little or no coverage for more traditional D&O claims during the same policy period. Consequently, prudent insureds may wish to purchase a separate limit of liability under their D&O policies for cyber risks or buy a stand-alone cyber liability policy. Commercial entities should also remember that the definition of “loss” in most D&O policies explicitly excludes some types of losses that may arise from cyber claims such as “fines and penalties” and “uninsurable matters” such as restitutionary losses, which are not insurable in many jurisdictions.
Although disputes involving coverage for cyber claims under D&O insurance policies are pending in some jurisdictions, few decisions are currently publicly available. However, in one case, First Bank of Delaware, Inc. v. Fidelity & Deposit Co. of Maryland,[91] the insurer, Fidelity and Deposit Company of Maryland, denied coverage under the entity liability and electronic risk liability sections of the D&O liability policy it had issued to the insured. In that case, hackers gained access to debit card numbers and personal identification numbers, resulting in unauthorized withdrawals of millions of dollars from customer accounts. Following the breach, the insured was notified by Visa and MasterCard of issuer cost reimbursement assessments it was required to pay. The insured sought coverage under its D&O policy, but the insurer denied coverage for the losses under both section 3 (Entity Liability) and section 4 (Electronic Risk Liability). The parties agreed that if coverage existed under section 4 of the policy, there could be no coverage under section 3. Therefore, the court’s analysis was limited to section 4.[92]
The policy’s section 4 provided coverage for “all loss resulting from any electronic risk claim . . . (1) for an electronic publishing wrongful act or (2) that arises out of a loss event.” The policy defined “loss event” to include “any unauthorized use of, or unauthorized access to electronic data or software with a computer system.” The policy required that a “Computer System” be “used by the Company or used to transact business on behalf of the Company.” The issue, therefore, was whether the computer system was used “on behalf of” the insured.[93]
The insurer denied coverage, contending that the computer system in which the data breach occurred was not used to transact business on the insured’s behalf and that the associated losses were therefore not covered under the policy. The court rejected this argument, reasoning it did not read the phrase “on behalf of” to require that the computer system be used to primarily benefit the insured. The court found that the computer system was used to benefit multiple parties, including the insured, thus satisfying the policy’s requirement that the computer system be used “on behalf of” the insured.[94]
Turning to the policy’s exclusions, the court noted that Exclusion M precluded coverage for any claim against the insured “based upon or attributable to or arising from the actual or purported fraudulent use by any person or entity of any data or in any credit, debit, charge, access, convenience, customer identification or other card, including, but not limited to the card number.” The court accepted the insurer’s argument that there was a “meaningful link” between the hackers’ fraudulent use of the breached data and the resulting credit card reimbursement assessments issued for payment by the insured. The court therefore found that the insurer met its initial burden of proving that Exclusion M applied, as the court was satisfied that the fraudulent use of data and subsequent assessments were meaningfully linked in a way that qualified as “arising from” under Exclusion M.[95]
Because the insurer met its initial burden of demonstrating that Exclusion M applied, the burden shifted back to the insured to prove that an exception to the exclusion applied. The insured argued that Exclusion M did not apply because (1) Exclusion M was unintelligible and ambiguous; and (2) application of Exclusion M would render coverage illusory. With respect to the insured’s first argument, the court found Exclusion M was unclear grammatically based on the use of the word “or” between the clause ending with “of any data” and the clause beginning with “in any credit.” Nevertheless, the court reasoned, it was clear that the first half of the clause (“based upon or attributable to or arising from the actual or purported fraudulent use by any person or entity of any data”) was intended to exclude the “fraudulent use” of data, however that fraud occurs. The court therefore found that Exclusion M could not reasonably be interpreted to have a meaning other than excluding the fraudulent use of data, and for that reason, no relevant ambiguity existed in Exclusion M.[96]
With respect to the insured’s second argument, the court found that applying Exclusion M would “swallow the coverage” granted under the policy’s provision for “any unauthorized use of, or unauthorized access to electronic data . . . with a computer system.”[97] The court reasoned that, while it is theoretically possible that an example of non-fraudulent unauthorized use of data exists, in the context of the policy at issue, all unauthorized use could be, to some extent, fraudulent. As a result, the court found that Exclusion M was “almost entirely irreconcilable” with the policy’s “loss event” coverage and therefore held that the policy provided coverage.[98]
Physical loss or damage. Some courts have found that loss of electronic data does not amount to a loss of physical or tangible property. For example, in America Online, Inc. v. St. Paul Mercury Insurance Co.,[99] the court observed:
The insurance policy in this case covers liability for “physical damage to tangible property,” not damage to data and software, i.e., the abstract ideas, logic, instructions, and information. Thus, while it covers any damage that may have been caused to circuits, switches, drives, and any other physical components of the computer, it does not cover the loss of instructions to configure the switches or the loss of data stored magnetically.[100]
Similarly, in Ward General Insurance Services, Inc. v. Employers Fire Insurance Co.,[101] the court noted: “Thus, relying on the ordinary and popular sense of the words, we say with confidence that the loss of plaintiff’s database does not qualify as a ‘direct physical loss,’ unless the database has a material existence, formed out of tangible matter, and is perceptible to the sense of touch.”[102]
Other courts, however, have determined that loss of data does satisfy a policy’s requirement for physical loss or damage to property. Thus, in NMS Services Inc. v. The Hartford,[103] the court found there was “direct physical loss of or damage to property” where an ex-employee erased vital computer files and databases necessary for the operation of the company’s manufacturing, sales, and administrative systems.[104] Likewise, in Southeast Mental Health Center, Inc. v. Pacific Insurance Co., Ltd.,[105] the court held that the loss of data in the insured’s pharmacy computer caused by a power outage constituted a “direct physical loss of or damage to property.”[106]
Some courts have gone further, finding that an insured’s loss of access to, or use of, its computers or network system satisfies a physical loss or damage requirement. For example, in Vonage Holdings Corp. v. Hartford Fire Insurance Co.,[107] the court concluded that the insured’s loss of the ability to use the full capacity of its servers, although only temporary, was a “plausible interpretation of what constitutes a loss of property.”[108] Consistent with this line of thought, the court in American Guaranty & Liability Insurance Co. v. Ingram Micro, Inc.[109] pointed out:
At a time when computer technology dominates our professional as well as personal lives, this Court must side with Ingram’s broader definition of “physical damage.” The Court finds that “physical damage” is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.[110]
Errors and omissions policies. As illustrated by the court’s decision discussed below, some errors and omissions insurance policies may afford coverage for cyber claims. However, most errors and omissions policies will not provide such coverage because they require errors or omissions occurring in the performance of professional services by the insured. Although there are exceptions given the varying nature of cyber claims, they commonly would not arise from the provision of “professional services” as that term is typically defined in errors and omissions policies.
In one recent case, however, the Eighth Circuit Court of Appeals held that the underlying claim alleged a “wrongful act” as defined in an errors and omissions policy. In Eyeblaster, Inc. v. Federal Insurance Co.,[111] the insured’s business involved providing “rich media advertising” services, allowing its customers to create interactive ads and to track and manage the performance of their advertising campaigns. Its services used cookies to measure and enhance the effectiveness of its advertising campaigns, and JavaScript and Flash technology to “enliven web pages and increase the Internet’s utility.” The plaintiff in the underlying action alleged that his computer was infected with a spyware program from the insured. He alleged that he lost all the data on a tax return on which he was working and that he incurred many thousands of dollars of loss. He also alleged that he experienced numerous pop-up ads, a hijacked browser that communicated with websites other than those directed by the operator, random error messages, slowed computer performance that sometimes resulted in crashes, and ads oriented “toward his past web viewing habits.”[112] The plaintiff alleged violations of federal and state statutes and asserted various tort claims. The insured sought coverage under a general liability policy and an information and network technology errors or omissions liability policy.
The errors or omissions policy obligated the insurer to pay for financial injury caused by a wrongful act that results in the failure of the insured’s product to perform its intended purpose. The policy defined “wrongful act” to include an error, an unintentional omission, or a negligent act. Examining the allegations of the underlying complaint, the court of appeals reversed the district court’s ruling that the policy did not cover allegedly intended acts that resulted in unintended injuries.[113] The court reasoned that the underlying plaintiff alleged the insured installed tracking cookies, Flash technology, and JavaScript on his computer, all of which were intentional acts. However, the court noted, the insurer could not point to evidence that doing so, in and of itself, was intentionally wrong. The insurer, therefore, could not label such conduct as intentionally wrongful merely because it was included in the plaintiff’s complaint; the insurer had a duty to show that the use of such technology was outside the policy’s coverage. Because it failed to do so, the court held the complaint did allege a wrongful act.[114]
Conclusion
As reflected by the court decisions discussed in this article, an insured’s ability to obtain coverage for cyber claims under more traditional policies, which were not designed to cover cyber risks, is unclear and may require the institution of legal proceedings in some circumstances. From the insurer’s perspective, an insured’s decision to pursue coverage for claims not contemplated, in either the underwriting process or the rates charged for the policy, can be problematic on many levels. What seems clear, however, is that business conducted on the Internet will continue to expand, generating countless opportunities for growth and prosperity for well-situated companies. The risk of loss from cyber-related activities will likely grow in tandem with that expansion. For those of us committed to swimming in uncharted water—and who among us can resist the lure of deep water on a beautiful day—prudence would suggest that we bring a life preserver along, rather than leave our survival to the vagaries of the briny deep.
Keywords: litigation, insurance, coverage, cyber liability, commercial crime policy, directors’ and officers’ liability, general liability, errors or omissions policy, fidelity, property policy
Carrie E. Cope and Ian Reynolds are with Schuyler, Roche & Crisham, P.C., Chicago.
[1] Carrie E. Cope is a shareholder with Schuyler, Roche & Crisham, P.C., Chicago. Ian Reynolds is an associate with the firm.
[2] Ctr. for Strategic & Int’l Studies, Net Losses: Estimating the Global Cost of Cybercrime 7 (June 2014).
[3] Net Losses: Estimating the Global Cost of Cybercrime, supra note 2, at 7.
[4] Crawford & Company, The Future of Cyber Insurance 3.
[5] Identity Theft Res. Ctr., 2014 Data Breach Category Summary (Aug. 26, 2014).
[6] 2014 Data Breach Category Summary, supra note 5.
[7] The Future of Cyber Insurance, supra note 4, at 3.
[8] The Future of Cyber Insurance, supra note 4, at 3.
[9] Dhanya Skariachan & Jim Finkle, “Target’s Cyber Insurance Softens Blow of Massive Credit Breach,” Ins. J., Feb. 26, 2014.
[10] “Target’s Cyber Insurance Softens Blow of Massive Credit Breach,” supra note 9.
[11] Ponemon Inst., 2013 Cost of Data Breach Study: Global Analysis 6 (May 2013).
[12] 2013 Cost of Data Breach Study: Global Analysis, supra note 11. The Ponemon Institute identifies “direct expenses” to include engaging forensic experts, outsourcing hotline support, providing free credit monitoring subscriptions to customers, and discounts for future products and services. It identifies “indirect expenses” to include in-house investigations and communications and extrapolated value of customer loss resulting from turnover or diminished acquisition rates.
[13] 2013 Cost of Data Breach Study: Global Analysis, supra note 11.
[14] 2013 Cost of Data Breach Study: Global Analysis, supra note 11, at 7.
[15] 2013 Cost of Data Breach Study: Global Analysis, supra note 11.
[16] Press Release, Ponemon Inst., 2014 Cost of Data Breach: Global Analysis (May 5, 2014).
[17] 2014 Cost of Data Breach: Global Analysis, supra note 16.
[18] Ernst & Young, Under Cyber Attack: EY’s Global Information Security Survey 2013, at 5.
[19] Colo. Cas. Ins. Co. v. Perpetual Storage, Inc., No. 2:10-cv-00316 DAK, 2011 U.S. Dist. LEXIS 34049 (D. Utah 2011).
[20] Colorado Casualty Insurance Co., No. 2:10-cv-00316 DAK, 2011 U.S. Dist. LEXIS 34049.
[21] Kate Vinton, “Data Breach Bulletin,” Forbes, June 23, 2014.
[22] Danny Yadron, Emily Glazer & Devlin Barrett, “FBI Probes Possible Hacking Incident at J.P. Morgan,” Wall St. J., Aug. 28, 2014.
[23] Michael Riley & Jordan Robertson, “FBI Examining Whether Russia Is Tied to JPMorgan Hacking,” Bloomberg, Aug. 27, 2014.
[24] “FBI Examining Whether Russia Is Tied to JPMorgan Hacking,” supra note 23.
[25] “FBI Examining Whether Russia Is Tied to JPMorgan Hacking,” supra note 23.
[26] Ellen Nakashima & Andrea Peterson, “FBI Probes Hack into Computers of JPMorgan Chase, Other U.S. Banks,” Wash. Post, Aug. 27, 2014.
[27] Trustwave, 2014 Trustwave Global Security Report 33.
[28] Andrea Peterson, “Secret Service Estimates Type of Malware That Led to Target Breach Is Affecting Over 1,000 U.S. Businesses,” Wash. Post, Aug. 22, 2014.
[29] iStrategyLabs, 3 Million Teens Leave Facebook in 3 Years: The 2014 Facebook Demographic Report (Jan. 15, 2014).
[30] Gerry Shih, “Facebook Admits Year-Long Data Breach Exposed 6 Million Users,” Reuters, June 21, 2013.
[31] Jose Pagliery, “2 Million Facebook, Gmail and Twitter Passwords Stolen in Massive Hack,” CNN Money, Dec. 4, 2013.
[32] Cheryl Chumley, “Hack Attack: 2 Million Facebook, Twitter Passwords Stolen,” Wash. Times, Dec. 5, 2013.
[33] “2 Million Facebook, Gmail and Twitter Passwords Stolen in Massive Hack,” supra note 31.
[34] Samantha Murphy Kelly, “Hackers Compromise 2 Million Facebook, Twitter and Gmail Accounts,” Mashable, Dec. 4, 2013.
[35] Danny Yadron, “Russian Hackers Steal 1.2 Billion Usernames and Passwords, Security Firm Says,” Wall St. J., Aug. 5, 2014.
[36] “Russian Hackers Steal 1.2 Billion Usernames and Passwords, Security Firm Says,” supra note 35.
[37] “Russian Hackers Steal 1.2 Billion Usernames and Passwords, Security Firm Says,” supra note 35.
[38] Matthew Goldstein, “Law Firms Are Pressed on Security for Data,” N.Y. Times, Mar. 26, 2014.
[39] “Law Firms Are Pressed on Security for Data,” supra note 38.
[40] “Law Firms Are Pressed on Security for Data,” supra note 38.
[41] “Law Firms Are Pressed on Security for Data,” supra note 38.
[42] Gina Passarella, “Law Firms’ Prime Data Security Threat: Their Own Employees,” Legal Intelligencer, Mar. 11, 2014.
[43] “Law Firms’ Prime Data Security Threat: Their Own Employees,” supra note 42.
[44] Kevin LaCroix, “Target Directors and Officers Hit with Derivative Suits Based on Data Breach,” D&O Diary, Feb. 3, 2014.
[45] “Target Directors and Officers Hit with Derivative Suits Based on Data Breach,” supra note 44.
[46] “Target Directors and Officers Hit with Derivative Suits Based on Data Breach,” supra note 44.
[47] “Target Directors and Officers Hit with Derivative Suits Based on Data Breach,” supra note 44.
[48] Kevin LaCroix, “Wyndham Worldwide Board Hit with Cyber Breach-Related Derivative Lawsuit,” D&O Diary, May 7, 2014.
[49] “Wyndham Worldwide Board Hit with Cyber Breach-Related Derivative Lawsuit,” supra note 48.
[50] “Wyndham Worldwide Board Hit with Cyber Breach-Related Derivative Lawsuit,” supra note 48.
[51] “Wyndham Worldwide Board Hit with Cyber Breach-Related Derivative Lawsuit,” supra note 48.
[52] Press Release, U.S. Dep’t of Health & Human Servs., New Rule Protects Patient Privacy, Secures Health Information (Jan. 17, 2013).
[53] New Rule Protects Patient Privacy, Secures Health Information, supra note 52.
[54] Press Release, Fed. Trade Comm’n, FTC Issues Final Breach Notification Rule for Electronic Health Information (Aug. 17, 2009).
[55] Press Release, Fed. Trade Comm’n, Complying with the FTC’s Health Breach Notification Rule (Apr. 2010).
[56] Mass. Gen. Laws ch. 93H, § 1 et seq.
[57] Ohio Rev. Code Ann. § 1349.19.
[58] Leigh Thomas & Jim Finkle, “Insurers in Dash for Expertise to Master Cyber Risk Insurance,” Ins. J., July 14, 2014.
[59] “Insurers in Dash for Expertise to Master Cyber Risk Insurance,” supra note 58.
[60] Crawford & Company, The Future of Cyber Insurance 4.
[61] Leigh Thomas & Jim Finkle, “Insurers Struggle to Get Grip on Burgeoning Cyber Risk Market,” Reuters, July 24, 2014.
[62] Retail Ventures v. Nat’l Union Fire Ins. Co., 691 F.3d 821 (6th Cir. 2012).
[63] Retail Ventures, 691 F.3d at 828–29.
[64] Retail Ventures, 691 F.3d at 830–32.
[65] Retail Ventures, 691 F.3d at 830–32.
[66] Retail Ventures, 691 F.3d at 833.
[67] Retail Ventures, 691 F.3d at 833.
[68] Retail Ventures, 691 F.3d at 834.
[69] Universal Am. Corp. v. Nat’l Union Fire Ins. Co., 959 N.Y.S.2d 849 (N.Y. Sup. Ct. 2013).
[70] Universal American Corp., 959 N.Y.S.2d at 851–52.
[71] Universal American Corp., 959 N.Y.S.2d at 853.
[72] Sterk v. Redbox Automated Retail, LLC, No. C13-1014-JCC, 2014 U.S. Dist. LEXIS 109338 (W.D. Wash. Aug. 7, 2014).
[73] Sterk v. Redbox Automated Retail, LLC, No. C11-1720, 2013 U.S. Dist. LEXIS 116077 (N.D. Ill. 2013).
[74] Sterk, 2013 U.S. Dist. LEXIS 116077, at *2–3.
[75] Sterk, 2013 U.S. Dist. LEXIS 116077, at *5.
[76] Nat’l Union Fire Ins. Co. of Pittsburgh, PA v. Coinstar, Inc., No. C13-1014-JCC, 2014 U.S. Dist. LEXIS 109338, at *4 (W.D. Wash. Aug. 7, 2014).
[77] Coinstar, Inc., 2014 U.S. Dist. LEXIS 109338, at *4–5.
[78] Nat’l Union Fire Ins. Co. of Pittsburgh, PA v. Coinstar, Inc., No. C13-1014-JCC, 2014 U.S. Dist. LEXIS 31441, at *7–9 (W.D. Wash. Feb. 28, 2014).
[79] Coinstar, Inc., 2014 U.S. Dist. LEXIS 31441, at *8.
[80] Coinstar, Inc., 2014 U.S. Dist. LEXIS 31441, at *8–9.
[81] Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 83 A.3d 664 (Conn. App. Ct. 2014).
[82] Recall Total, 83 A.3d at 668.
[83] Recall Total, 83 A.3d at 672.
[84] Recall Total, 83 A.3d at 672 (emphasis in original).
[85] Recall Total, 83 A.3d at 672 (emphasis in original).
[86] Recall Total, 83 A.3d at 673.
[87] Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 65198/2011 (N.Y. Sup. Ct., N.Y. Cnty., Feb. 21, 2014).
[88] Sony Corp., No. 65198/2011. Courts have also precluded coverage for cyber liability claims under general liability policies under “violation of statutes” exclusions. See Nat’l Union Fire Ins. Co. of Pittsburgh, PA v. Coinstar, Inc., No. C13-1014-JCC, 2014 U.S. Dist. LEXIS 31441 (W.D. Wash. Feb. 28, 2014) (finding coverage precluded under general liability policy with exclusion for violation of statutes in connection with sending, transmitting, or communicating any material or information, where underlying suit alleged that retention of private customer information and disclosure of same to third parties violated the federal Video Privacy Protection Act). But see Hartford Cas. Ins. Co. v. Corcino & Assocs., No. CV 13-3728 GAF, 2013 U.S. Dist. LEXIS 158236 (C.D. Cal. Oct. 7, 2013) (finding coverage where underlying suit alleged violations of privacy statutes and policy contained exclusion for injury arising out of “violation of a person’s right to privacy created by any state or federal act,” because the right to medical privacy was a common law right not created by statute and a cause of action for violation of a right to medical privacy would have been available even without the statutory authority).
[89] Zurich Am. Ins. Co. v. Fieldstone Mortg. Co., 343 F. App’x 271 (9th Cir. 2009).
[90] First Bank of Del., Inc. v. Fidelity & Deposit Co. of Md., No. CCB-06-2055, 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007).
[91] First Bank of Del., Inc. v. Fidelity & Deposit Co. of Md., No. N11C-08-221 MMJ CCLD, 2013 Del. Super. LEXIS 465 (Del. Super. Ct. Oct. 30, 2013).
[92] Fidelity & Deposit Co., 2013 Del. Super. LEXIS 465, at *8.
[93] Fidelity & Deposit Co., 2013 Del. Super. LEXIS 465, at *12.
[94] Fidelity & Deposit Co., 2013 Del. Super. LEXIS 465, at *15.
[95] Fidelity & Deposit Co., 2013 Del. Super. LEXIS 465, at *18.
[96] Fidelity & Deposit Co., 2013 Del. Super. LEXIS 465, at *21.
[97] Fidelity & Deposit Co., 2013 Del. Super. LEXIS 465, at *25.
[98] Fidelity & Deposit Co., 2013 Del. Super. LEXIS 465, at *25.
[99] Am. Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003).
[100] America Online, Inc., 347 F.3d at 96.
[101] Ward Gen. Ins. Services, Inc. v. Employers Fire Ins. Co., 7 Cal. Rptr. 3d 844 (Cal. Ct. App. 2003).
[102] Ward General Insurance Services, 7 Cal. Rptr. 3d at 850.
[103] NMS Services Inc. v. The Hartford, 62 F. App’x 511 (4th Cir. 2003).
[104] NMS Services, 62 F. App’x at 514.
[105] Southeast Mental Health Center, Inc. v. Pacific Ins. Co., Ltd., 439 F. Supp. 2d 831 (W.D. Tenn. 2006).
[106] Southeast Mental Health Center, 439 F. Supp. 2d at 837–38.
[107] Vonage Holdings Corp. v. Hartford Fire Ins. Co., No. 11-6187, 2012 U.S. Dist. LEXIS 44401 (D.N.J. Mar. 29, 2012).
[108] Vonage Holdings Corp., 2012 U.S. Dist. LEXIS 44401, at *10.
[109] Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. CIV 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. Apr. 18, 2000).
[110] Ingram Micro, Inc., 2000 U.S. Dist. LEXIS 7299, at *6.
[111] Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).
[112] Eyeblaster, Inc., 613 F.3d at 800.
[113] Eyeblaster, Inc., 613 F.3d at 804–05.
[114] Eyeblaster, Inc., 613 F.3d at 804.