The Complex World of Cyber Claims
While the notion of cyber claims traditionally brings to mind an image of hackers sitting in a dark room trying to gain access to networks containing valuable information, the recent increase in data security breaches has taught us that cyber claims are not limited to this single cause. The Ponemon Institute, an independent research organization specializing in information security research,[12] [BN1] reports that, in 2013, 30 percent of data breaches, internationally, were caused by negligent employees or contractors.[13] This is the scenario that gave rise to the 2013 event experienced by Target. And, perhaps surprisingly to most, the criminal or malicious attacks we so often think of were reported as accounting for only 42 percent of all international data breaches during that same period.[14] Still not far behind are glitches within computer systems and other business process failures—scenarios that made up the remaining 29 percent of international data breaches in 2013.[15] It is this array of backdrops against which cyber claims may arise that present the varied answers to the question of whether a commercial general liability (CGL) policy provides coverage for the damages that result.
What Do CGL Policies Say about Publication?
In the wake of high-profile security breaches like those encountered by Sony, Adobe, and Target, the insurance community has come to recognize the need for cyber-specific insurance coverage. But that does not change the fact that such products were scarcely available, and even less often purchased, just a few years ago. As a result, policyholders facing a cyber claim have been left to look to their CGL insurance policies—in particular the personal and advertising injury coverage found in those policies—in hopes of finding coverage for their losses.
While the precise language triggering personal and advertising injury coverage can vary, typically the applicable insuring agreement provides that the insurer will pay for damages caused by “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”[16] At first glance, this seems like a fairly straightforward insuring agreement. But what has become increasingly clear as more and more data-related claims are brought under these policies is that there is little agreement regarding what constitutes the publication of electronic data sufficient to trigger this insuring agreement. In asking courts to interpret this undefined term, a number of questions have arisen: How many people must be able to access the information for publication to have occurred? Is it enough that the person about whom the information pertains sees that the information is exposed, or must a third party actually view it? And does it matter who does the publishing—the insured or a third party? No single clear answer has emerged with respect to any of these issues, raising the larger question: What really does constitute publication?
Why So Much Confusion over One Little Word?
Is third-party access necessary to create a publication? By far, the most litigated publication issue to date is whether a third party must actually access information in order for it to be considered to have been published. In fact, this issue received significant notice from the insurance bar and many courts prior to the recent uptick in data-related claims. The Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA), and the Fair and Accurate Credit Card Transaction Act (FACTA) provided ample basis for courts to consider this issue long before data breach claims made their recent rise.[17]
One of the earliest cases to address the issue of publication as it applied to the world of the Internet and the protection of public information was Netscape Communications Corp. v. Federal Insurance Co.[18] Netscape sought defense and indemnity from Federal in connection with a suit brought by Netscape users alleging that Netscape’s SmartDownload software violated the users’ privacy by collecting, storing, and disclosing to Netscape information about the users’ Internet usage.[19] Among the offenses insured against by the policy issued by Federal was “[m]aking known to any person or organization written or spoken material that violates a person’s right to privacy.”[20] In a very brief opinion, the Ninth Circuit held that the underlying complaint sufficiently alleged that Netscape had committed a “personal injury offense” within the definition of the policy by intercepting and internally disseminating private online communications.[21] The fact that the language of the relevant provision stated that disclosure to “any” person or organization would constitute the covered offense, the court stated, was the dispositive factor in this conclusion.[22]
Does it matter who does the publishing? On the other side of the equation, questions arise regarding who it is that must publish the accessed information in order for coverage to be triggered. The type of cyber claim involved—whether it arises out of the insured’s oversight or negligence (in which case the insured has some fault in the incident) or results from an attack by hackers (in which case the insured is an innocent victim)—is often determinative of this question.
Hoping to find coverage for the significant damages that can result from a data-related breach, insureds have taken the position that the insuring agreement applicable to personal and advertising injury coverage is triggered by any publication of material—whether made by the insured or by some third-party thief or hacker. This argument is often rooted in the “in any manner” language frequently found in the insuring agreement: “Oral or written publication, in any manner, of material that violates a person’s right of privacy.”[23] According to policyholders, the inclusion of this language necessitates a broad interpretation of the insuring agreement and its intended coverage.[24] “In any manner,” they argue, includes not only the method of the publication (by newspaper, Internet site, or otherwise) but also the persons responsible for making that publication.
On the other hand, insurers have argued that “Coverage B Personal and Advertising Injury Liability” is triggered only when a cyber claim arises from the insured’s conduct and that the underlying suit must allege that the insured’s conduct is what led to the covered offense. And insurers have found success in this position before several courts. While not in the cyber claim context, the West Virginia Supreme Court of Appeals held that there was no coverage for a claim that the insured induced a physician to breach his fiduciary duty because there was no oral or written publication of material that violated a person’s right to coverage.[25] The court concluded that coverage under this provision would be triggered only by allegations that the insured itself published material that invaded another’s right of privacy.[26] It is not enough that the insured played some role in ensuring that an uninsured third party published such material.[27] The court held that the “policy was not written to cover publication by a third-party” and no coverage existed with respect to this claim.[28] Other courts have reached similar rulings with respect to other types of personal and advertising injuries.[29]
The same result was reached earlier this year in Zurich American Insurance Co. v. Sony Corporation of America,[30] the coverage case that arose following the 2011 cyber attack on Sony’s PlayStation Network. Sony, focusing on the “in any manner” language of this provision, argued that it was of no consequence whether the publication was made by the policyholder or a third party (in this case, the hackers who accessed the Sony database).[31] “[T]he policy grants coverage for publication in any manner that violates the right to privacy,” counsel for Sony stated during oral argument.[32] “If they had wanted it only to apply to the policyholder, they could have done that.”[33] But the court disagreed. While it held that there had been a publication within the meaning of the policy, the critical issue, it stated, was whether or not the publication had been perpetrated by Sony.[34] “[T]he cases are clear about that,” the court stated, “the policyholder has to act.”[35] Thus, there could be no coverage under the relevant provision for a publication perpetrated by a third party. “And in this case it is without doubt in my mind, my finding is that the hackers did [the publication].”[36]
Does it matter where the information is displayed or how it is used? Although less often litigated, there is the question of to what extent, if at all, personal information that has been accessed must be displayed to the public for a covered publication to have occurred. Is it enough that hackers steal data for their personal use (for example, to make credit card purchases using account information that is not theirs), or must they post it on a blog, message board, or other website? Were this issue to be litigated, it seems more than likely that insurers will strictly interpret the term “publication,” arguing that a duty to defend is triggered only if allegations are made that the accessed information was displayed somewhere that the public (not just those who accessed it) could view it. Meanwhile, it can be expected that policyholders will encourage courts to find that a publication of private information can occur even if there is no actual display of that information to anyone other than the hackers or thieves themselves.
Conclusion
In light of the uncertainty about the scope of coverage for cybersecurity breaches under Coverage B, it is unsurprising that the Insurance Services Office (ISO) has recently introduced an endorsement that endeavors to curb the rise of such claims under standard CGL policies. Form CG 21 06 05 14, Exclusion—Access or Disclosure of Confidential or Personal Information and Data-Related Liability—With Limited Bodily Injury Exception, specifically excludes coverage for personal and advertising injury “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information. . . .”[37] The exclusion applies “even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.”
Although this endorsement appears likely to quell the rash of litigation on this topic in the future, insurers and businesses still face great uncertainty with respect to the scope of Coverage B. And while there is no general consensus as to whether those affected by data security issues will find coverage for what can quickly result in substantial losses, one thing is certain—there is a real and growing threat in the world of cybersecurity and no person or business is immune.
Keywords: publication, breach, data, security
Kathryn E. Kasper is a director with Hancock, Daniel, Johnson & Nagle, PC, in Richmond, Virginia.
[1] Kathryn E. Kasper is a director with Hancock, Daniel, Johnson & Nagle, PC, in Richmond, Virginia. She represents insurance companies in complex coverage litigation in numerous state and federal courts, including courts in Virginia, North Carolina, and the District of Columbia. She also advises insurers on a variety of coverage matters, such as policy rescission, extra-contractual liability avoidance, as well as the duty to defend and reservation of rights. Her practice involves a wide range of insurance coverages, including commercial general liability, professional liability, technology errors and omissions liability, directors’ and officers’ liability, fiduciary liability, commercial automobile/garage, auto, workers’ compensation, umbrella, property, business interruption, and various specialty coverages.
[2] Sid Shuman, “Update: PlayStation Network Is Back Online,” PlayStation.Blog (Aug. 24, 2014).
[3] Paul Tassi, “PSN Down as Sony, Blizzard, Riot and Others Are under Siege by Hackers,” Forbes,Aug. 24, 2014.
[4] Paul Tassi, “Hackers Ground Sony Executive’s Flight with Bomb-Threat Tweet,” Forbes,Aug. 24, 2014).
[5] Tassi, supra note 3.
[6] Nicole Perlroth, “JPMorgan and Other Banks Struck by Hackers,” N.Y. Times, Aug. 27, 2014.
[7] Perlroth, supra note 5.
[8] Perlroth, supra note 5.
[9] Chris Strohm, “From Russia with Love: JPMorgan Hack May Be Warning, Says Former NSA Chief,” Bloomberg (Sept. 3, 2014).
[10] Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011, 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. Feb. 21, 2014).
[11] See, e.g., Arch Ins. Co. v. Michaels Stores, Inc., No. 1:12-CV-00786 (N.D. Ill. dismissed July 3, 2013).
[12] Ponemon Inst., http://www.ponemon.org/ (last visited Sept. 8, 2014).
[13] Ponemon Inst., 2014 Cost of Data Breach Study: Global Analysis 8 (May 2014).
[14] Ponemon Inst., supra note 12, at 8.
[15] Ponemon Inst., supra note 12, at 8.
[16] ISO Form CG 00 01 10 01 (2000), V, § 14.
[17] Creative Hospitality Ventures, Inc. v. U.S. Liab. Ins. Co., 444 F. App’x 370, 376 (11th Cir. 2011) (holding that an insured’s issuance of sales receipts to customers revealing more than five digits of the customer’s credit card number or the card’s expiration date in violation of FACTA was not a “publication” sufficient to trigger coverage because “providing a customer a contemporaneous record of a retail transaction involves no dissemination of information to the general public” as the receipt is provided only to the customer); Am. Ins. Co. v. Fieldstone Mortg. Co., No. CCB-06-2055, 2007 U.S. Dist. LEXIS 81570, at *13 (D. Md. Oct. 26, 2007) (holding that there was coverage for alleged violations of the FCRA because sending pre-screened credit offers fell within the plain meaning of “publication”—“the act of publishing, or to produce or release for distribution”—which did not require the divulging of information to a third party); Pietras v. Sentry Ins. Co., No. 06 C 3576 , 2007 U.S. Dist. LEXIS 16015, at *10 (N.D. Ill. Mar. 6, 2007) (holding that there was coverage for the insureds’ alleged violations of the FCRA due to inappropriately accessing consumer credit reports and mailing solicitations for preapproved loans to those individuals whose credit reports have been accessed because “‘publication’ in a policy providing coverage for ‘advertising injury’ includes communication to as few as one person. . . .”). See also Park Univ. Enters. v. Am. Cas. Co., 442 F.3d 1239 (10th Cir. 2006); Whole Enchilada, Inc. v. Travelers Prop. Cas. Co. of Am., 581 F. Supp. 2d 677, 697 (W.D. Pa. 2008) (denying coverage for alleged violations of FACTA because there was no “publication”—defined as “made generally known, publicly announced, [or] disseminated to the public”—because the receipts were given only to the customers themselves); Columbia Cas. Co. v. Hiar Holding, L.L.C., 411 S.W.3d 258 (Mo. 2013); Penzer v. Transp. Ins. Co., 29 So. 3d 1000 (Fla. 2010) (defining publication as communication of information to the public or the act or process of issuing copies for general distribution to the public and holding that sending unsolicited blast faxes to the plaintiff and others constituted a publication within this definition, triggering coverage); Valley Forge Ins. Co. v. Swiderski Elecs., Inc., 860 N.E.2d 307 (Ill. 2006) (holding that the plain meaning of the word “publication”—defined as communication or distribution of copies to the public—was implicated where the insured sent unsolicited facsimile advertisements, bringing claims for resulting violations of the TCPA within the coverage of the “advertising injury” coverage of the insured’s policy).
[18] 343 F. App’x 271 (9th Cir. 2009).
[19] Netscape Commc’ns Corp. v. Fed. Ins. Co., No. C -06-00198 JW, 2007 U.S. Dist. LEXIS 78400, at *3–4 (N.D. Cal. Oct. 10, 2007).
[20] Netscape, 2007 U.S. Dist. LEXIS 78400,at *5.
[21] Netscape, 343 F. App’x at 272.
[22] Netscape, 343 F. App’x at 272.
[23] See, e.g., ISO Form CG 00 01 12 07, at 14.
[24] See Nat’l Gypsum Co. v. Prostok, No. 3:98-CV-0869-P, 2000 U.S. Dist. LEXIS 16174, at *60–61 (N.D. Tex. Oct. 5, 2000) (“The word ‘any’ is a broad word. ‘A more comprehensive word than ‘any’ could hardly be employed. It means indiscriminate, or without limitation or restriction.’”) (quoting Commonwealth v. One 1939 Cadillac Sedan, 45 A.2d 406, 409 (Pa. Super. Ct. 1946)).
[25] Butts v. Royal Vendors, Inc., 504 S.E.2d 911, 917 (W.Va. 1998).
[26] Butts, 504 S.E.2d at 917.
[27] Butts, 504 S.E.2d at 917.
[28] Butts, 504 S.E.2d at 917.
[29] See Dryden Oil Co. of New England, Inc. v. Travelers Indem. Co., 91 F.3d 278, 286 (1st Cir. 1996) (“personal injury liability coverage obligates the insurer to indemnify for liability incurred for certain intentional acts by the insured”); Cnty. of Columbia v. Cont’l Ins. Co., 83 N.Y.2d 618, 627 (N.Y. 1994) (“[C]overage under the personal injury endorsement provision in question was intended to reach only purposeful acts undertaken by the insured or its agents.”).
[30] 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. Feb. 21, 2014).
[31] Transcript of February 21, 2014, Hearing on Defendants’ Motion for Partial Summary Judgment at 33 (lines 10–23), Zurich Am. Ins. Co. v. Sony Corp. of Am., 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. Feb. 21, 2014).
[32] Transcript, supra note 30, at 33 (lines 10–12).
[33] Transcript, supra note 30, at 33 (lines 15–17).
[34] Transcript, supra note 30, at 76 (lines 18–26), 77 (lines 2–11).
[35] Transcript, supra note 30, at 76 (line 5).
[36] Transcript, supra note 30, at 78 (lines 11–12).
[37] ISO Form CG 21 06 05 14, at 1.