September 14, 2017

The Evolution of Cyber Coverage Law: A Survey of Critical Decisions and the Market’s Response

Lorraine A. Armenti and Steven D. Cantarutti [[1]] – November 21, 2016

Until a few years ago, the coverage world was barely cognizant of cyber attacks or mega data breaches, let alone cyber insurance. While cyber-specific forms or policies were initially underwritten in anticipation of the Y2K bug, it was hardly on the radar for most policyholders thereafter and for good reason: The risks seemed too remote to affect a risk manager’s decision to purchase such insurance. It also did not help that cyber-specific insurance in the 2000s lacked consistency, had high deductibles or premiums, or had insufficient limits. Thus, there was little appetite on the policyholder or insurer side to purchase or develop a robust new coverage program for cyber-specific risks.

That dynamic abruptly changed by the turn of this decade when a cluster of highly publicized cyber attacks occurred, such as those against Sony, Target, Home Depot, and, more recently, Anthem. The risks were no longer too remote for risk managers to ignore. Companies suffering a data breach faced significant first- and third-party losses, which, in turn, exposed company executives and their board members. Companies also scrambled to secure coverage under so-called traditional policies, such as comprehensive general liability (CGL) policies. Insurers, in turn, argued that such risks fell outside the underwriting intent of these policies.

With the battle lines drawn, a perfect storm developed in the courts and in the insurance market, both of which we will explore. We first examine the critical and key decisions for cyber coverage under CGL policies. We then examine the market’s response to these decisions and how the battle over cyber coverage has shifted to cyber-specific policies.

Key Decisions under CGL Policies

Although courts have issued significant decisions involving cyber risks under other types of insurance forms or policies,[[2]] most of the battles over cyber coverage under traditional policies involve CGL policies because they have been a staple in the insurance market for several decades. These CGL cases have frequently turned on the “publication” requirement. However, another significant issue to emerge is whether the loss of personally identifiable information (PII) or electronic data falls within the meaning of “property damage.”

Must the insured affirmatively cause the publication? One of the first and critical areas to emerge involving coverage for cyber losses under CGL policies was the issue of whether the insured had to affirmatively cause the “publication” of the PII in order to obtain coverage. The leading case on that issue is Zurich American Insurance Co. v. Sony Corp. of America,[[3]] a New York trial court decision that rocked the coverage world when it came down. In that case, the trial court held that Sony did not have coverage under its primary CGL policies for the cyber attacks perpetrated against its online networks in April 2011.[[4]] The critical issue was whether the numerous class action complaints against Sony alleged a potentially covered offense within Coverage B, Personal and Advertising Injury.

Sony argued that even though the disclosure of the customers’ PII was caused by criminal hackers, the allegations in the complaints triggered the Coverage B offense for an “oral or written publication, in any manner, of material that violates a person’s right of privacy” (the “publication offense”). Sony argued that the complaints included allegations of negligence in failing to protect the PII or in preventing the cyber attacks, and also alleged that the PII had been disclosed in violation of the customers’ privacy rights. In other words, Sony argued that the publication offense should be construed broadly to include its negligent acts.

The trial court, however, rejected Sony’s arguments and instead agreed with the insurers that coverage under the publication offense “requires the policyholder to perpetrate or commit the act” of a publication, and the policy language “cannot be expanded to include 3rd party acts.”[[5]] In so deciding, the trial court found that in order to afford coverage, it would have to rewrite the policy language.[[6]] The trial court also found it dispositive that other “cases are clear . . . that[] the policyholder has to act” before coverage may be triggered within Coverage B.[[7]]

The trial court next found that each of the class action complaints contained allegations of hacking incidents by the criminal hackers, who had stolen PII that Sony had intended to keep safe. Although the trial court held that a publication had occurred once the PII was accessed by the criminal hackers, it concluded that the publication offense could not be expanded (as Sony argued) to allegations of negligence leading to a publication caused by third parties. Accordingly, the trial court found that the publication was not caused by Sony; rather, it was caused by criminal hackers, and this did not trigger coverage under the CGL policies.[[8]]

Those on the policyholders’ side have been critical of the Sony Corp. decision, contending, among other things, that the publication offense does not specify who must perform the act of the publication, and the term “in any manner” arguably means that the publication can be made by anyone. At the very least, policyholders argue that the language is ambiguous and should be construed in favor of coverage.

However, the New York trial court declined to treat the publication offense differently from the other enumerated tort offenses, and it also found that the term “in any manner” refers to the medium of the publication (e.g., by fax, by email), not by whom the information may be publicized.[[9]] The New York trial court’s decision is also consistent with many other decisions interpreting Coverage B, including the New York Court of Appeals’ decision in County of Columbia v. Continental Insurance Co.[[10]] Although County of Columbia involved a pollution claim, the court of appeals determined that the entire Coverage B personal injury endorsement “was intended to reach only purposeful acts undertaken by the insured or its agents.”[[11]]  In other words, the publication offense covers only acts of commission by the insured, not acts of omission. The rationale of County of Columbia has been followed or adopted by many other courts across the country.[[12]]

What is the meaning of a “publication”? Another critical issue involving the publication offense is the meaning of the term “publication,” which is typically not defined in CGL policies. For example, does the publication have to be widely disseminated to the public or is it sufficient for one individual to merely have access to the information? Another related question is whether the information disseminated needs to be actually accessed or only potentially accessible by a third party. Cases addressing these issues are Recall Total Information Management, Inc. v. Federal Insurance Co. [[13]] and Travelers Indemnity Co. of America v. Portal Healthcare Solutions [[14]].

In Recall Total, the Connecticut Supreme Court affirmed the appellate court’s decision that there was no coverage under the publication offense in the absence of any allegations that the information was accessed by an unauthorized third party. The “publication” at issue allegedly occurred when 130 IBM computer tapes containing PII of current and former employees were lost while in transport to another facility.[[15]] The appellate court rejected the insureds’ arguments that the mere loss of the tapes constituted a “publication” or that it may have been “published” to the thief. Rather, the appellate court found that regardless of the precise meaning of the term “publication,” access to the information “is a necessary prerequisite” in order to find a “publication.”[[16]] In the absence of evidence that the tapes were accessed by anyone, the appellate court held that the insureds failed to meet their burden. The Connecticut Supreme Court’s affirmance of that decision was succinct, holding that it was “well-reasoned” and that it “would serve no purpose for us to repeat the discussion therein.”[[17]]

In contrast, the U.S. Court of Appeals for the Fourth Circuit in Portal Healthcare recently affirmed the district court’s decision that a publication had occurred even though there was no evidence of anyone accessing the confidential medical records on the Internet, other than the patients themselves. The district court reasoned that the term “publication” did not depend on the publisher’s intent, as the insurer had argued. Rather, it held that a “publication occurs” as long as the information is “placed before the public” and is not dependent on whether “a member of the public reads the information placed before it.”[[18]] The Fourth Circuit “commend[ed] the district court for its sound legal analysis” and rejected the insurer’s “efforts to parse alternative dictionary definitions” in order to avoid defending the policyholder.[[19]]

The Fourth Circuit’s rationale in Portal Healthcare is similar to the rationale in Sony Corp., in which the New York trial court held that a publication occurs when information “comes out of the vault,” whether or not it is actually used by anyone.[[20]] Nonetheless, it is notable that there was no issue in Portal Healthcare that the publication was caused by the insured, whereas in Sony Corp., the trial court found the publication was made by criminal hackers. For that reason, these cases must be viewed under this critical factual distinction.

Do statutory violations trigger the publication offense? A third line of cases involving CGL coverage turns on the exclusions in the policies. CGL policies often contain exclusions within Coverage B for statutory violations, and these can come into play even if a court determines that the publication requirement is satisfied.[[21]]

For example, in National Union Fire Insurance Co. of Pittsburgh, Pa. v. Coinstar, Inc.,[[22]] the insured faced two class action lawsuits after its subsidiary, Redbox, had collected and used its customers’ PII without their consent. In the first lawsuit, the consumers alleged violations under Michigan’s Video Rental Privacy Act (VRPA),[[23]] which prohibits the disclosure of any “record[s] or information concerning the purchase, lease, rental, or borrowing” of a video recording to any person other than the customer. The district court found that “because Exclusion (p) excludes from coverage any loss arising from the violation of a statute that ‘addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever,’” coverage for claims arising under the VRPA was barred.[[24]] In other words, the alleged disclosure of PII to noncustomers was found to fall squarely within the exclusion’s enumerated activities.[[25]]

In the second lawsuit, the consumers alleged a violation under California’s Song-Beverly Credit Card Act,[[26]] which “prohibits an entity from requesting or requiring [PII] from the holder of a credit card.”[[27]] The district court found that the alleged wrongful collection of PII was not an excluded activity within exclusion (p). However, the district court went on to hold that because the Song-Beverly Act “is not concerned with, and does not prohibit, the publication of any information,” the lawsuit did not trigger coverage under the publication offense.[[28]]

In contrast, the U.S. District Court for the Central District of California in Hartford Casualty Insurance Co. v. Corcino & Associates[[29]] rejected the insurer’s argument that the exclusion barred statutory claims that prohibited the disclosure of private medical information.[[30]] The court held that the exclusion at issue “applies if, and only if, a claim, arises out of the invasion of a private right that is created by statute” and there was an exception for liability for “damages that the insured would have in the absence of such state or federal act.”[[31]] In examining the statutes and privacy rights, the court found that California has a long history of recognizing “both a constitutional privacy right and a common law tort cause of action for violations of the right to privacy.”[[32]] As a result, the court concluded that the statutes were not intended to “create new privacy rights, but rather to codify existing rights” so as to fall within the exclusion’s exception.[[33]]

Both decisions illustrate how claims based on statutory violations may be barred from coverage should they fall within a Coverage B exclusion. However, the enforcement of these exclusions is not uniform and depends largely on the nature of the alleged statutory violations (Coinstar) or whether there is an exception that would preclude its application (Corcino).

What about coverage for property damage? While much of the focus for cyber coverage under CGL policies has been on the publication offense, another contentious, but not insignificant, coverage battle has been whether the loss of PII or electronic data qualifies as “property damage.” CGL policies typically define “property damage” to include physical injury to tangible property, including loss of use of that property or loss of use of tangible property that is not physically injured. Most CGL policies contain definitions or exclusions that exclude “electronic data” as being tangible property. Despite the clear intent of the policy language, courts appear split on the issue of whether electronic data are excluded.

In Carolina Casualty Insurance Co. v. Red Coats, Inc.,[[34]] the district court rejected the policyholder’s argument that the theft of laptops, which contained PII belonging to thousands of its client’s members, constituted property damage as defined in the CGL policies.[[35]] The district court explained that the theft itself did not render the PII unusable or lost, and that the policy expressly excluded “electronic data” from the definition of “property damage.” As the district court explained,

the problem was not that the HIPAA information was lost or rendered unusable. To the contrary, the problem was that it was useable and exploitable by third parties. Also, the loss of use of the laptops was not the problem—[the client] has a lot of other laptops—the problem was that others could access the HIPAA data. At best, the only coverage would be [the] cost of getting new laptops; there would be no coverage for the HIPAA information and any other data or programs on them, since they would represent electronic data, which is expressly excluded from coverage. Simply put, this is not property damage in any “man on the street” definition of the term.[[36]]

The U.S. Court of Appeals for the Eleventh Circuit vacated this decision and remanded the matter to the district court because the district court failed to properly analyze whether Florida or Maryland law applied.[[37]] The Eleventh Circuit explained that if the exclusion for “electronic data” is ambiguous, “then the difference between Florida and Maryland law may determine whether the insurer’s claim succeeds or fails.”[[38]] No further decision will be forthcoming, however, as the parties settled the case.

The district court in Nationwide Insurance Co. v. Hentz[[39]] addressed a similar factual scenario involving a CD-ROM that was stolen from the car of an insured accountant, although the insured sought coverage under her homeowner’s policy.[[40]] In surveying decisions made by other courts, the district court acknowledged that intangible losses are not considered “property damage” and that the language of the definition plainly excluded the loss of use of “purely intangible property.”[[41]] Nonetheless, the district court concluded that this was not a case in which someone had hacked into the insured’s computer system and had erased the data or had stolen the data without stealing the medium, which was tangible property. For that reason, the district court held that the insured “clearly suffered a ‘loss of use’ of that ‘tangible property’ when it was stolen from her car.”[[42]] We note that the homeowner’s policy at issue in Hentz did not appear to contain any language either within the definition of “property damage” or an exclusion explicitly stating that “electronic data” were not covered, which may have rendered a different result.[[43]]

The Current State of the Cyber Insurance Market

With a significant rise in reported cyber-related events the past few years, the evolving nature of the risks, and uncertainty whether there is coverage under traditional policies, the insurance market has seen a resounding transformation on two fronts. First, many insurers issuing CGL policies now include or incorporate ISO’s new exclusion endorsement, “Access or Disclosure of Confidential or Personal Information.” This endorsement, which is offered in three forms, bars coverage for injury or damage arising out of access to or disclosure of any person’s or organization’s confidential information.[[44]] Although insurers have all along argued that cyber risks were never intended to be covered within the CGL coverage form, this endorsement essentially shuts the door for insureds to argue otherwise.

At the same time, insurers have seized the opportunity to significantly develop and grow the market for stand-alone cyber insurance policies. According to the Marsh & McLennan Companies, the number of U.S.-based clients purchasing stand-alone cyber insurance policies has grown by an average of about 27 percent each year between 2012 and 2015.[[45]] The global market for stand-alone cyber insurance in 2015 has been estimated at around $1.5 billion in gross written premiums, with the U.S. accounting for the overwhelming majority of the market—about $1 billion in premiums.[[46]] Some analysts predict that the gross written premiums from stand-alone cyber policies may triple to $7.5 billion by 2020 in the U.S. market.

Approximately 60 insurers worldwide now underwrite cyber-specific policies, and many others include endorsements in existing policies.[[47]] Stand-alone cyber insurance policies offer first-party coverage (covering the insured’s own losses), third-party coverage (covering defense and indemnity costs from third-party liabilities), or both.[[48]] They are written in manuscript forms, and for that reason, the terms and conditions can vary significantly in each policy. For example, coverage in some policies may be limited to damages arising from unauthorized access to PII. As a result, this type of insurance would not afford coverage for accidental disclosures by those authorized to access the information (e.g., the inadvertent posting of private health information on the Internet in Portal Healthcare). Other cyber insurance policies may offer broader protection to include damages resulting from any type of access or disclosure.

Like other types of insurance programs, stand-alone cyber insurance policies contain exclusions. For example, most exclude losses due to bodily injury, property damage, acts of war or terrorism, or intentional acts. As we discuss in the next section, some may also include exclusions for failing to maintain appropriate cybersecurity practices. Stand-alone insurance policies may also have sub-limits on certain coverages, such as crisis management, notification costs, and regulatory investigations or actions. Because the types of insurance can vary significantly in each policy, policyholders are well advised to work closely with their brokers as well as other experts, such as cybersecurity consultants, to determine the most appropriate cyber insurance program for their business.

The New Battlegrounds for Cyber Insurance

The growth of the cyber insurance market has given rise to new battlegrounds between policyholders and insurers. This is due to the untested and varying cyber insurance forms. In many ways, we are beginning to see a new emerging area of law that will help shape the boundaries of this relatively new market for years to come.

In perhaps the first reported decision examining a stand-alone cyber insurance policy, coverage turned on whether the underlying complaint alleged an “error, omission or negligent act” by the policyholder. In Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc.,[[49]] the district court held that there was no duty to defend the insureds (Federal Recovery) under a “CyberFirst Policy,” which included a Technology Errors and Omissions Liability Form. The plaintiff in the underlying lawsuit alleged that Federal Recovery refused to transfer electronic billing data until certain compensation demands were satisfied. Federal Recovery argued in the coverage action that the plaintiff’s claim was “broad enough to encompass a possible error, omission or negligent act by [Federal Recovery].”[[50]]

The district court, however, found that the complaint did not allege that Federal Recovery had withheld the data because of an error, omission, or negligence. Rather, the complaint alleged that Federal Recovery had knowingly withheld the information and refused to turn it over unless certain demands were satisfied. As the district court explained, “[i]nstead of alleging errors, omissions or negligence, [the plaintiff] alleges knowledge, willfulness, and malice.”[[51]] Thus, because the allegations did not sound in negligence, the district court concluded that the insurer had no duty to defend Federal Recovery in the underlying lawsuit.[[52]]

A more recent decision also turned in large part on the scope of the coverage grant in a stand-alone cyber policy, but the coverage language was very different from that in Federal Recovery. The two cases exemplify the varied types of coverage that are available in the market and the types of disputes that can arise. In this recent case, P.F. Chang’s China Bistro Inc. v. Federal Insurance Co.,[[53]] the district court held that Federal did not have to cover more than $1.9 million in assessments that P.F. Chang’s had reimbursed its payment processor, Bank of America Merchant Services (BAMS), after the restaurant chain suffered a cyber attack that exposed more than 60,000 credit card numbers from several restaurants. P.F. Chang’s agreed to reimburse BAMS pursuant to a Master Services Agreement (MSA) that required payment for any fees, fines, penalties, or assessments imposed on BAMS.[[54]] Although Federal had paid more than $1.7 million in expenses associated with P.F. Chang’s forensic investigation of the breach and for defending P.F. Chang’s in third-party lawsuits, it denied coverage for the assessments based on various provisions within the insuring agreements and exclusions.

The court first addressed whether the claims triggered coverage under the insuring clause for “Privacy Injury.” In agreeing with Federal, the district court first held that because BAMS did not sustain a “Privacy Injury itself,” it could not “maintain a valid Claim for Injury against [P.F.] Chang’s” so as to establish coverage within Insuring Clause A. As the district court explained, a “Privacy Injury” claim requires an “actual or potential unauthorized access to such Person’s Record,” which did not occur because the information exposed was part of the credit card issuing banks’ record, not BAMS’ record.[[55]]

The district court also held that two exclusions (similar to the “contractual liability” exclusion found in CGL policies) and the definition of “loss” wholly barred coverage for any liability assumed by P.F. Chang’s.[[56]] The district court pointed to three places within the MSA where P.F. Chang’s agreed to reimburse or compensate BAMS for the assessments. The district court also rejected P.F. Chang’s argument that it would have been liable for the assessments in the absence of such an assumption, as there was no evidence in the record indicating that that was the case. Although the district court acknowledged that under Arizona law exclusions are to be narrowly construed, it ultimately concluded that “[s]imply put, these exclusions unequivocally bar coverage for the Assessments.”[[57]] P.F. Chang’s has indicated that it will appeal that decision to the U.S. Court of Appeals for the Ninth Circuit.

While Federal Recovery and P.F. Chang’s turned on the type of policy interpretation disputes over coverage grants and exclusions that will seem familiar to the insurance bar, stand-alone cyber policies can involve disputes that may feel somewhat less familiar. For example, in Columbia Casualty Co. v. Cottage Health Systems,[[58]] Columbia sought a declaratory judgment to enforce, among other things, a condition and exclusion in its “NetProtect360” cyber policy for Cottage Health’s failure to maintain minimum cybersecurity practices.[[59]] Columbia alleged that these provisions were enforceable because Cottage Health’s servers permitted unauthorized user access via the Internet, which resulted in the disclosure of approximately 32,500 patient records. Columbia also alleged that Cottage Health failed to continuously implement adequate procedures and risk controls identified in its application and had also failed to regularly check, maintain, and reassess its security systems in order to prevent the data breach.

The district court dismissed the lawsuit because Columbia failed to abide by the alternative dispute resolution provision.[[60]] Nonetheless, the case sparked an interesting debate on both sides of the insurance bar as to the viability of including the minimum cybersecurity practices exclusion or condition. Insureds argue that if there is no coverage for a data breach incident due to an error, such as the one in Cottage Health, the policy should be deemed illusory. Insurers, on the other hand, argue that such exclusions or conditions are not uncommon and point to industry-specific policies, such as environmental impairment liability policies, which have similar exclusions or conditions for noncompliance with the law or industry standards. This debate underscores one of the issues emerging in cyber insurance law.

           

Conclusion

The survey of cases and the market’s response discussed above are just a few examples of how far the cyber insurance market has transformed within the last few years. As the nature of cyber risks continues to evolve, so too will the market, with daunting challenges facing policyholders and insurers. Policyholders must anticipate and implement adequate cybersecurity practices, which is not easy given that cyber risks change almost daily. Policyholders must also understand the cyber insurance market in order to best mitigate their losses. Insurers, too, must adapt their forms and policies to the market. With a claims history that is relatively new and for the most part unpredictable, insurers may be reluctant to aggressively underwrite these risks. These and other challenges likely mean that the battles over cyber coverage will continue to intensify for the foreseeable future, with more litigation and the emergence of a new area of insurance law.

Keywords: litigation, insurance, cyber attack, data breach, cyber risk, property damage (Coverage A), personal and advertising injury (Coverage B), oral or written publication offense, electronic data exclusion, cyber insurance

Lorraine A. Armenti is a partner and Steven D. Cantarutti is of counsel with Coughlin Duffy LLP in Morristown, New Jersey.

 

[[1]] Lorraine A. Armenti is a partner and Steven D. Cantarutti is of counsel with Coughlin Duffy LLP. The views expressed in this article are their own and should not be construed as those expressed by their clients.

[[2]] See, e.g., Metro Brokers, Inc. v. Transp. Ins. Co., No. 14-12969, 2015 U.S. App. LEXIS 3473 (11th Cir. Mar. 5, 2015) (affirming district court’s decision that the fraudulent electronic transfer of funds fell outside the scope of coverage provided in a business policy that included first-party property coverage); Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (finding “Computer & Funds Transfer Fraud Coverage” endorsement was broad enough to cover all losses arising from a cyber attack involving the theft of customers’ credit card and checking account information).

[[3]] No. 651982/2011, 2014 N.Y. Misc. LEXIS 5141 (N.Y. Sup. Ct. Feb. 24, 2014). Coughlin Duffy LLP represented the plaintiffs, Zurich American Insurance Company and Zurich Insurance Company.

[[4]] The cyber attacks occurred against Sony’s PlayStation and SOE Networks, which exposed personal information belonging to over 100 million of Sony’s customers (one of the largest breaches reported to date).

[[5]] Sony Corp., 2014 N.Y. Misc. LEXIS 5141, at *70.

[[6]] Sony Corp., 2014 N.Y. Misc. LEXIS 5141, at *71–72.

[[7]] Sony Corp., 2014 N.Y. Misc. LEXIS 5141, at *68.

[[8]] Sony Corp., 2014 N.Y. Misc. LEXIS 5141, at *69–72. Although Sony appealed that decision, which was briefed and argued before the New York Appellate Division, First Department, the case was settled in April 2014.

[[9]] Sony Corp., 2014 N.Y. Misc. LEXIS 5141, at *68–70.

[[10]] 83 N.Y.2d 618 (N.Y. 1994), aff’g, 189 A.D.2d 391 (N.Y. App. Div.).

[[11]] County of Columbia, 83 N.Y.2d at 627.

[[12]] See, e.g., Harrow Prods. v. Liberty Mut. Ins. Co., 64 F.3d 1015, 1025 (6th Cir. 1995) (applying Michigan law) (“[a]s noted by the New York Court of Appeals [in County of Columbia], each enumerated tort in the personal injury clause requires an intentional act”); Gregory v. Tenn. Gas Pipeline Co., 948 F.2d 203, 209 (5th Cir. 1991) (“Each of the enumerated risks assumed [within the definition of ‘personal injury’ under Coverage B] requires active, intentional conduct by the insured”); Grain Dealers Mut. Ins. Co. v. Farmers Alliance Mut. Ins. Co., No. CIV-00-370-T, 2001 U.S. Dist. LEXIS 24299, at *21 (W.D. Okla. May 14, 2001) (adopting County of Columbia for proposition that torts enumerated in Coverage B “support the conclusion that ‘only purposeful acts were to fall within the purview of the personal injury endorsement.’”) (quoting County of Columbia, 83 N.Y.2d at 627); Buell Indus. v. Greater N.Y. Mut. Ins. Co., 791 A.2d 489, 510-11 (Conn. 2002) (agreeing with County of Columbia that “the personal injury provisions [in a CGL policy] were intended to reach only intentional acts by the insured”); Butts v. Royal Vendors, Inc., 504 S.E.2d 911, 917 (W. Va. 1998) (holding that publication offense requires act of publication to be committed by insured, not by third party). Notably, too, the Supreme Court of Delaware has ruled that personal injury coverage under Coverage B “clearly do[es] not extend coverage to negligence claims.” Liggett Grp. v. Ace Prop. & Cas. Ins. Co., 798 A.2d 1024, 1032 (Del. 2002).

[[13]] 115 A.3d 458 (Conn. 2015), aff’g, 83 A.3d 664 (Conn. App. Ct.).

[[14]] No. 14-1944, 2016 U.S. App. LEXIS 6554 (4th Cir. Apr. 11, 2016), aff’g, 35 F. Supp. 3d 765 (E.D. Va.).

[[15]] In Recall Total, the tapes fell out of the back of a truck onto the road and were never recovered by IBM.

[[16]] Recall Total, 83 A.3d at 672.

[[17]] Recall Total, 115 A.3d at 460.

[[18]] Portal Healthcare, 35 F. Supp. 3d at 770–71.

[[19]] Portal Healthcare, 2016 U.S. App. LEXIS 6554, at *5–6.

[[20]] Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011, 2014 N.Y. Misc. LEXIS 5141, at *37, *68 (N.Y. Sup. Ct. Feb. 24, 2014). Insurers point to other cases that have interpreted the meaning of a “publication” more narrowly to require a communication intended for the public or the act of distributing it to the public. See, e.g., Creative Hosp. Ventures, Inc. v. U.S. Liab. Ins. Co., 444 F. App’x 370, 376 (11th Cir. 2011) (holding that there was no publication if the insured “neither broadcasted nor disseminated the . . . information to the general public”); Ticknor v. Rouse’s Enters., LLC, 2 F. Supp. 3d 882, 896 (E.D. La. 2014) (“for there to be ‘publication’ under the ‘personal and advertising’ provision . . . the material must be made generally known, announced publicly, disseminated to the public, or released for distribution”); TIG Ins. Co. v. Dallas Basketball, Ltd., 129 S.W.3d 232, 238 (Tex. App. 2004) (“the word ‘publish’ is generally understood to mean disclose, circulate, or prepare and issue printed material for public distribution”).

[[21]] At least 47 states in the United States, plus Puerto Rico, the U.S. Virgin Islands, Guam, and Washington, D.C., have some form of data breach laws. Of those, 17 states or territories permit a private right of action against the violator. Other statutory laws, typically consumer protection or business practices statutes, are broad enough to also include a potential violation for data breach disclosures.

[[22]] 39 F. Supp. 3d 1149 (W.D. Wash. 2014).

[[23]] Mich. Comp. Laws § 445.1712.

[[24]] Coinstar, 39 F. Supp. 3d at 1156.

[[25]] Coinstar, 39 F. Supp. 3d at 1156.

[[26]] Cal. Civ. Proc. Code § 1747.08(a).

[[27]] Coinstar, 39 F. Supp. 3d at 1158.

[[28]] Coinstar, 39 F. Supp. 3d at 1158.

[[29]] No. CV 13-3728, 2013 U.S. Dist. LEXIS 152836 (C.D. Cal. Oct. 7, 2013).

[[30]] The statutes at issue were California Civil Code § 56.36 et seq. (the Confidentiality of Medical Information Act, or CMIA) and California Welfare & Institutions Code § 5330 et seq. (the Lanterman Petris Short Act, or LPS).

[[31]] Corcino, 2013 U.S. Dist. LEXIS 152836, at *11.

[[32]] Corcino, 2013 U.S. Dist. LEXIS 152836, at *12.

[[33]] Corcino, 2013 U.S. Dist. LEXIS 152836, at *13.

[[34]] No. 1:12-cv-00232, slip op. (N.D. Fla. Apr. 22, 2014).

[[35]] One of the security guards employed by Admiral had stolen several laptops from the client’s office, a Florida health insurer. The laptops contained PII belonging to thousands of the client’s members, exposing the client to violations under the Health Insurance Portability and Accountability Act (HIPAA) and other laws. As a result, the client sued Admiral, which, in turn, sought coverage from its CGL insurer.

[[36]] Red Coats, No. 1:12-cv-00232, slip op. at 10 (citations omitted).

[[37]] Carolina Cas. Ins. Co. v. Red Coats, 624 F. App’x 992, 995 (11th Cir. 2015).

[[38]] Red Coats, 624 F. App’x at 995. The Eleventh Circuit solely focused on the “electronic-data” exclusion instead of the definition of “property damage,” which was the focus of the district court’s decision.

[[39]] No. 11-cv-618, 2012 U.S. Dist. LEXIS 29181 (S.D. Ill. Mar. 6, 2012), aff’d on other grounds, 704 F.3d 522 (7th Cir. 2013).

[[40]] The lost CD-ROM contained PII belonging to members and beneficiaries of a pension fund. As in Red Coats, the insured sought coverage for the consequential damages incurred by the pension fund to protect those affected by the breach, such as notification costs, credit monitoring services, and insurance.

[[41]] Hentz, 2012 U.S. Dist. LEXIS 29181, at *10.

[[42]] Hentz, 2012 U.S. Dist. LEXIS 29181, at *11. Despite this ruling, the district court went on to hold that the “in the care of the insured” exclusion had applied to bar coverage for the claim. Nationwide Ins. Co. v. Hentz, 704 F.3d 522, 525–28 (7th Cir. 2013). The U.S. Court of Appeals for the Seventh Circuit has affirmed that portion of the district court’s decision, holding that the “in care of the insured” exclusion and a “business” exclusion applied, but the appellate court did not address the issue of whether the electronic data within the CD-ROM are deemed intangible property. Hentz, 704 F.3d at 525–28.

[[43]] In contrast, the trial court in Recall Total agreed with the insurers that the definition of “property damage” and the “electronic data” exclusion barred the claim because “there were no claims for actual damage to the tapes, the cost of the lost tapes or the cart.” Recall Total, 2012 Conn. Super. LEXIS 227, at *17. Instead, the trial court found the loss arose from preventative measures taken by IBM (i.e., setting up call center, notifying employees). Recall Total, 2012 Conn. Super. LEXIS 227, at *18. In citing other cases, the trial court concluded that “[t]his was not damage to tangible property” and also found the exclusion to be unambiguous. Recall Total, 2012 Conn. Super. LEXIS 227, at *18.

[[44]] The three exclusionary endorsement forms are as follows: (1) CG 21 06 05 14 Exclusion—Access Or Disclosure Of Confidential Or Personal Information and Data-Related Liability—With Limited Bodily Injury Exception; (2) CG 21 07 05 14 Exclusion—Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability—With Limited Bodily Injury Exception Not Included; and (3) CG 21 08 05 14 Exclusion—Access Or Disclosure of Confidential Or Personal Information (Coverage B only).

[[45]] See Marsh & McLennan Cos., Benchmarking Trends: Operational Risks Drive Cyber Insurance Purchases (last visited Oct. 10, 2016).

[[46]] Keith Kirkpatrick, “Cyber Policies on the Rise,” 58 Communications of the ACM, No. 10, Oct. 2015, at 21. Other analysts have estimated gross written premiums in 2014 to be over $2 billion for the U.S. market alone. See “U.S. Cyber Insurance Market Demonstrates Growth, Innovation in Wake of High Profile Data Breaches,” Ins. Info. Inst., Oct. 21, 2015.

[[47]] See “U.S. Cyber Insurance Market Demonstrates Growth, Innovation in Wake of High Profile Data Breaches,” Ins. Info. Inst., Oct. 21, 2015.

[[48]] First-party losses covered typically include the costs of forensic investigations, hiring outside counsel to handle breach responses, hiring a public relations firm to handle media communications, notifying affected individuals and regulators, offering credit monitoring services, setting up call centers, making extortion payments, paying card industry–related fines or penalties, business interruptions (e.g., paying for alternative network services, employee overtime, lost profits), and repairing or restoring compromised systems. Third-party losses covered typically include defense and indemnity costs associated with civil individual lawsuits and class actions, administrative and regulatory investigations and litigation (e.g., Federal Trade Commission or Securities Exchange Commission), and derivative lawsuits brought by shareholders.

[[49]] 103 F. Supp. 3d 1297 (D. Utah 2015).

[[50]] Travelers Property, 103 F. Supp. 3d at 1302.

[[51]] Travelers Property, 103 F. Supp. 3d at 1302.

[[52]] Travelers Property, 103 F. Supp. 3d at 1302.

[[53]] No. CV-15-01322, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. May 31, 2016).

[[54]] MasterCard initially imposed the assessments on BAMS, which included costs associated with fraudulent charges on the cards ($1,716,798.85), notifying affected cardholders ($163,122.72), and a case management fee ($50,000). BAMS then sought reimbursement from P.F. Chang’s pursuant to the MSA.

[[55]] P.F. Chang’s, 2016 U.S. Dist. LEXIS, at *12–15.

[[56]] P.F. Chang’s, 2016 U.S. Dist. LEXIS, at *22–24.

[[57]] P.F. Chang’s, 2016 U.S. Dist. LEXIS, at *25.

[[58]] Complaint for Declaratory Judgement and Reimbursement of Defense and Settlement Payments, Columbia Cas. Co. v. Cottage Health Sys., No. 15-cv-03432 (C.D. Cal. May 7, 2015).

[[59]] Columbia specifically argued that under an exclusion entitled “Failure to Follow Minimum Required Practices,” coverage was barred for “[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.” The cyber risk policy also contained the “Application” condition, which rendered the policy null and void in the event the insurance application contained any misrepresentations or omissions, as well as the “Minimum Required Practices” condition. Complaint for Declaratory Judgment and Reimbursement of Defense and Settlement at ¶¶ 39–44, Columbia Casualty, No. 15-cv-03432 (First Cause of Action).

[[60]] See Columbia Cas. Co. v. Cottage Health Sys., No. 15-cv-03432, 2015 U.S. Dist. LEXIS 93456 (C.D. Cal. July 17, 2015).

 
