With the growing awareness and magnitude of recent cyber- and privacy-related risks, the focus has now shifted to trying to insure adequately against these risks. The National Computer Security Survey[1] describes three different types of cybercrime:
- Cyberattacks are crimes in which the computer system is the target. Cyberattacks consist of computer viruses (including worms and Trojan horses), denial of service attacks, and electronic vandalism or sabotage.
- Cyber theft comprises crimes in which a computer is used to steal money or other things of value. Cyber theft includes embezzlement, fraud, theft of intellectual property, and theft of personal or financial data.
- Other computer security incidents encompass spyware, adware, hacking, phishing, spoofing, pinging, port scanning, and theft of other information, regardless of whether the breach was successful.
Cyber insurance has become a booming industry, but many policyholders still do not recognize the importance of having dedicated coverage, whether as a stand-alone policy or as part of a packaged policy.[2] Many insurers now extend coverage under traditional policies via computer or cyber endorsements. Insurers also offer stand-alone first-party and third-party coverage under cyber risk, privacy, or media liability policies. These policy forms, however, are still developing; and, as yet, there is no real consistency among the forms issued by different insurers.
Relying on traditional lines of coverage to insure against data and privacy risks, however, can prove a costly mistake. First, cyber-related exclusions are becoming industry standard across many lines of liability insurance policies.[3] The Insurance Services Office (ISO) has introduced an exclusionary endorsement for use with general liability policies, and many insurers in the specialty lines, such as management liability, employment liability, and professional liability insurance, are either making data and privacy exclusions standard or affording only limited coverage subject to small sublimits. Second, even for those liability policies issued without data or privacy exclusions, questions remain as to whether coverage is available for cyber- or privacy-related harms.
Commercial General Liability Policies
The most prevalent coverage dispute involves commercial general liability policies, which, among other things, insure against property damage, including loss of use of tangible property that is not physically injured, as well as the personal injury offense of invasion of privacy. In terms of property damage, the standard ISO general liability form defines property damage to exclude electronic data. But there are situations where a piece of hardware, such as a smartphone or laptop or even an internet-connected appliance, becomes unusable because of outside influences such as malware. It is arguable that in such scenarios there could be general liability coverage.
Case law on this issue, however, is mixed. Some courts have held that data can qualify as tangible property,[4] but these cases appear to be a distinct minority.[5] In one of the more high-profile cases to address coverage under a general liability policy, the Eighth Circuit Court of Appeals held that when a claimant’s computer became unusable because of spyware, this constituted “loss of use of tangible property” for the purpose of triggering coverage under a general liability policy, even though the insurer had no coverage obligation with respect to the lost data.[6] Absent any true loss of use, however, the property damage coverage part of a general liability policy will not respond to a cyber-related claim.[7]
Case law also has been mixed, and highly fact specific, on questions involving the personal injury offense of publication of material that allegedly violates a person’s right of privacy. Factors to be considered include how applicable law construes this offense (i.e., the right to privacy versus the right to be left alone), as well as whether the insured actually publishes private data or instead fails to protect data that is subsequently published by third parties.
Courts have also been split on the concept of what constitutes “publication.” Some courts have held that for coverage to be triggered, the insured must actually publish the claimant’s protected data, not merely have it stolen by a third party or lost altogether.[8] Similarly, in connection with the Sony PlayStation data breach, the court held that where hackers stole confidential user information and subsequently sold that information, the information had not been published by Sony for the purpose of triggering coverage under a general liability policy.[9] But there are instances where courts have found the publication requirement satisfied for matters involving privacy-related claims.[10] One example is Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, in which the court found coverage where the insured negligently allowed patient data to become searchable online to the public.[11]
While there may be limited coverage under general liability policies for data- and privacy-related claims, there is even less certainty under specialty lines. These policies are typically written on a claims-made and reported basis, and most of the policies now issued have been amended to preclude or limit coverage for such harms. For example, while an employers liability practice policy arguably would afford coverage for theft of an employee’s personal information or a management liability policy might be expected to afford broad coverage for any wrongful act, error, or omission, most of these policies now expressly exclude coverage altogether for privacy-related harms—or provide very small sublimits for such claims, typically on an excess basis.
And even in the absence of such exclusions, coverage may be extremely limited under specialty lines policies. For instance, under professional liability policies, there is a long line of cases limiting coverage to acts, errors, or omissions committed in connection with the insured activity, such as medical or legal services, rather than backroom functions such as maintaining client data.
Crime and fidelity policies may afford coverage for fraud-related events, even if the instrument of the fraud involves computers. An example of this is Retail Ventures, Inc. v. National Union Fire Insurance Co. of Pittsburgh, Pennsylvania, in which coverage was available under a crime policy where the theft of client credit card information was committed by computer fraud.[12] By contrast, however, in a very recent decision on this issue, the Eleventh Circuit Court of Appeals held that the theft of debit card information from an insured’s credit card information system was not insured under a computer fraud policy because the loss of money was not the direct result of the computer fraud but instead was several steps removed.[13]
Most cyber-related claims involve some degree of harm to the policyholder’s own data or systems, thus creating the need for first-party insurance in addition to third-party liability insurance. Some courts have found coverage for costs associated with restoring data or other losses associated with hacking under commercial property policies.[14] But this outcome is by no means a certainty. For example, a California state court held that lost data resulting from a crashed computer system was not insured under a property policy because the data was not tangible property.[15]
The gaps under the traditional lines of insurance, both liability and first-party, have fueled the need for dedicated cyber insurance. And as the liability scenarios have evolved and continue to evolve, so, too, has cyber coverage.
There is no “standard” cyber policy, but the typical cyber policy will afford first-party coverage extending from the forensics and investigation necessary following a breach to the costs associated with reporting the breach (if necessary) and to the costs necessary to remediate the breach (such as data restoration). Certain first-party policies may also cover the cost of business lost and additional expenses incurred due to an interruption of the insured’s computer systems. Other policies may provide coverage for extortion or “ransom” incidents. On the third-party side, cyber policies typically afford coverage for government investigations and/or prosecutions as well as claims that may be brought by third parties for harms resulting from the breach. These policies also may be packaged with other lines of coverage, such as professional liability insurance for media- or data-related risks. Given the market competition, most insurers will work with the brokers and insureds to ensure that the policy is suitably tailored to the insured’s profession and its likely risks.
One of the benefits of stand-alone cyber insurance is that even for scenarios where there may be overlapping coverage with other lines of insurance, cyber policies often have primary other-insurance clauses. This helps to ensure that insurance benefits that may otherwise be available under other insurance policies remain intact and available for a risk truly insured under that policy. In addition, cyber policies often have lower deductibles or retentions than other lines of insurance, which again ensures that cyber policies respond to cyber-related risks before other lines of insurance.
Evaluating Cyber Policies and Claims
Because cyber policies and endorsements vary significantly, it is important for any business to analyze carefully the scope of the coverage it is considering purchasing, or the scope of coverage available in the event of a cyberattack. A useful framework follows:[16]
- Does the policy apply to acts by this person?[17]
- Does the policy cover this act?[18]
- Does the policy bar coverage because of this person’s intent?[19]
- Does the policy cover this injury?[20]
- Does the policy limit coverage to losses that computer activity caused “directly”?[21]
Courts nationally continue to grapple with insurance coverage issues arising from the growing threat of cyberattacks. Specific policy coverages and exclusions differ; but even when they don’t, state courts have come to different conclusions with respect to analogous provisions. It is important to review carefully the policy form at issue and consider whether the applicable state’s courts have addressed the relevant language in evaluating any cyber claim.
2. According to one recent survey, 50 percent of U.S. companies do not have cyber insurance, and 27 percent of U.S. companies have no intention of purchasing such coverage. Why 27% of U.S. Firms Have No Plans to Buy Cyber Insurance, Ins. J. (May 31, 2017), http://www.insurancejournal.com/news/national/2017/05/31/452647.htm.
3. ISO Comments on CGL Endorsements for Data Breach Liability Exclusions, Ins. J. (July 18, 2014), http://www.insurancejournal.com/news/east/2014/07/18/332655.htm.
4. See, e.g., Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185, 2000 WL 726789 (D. Ariz. Apr. 18, 2000); Retail Sys., Inc. v. CNA Ins. Cos., 469 N.W.2d 735 (Minn. Ct. App. 1991).
5. See, e.g., RSVT Holdings, LLC v. Main St. Am. Assurance Co., 25 N.Y.S.3d 712 (App. Div. 2016) (concluding that electronic credit card data was not tangible property for the purpose of a general liability policy).
6. Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).
7. Ciber, Inc. v. Fed. Ins. Co., No. 16-cv-01957, 2018 WL 1203157 (D. Colo. Mar. 5, 2018) (distinguishing Eyeblaster where the insured failed to demonstrate any loss of use of the computer system or any computers or hardware).
8. See, e.g., Innovak Int’l, Inc. v. Hanover Ins. Co., 280 F. Supp. 3d 1340 (M.D. Fla. 2017); Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 83 A.3d 664 (Conn. App. Ct. 2014).
9. Transcript of Oral Argument, Zurich Am. Ins. v. Sony Corp. of Am., No. 651982/2011, 2014 WL 8382554 (N.Y. App. Div. Feb. 21, 2014).
10. See, e.g., Netscape Commc’ns Corp. v. Fed. Ins. Co., No. 06-cv-00198-JW, 2007 U.S. Dist. LEXIS 78400 (N.D. Cal. Oct. 10, 2007).
11. 644 F. App’x 245 (4th Cir. 2016).
12. 691 F.3d 821 (6th Cir. 2012).
13. Interactive Commc’ns Int’l, Inc. v. Great Am. Ins. Co., 731 F. App’x 929 (11th Cir. 2018).
14. See, e.g., NMS Servs. Inc. v. Hartford, 62 F. App’x 511 (4th Cir. 2003); Lambrecht & Assocs. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. Ct. App. 2003).
15. Ward Gen. Ins. Servs., Inc. v. Emp’rs Fire Ins. Co., 114 Cal. App. 4th 548 (Cal. Ct. App. Dec. 17, 2003).
16. See Alan Rutkin & Robert Tugander, Cybercrimes: How Courts Are Dealing with Insurance Implications of this Emerging Risk, 45 Brief, no. 4 (Summer 2016), at 14.
17. See Apps Commc’n, Inc. v. Hartford Cas. Ins. Co., No. 11 C 3994, 2011 WL 4905628 (N.D. Ill. Oct. 14, 2011) (dismissing complaint where the insured failed to allege a virus was introduced by someone other than an employee); Universal Am. Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 37 N.E.3d 78 (N.Y. 2015) (finding that loss arising from fraudulent information entered by authorized users was not covered); Milwaukee Area Tech. Coll. v. Frontier Adjusters of Milwaukee, 752 N.W.2d 396 (Wis. Ct. App. 2008) (concluding that unauthorized action by an authorized party was excluded from coverage).
18. See Vonage Holdings Corp. v. Hartford Fire Ins. Co., No. 11-6187, 2012 WL 1067694 (D.N.J. Mar. 29, 2012) (concluding that “transfer” need not be physical in order to be covered under the policy); Brightpoint, Inc. v. Zurich Am. Ins. Co., No. 1:04-CV-2085-SEB-JPG, 2006 WL 693377 (S.D. Ind. Mar. 10, 2006) (reasoning that “transfer” must be physical for coverage to apply); Northside Bank v. Am. Cas. Co. of Reading, No. GD 97-19482, 2001 WL 34090139 (Pa. Ct. Com. Pl. Jan. 10, 2001) (determining that the policy covered “hacking” but not simply using a computer).
19. See Lambrecht & Assocs., 119 S.W.3d 16 (determining that the intent of the insured, not the intent of the hacker, is relevant to an intentional acts exclusion).
20. See Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010) (determining that a frozen computer was a loss of use of tangible property); Vonage Holdings, 2012 WL 1067694 (concluding that loss of ability to use servers was a loss of property); Landmark Am. Ins. Co. v. Gulf Coast Analytical Labs., Inc., No. 10-809, 2012 WL 1094761 (M.D. La. Mar. 6, 2012) (reasoning that data is “physical” and “must be considered a corporeal movable or physical” property); State Auto Prop. & Cas. Ins. Co. v. Midw. Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001) (observing that data is not tangible property); Lambrecht & Assocs., 119 S.W.3d 16 (finding that destruction of the server, software, and data constituted physical loss).
21. See Tooling, Mfg. & Techs. Ass’n v. Hartford Fire Ins. Co., 693 F.3d 665 (6th Cir. 2012) (reasoning that “direct is direct”—i.e., the immediate cause); Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (finding that directly means the proximate cause of the loss).