chevron-down Created with Sketch Beta.
March 03, 2021 Feature

Screens Locked and Files Blocked—You Have That Covered, Right?

Margaret A. Reetz, Joanne L. Zimolzak, and Roberta Anderson Sutton

Know the ins and outs of the coverage provided to insure against cyber-related risks and consider the impact of both court decisions and evolving risk scenarios.

With the continuing threat from new and evolving cyber risks, entities will seek to pursue recovery for liabilities and losses from a variety of available sources.1 This is particularly true in light of recent events, with reports confirming that cyberattacks have increased precipitously during the COVID-19 pandemic as cybercriminals have attempted to exploit network vulnerabilities resulting from the increase in remote working environments.2

Although specific cyber policies have been in the marketplace for over two decades,3 not all entities have the most up-to-date policy forms, and not all entities purchased either specific cyber coverage or the relevant cyber coverage. As a result, much of the case law involving coverage for cyber risks has developed around other types of coverages, e.g., general liability, directors/officers, crime, and fidelity.4 However, it appears that disputes involving cyber-specific coverages are now also playing out in the courts, after years of anticipation regarding how some of these novel risks and policy forms would fare under judicial scrutiny.

Some of the takeaways from these disputes include the following:

  • Stakeholders may need to pay particular attention to definitions of certain common terms like “security failure” and “confidential information.”
  • Other terms that warrant a higher level of scrutiny include those involving the scope of regulatory coverages: Do the terms refer to “data privacy” regulations or “data security” regulations, or do the terms specify exactly which regulations would trigger coverage (e.g., General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), banking regulations, etc.)?
  • Even though some of the fact patterns appear to be novel, most courts will adhere to traditional principles, where ambiguities may be construed in favor of coverage and reasonable expectations are given due consideration.
  • Risk managers, brokers, and insurers may be pressed to focus on what the policyholder views as the “real” risk (e.g., disruption to systems versus systems that are entirely off-line or unusable).

Security Failure, Privacy Event, or Breach of Contract?

Dispute. In HUB Parking Technology USA, Inc. v. Illinois National Insurance Co., a policyholder and its insurer got into a dispute regarding whether a cybersecurity and privacy insurance policy provided coverage in connection with the exposure of customer credit card numbers at an airport parking facility.5 The underlying litigation stemmed from a putative consumer class action against an airport parking facility operator, which allegedly provided customers with computer-generated parking receipts that displayed eight digits of their credit cards—more than the four or five digits permitted under federal law. The parking facility operator joined HUB in the proposed class action by way of a third-party complaint, claiming that HUB—which develops, manufactures, installs, and provides after-sales services for parking access and revenue control systems—controlled the equipment/software involved in the relevant parking transactions and breached its contract to keep them working properly, in accordance with applicable law.

HUB tendered the third-party complaint to its insurer, Illinois National, requesting both defense and indemnity under its “CyberEdge Security and Privacy Liability Insurance” policy. After Illinois National denied coverage, HUB filed its coverage action in June 2019. HUB subsequently moved for summary judgment on grounds that the underlying action constituted a “Claim” alleging a “Security Failure” and/or a “Privacy Event” under the terms of the policy. Illinois National opposed the motion.

Coverage issues. The policy provided coverage for losses resulting from claims alleging a “Security Failure” or a “Privacy Event.” These key policy terms and others were defined as follows:

  • “Privacy Event” means, in relevant part, “any failure to protect Confidential Information” (including, e.g., information that could result in identity theft) and/or “any violation of a federal, state, foreign or local privacy statute” alleged in connection with such conduct.
  • “Security Failure” means, e.g., “a failure or violation of the security of a Computer System including, without limitation, that which results in or fails to mitigate any unauthorized access, unauthorized use, denial of service attack or receipt or transmission of a malicious code.”
  • “Confidential Information” includes “information from which an individual may be uniquely and reliably identified, including . . . account relationships [and] account numbers,” that is within the insured’s “care, custody or control” or for which the insured “is legally responsible.”6

HUB contended that the underlying lawsuit was the result of a failure to protect customers’ private information due to a failure of its computer system. In support of its position, HUB pointed to the parking facility operator’s allegations that HUB “fail[ed] to protect Confidential Information [i.e., credit card account numbers]” by allowing HUB’s parking equipment to print receipts containing more than the last four digits of the customers’ credit card numbers.7 HUB asserted that these allegations “fall squarely within the Policy’s definition of a ‘Privacy Event’ for which coverage should be afforded.”8 Further, HUB pointed to allegations that it violated the Fair and Accurate Credit Transactions Act of 2003 (FACTA)9—which (among other provisions) prohibits the printing of more than five digits of a customer’s credit card number or card expiration date on a receipt provided to the cardholder at the point-of-sale transaction—as evidence that the tendered third-party complaint constituted a “violation of a federal, state, foreign or local privacy statute alleged in connection with a Claim” and, therefore, constituted an additional ground for coverage under the policy.10

HUB further argued that under the policy, a security failure occurs where there is “a failure or violation of the security of a Computer System.”11 In its view, the printing of eight digits of a credit card number, as alleged, would constitute such a failure because the computer system responsible for generating and printing credit card receipts should print only four digits of a credit card number when operating properly. And, while HUB asserted that the referenced allegations fell squarely within the policy’s insuring agreement, it added that even the possibility that the loss arose from either a security failure or a privacy event was sufficient to trigger coverage under the policy.

Illinois National, for its part, disagreed that the underlying third-party complaint constituted a covered claim. First, the insurer maintained that the claim was not the result of unauthorized access to or an attack on HUB’s data or hardware, as it must be to constitute a security failure under the policy. Rather, Illinois National contended, it was HUB’s alleged failure to maintain its parking machines that caused the computer-generated receipts to include too many digits from customers’ credit cards. As such, Illinois National concluded, “This is not a Security Failure under the cyber policy.”12

Second, in terms of a potential privacy event, the policy required HUB to show that it had care, custody, or control of customers’ sensitive information that was then released. Whereas HUB argued that this was necessarily the case, given that the violative credit card information was eventually printed on customer receipts, Illinois National asserted that the mere passage of data through HUB’s equipment was not enough to establish the requisite control. As stated in Illinois National’s opposition brief, “[I]f one were to use a Hewlett-Packard printer to print out a list of social security numbers, it does not follow that Hewlett-Packard itself had ‘control’ or ‘custody’ over that personal information.”13 This is especially true, according to Illinois National, given that another company performed the actual payment processing: “There are no allegations in the Breach of Contract Suit that HUB had any involvement in the processing of customer payments.”14 Far from constituting a covered claim, the underlying litigation was viewed by Illinois National as the result of “a contract dispute between vendor and client,” which was not covered by the policy.15

Illinois National further contended that even if HUB could establish an event triggering coverage, the underlying lawsuit occurred prior to the policy’s “retroactive date” of February 6, 2015.16 In support of this alternative argument, Illinois National pointed to information purportedly adduced in discovery in the proposed class action, which indicated that the putative plaintiffs had received nonconforming receipts as far back as October 2013 and December 2014.

The court held a status conference in January 2020, at which it was decided to defer oral argument on the pending summary judgment motion and require the parties to engage in the court’s mandatory mediation process. The parties ultimately were able to settle their dispute, and the case was dismissed in June 2020—one year after the case was filed.

Commentary. Although the court did not have the opportunity to rule on HUB’s summary judgment motion, this case illustrates some of the coverage issues that may arise in the context of dedicated cybersecurity and privacy policies. Policyholders and their counsel may view the insurer’s position as stemming from an overly narrow reading of the key policy terms. The contrary view is that the insurer is merely insisting that the policy terms be accorded their plain meaning and given full force and effect. The key takeaway is, unsurprisingly, the importance for all stakeholders to review these kinds of policies and understand how certain terms, such as “security failure” and “confidential information,” are defined and interpreted.

$60 Million Consent Judgment for TCPA Violations Excluded

Underlying matter. In Horn v. Liberty Insurance Underwriters, Inc., the plaintiffs were originally the class representatives in a suit brought against iCan Benefit Group.17 Defendant iCan provided consumers with various choices of health insurance and provided guidance on health insurance options. The plaintiffs alleged that iCan (or someone acting on behalf of iCan) sent text messages, for which the receivers were charged a fee, for the purpose of selling iCan products/services, without the receivers’ prior written consent. The plaintiffs alleged these actions were in violation of the Telephone Consumer Protection Act (TCPA).18 The plaintiffs also alleged actual harm in the form of annoyance, nuisance, invasion of privacy, disturbance and loss of use and enjoyment of their telephones, wear and tear of their telephones’ hardware, and consumption of the phones’ memories, and sought statutory damages plus fees.

Following the filing of the class action, iCan provided its insurer, Liberty, with a copy of the lawsuit and requested a defense and indemnification under the policy terms. Liberty denied coverage and declined to defend the action. By March 2018, a federal district court in Florida preliminarily approved settlement of a class action lawsuit, asserting that about 2.5 million cell phones were sent text messages in violation of the law. iCan agreed to the entry of a consent judgment against it in the amount of $60,413,112. As part of these terms, iCan agreed to assign its rights against its insurer, Liberty, to the class action plaintiffs (as this reportedly was the only potential source of recovery for the plaintiffs and their attorneys).

Dispute over policy terms. Liberty issued a “Private Advantage Insurance Policy” to iCan as the named insured, with a $2 million liability limit.19 This is a private company directors and officers professional liability coverage form.

Liberty denied coverage to iCan with respect to the class action. Liberty cited an invasion of privacy exclusion and asserted that the class action alleged TCPA violations that caused harm to class members in the form of invasions of privacy, among other harms, and thus the entire lawsuit “arose out of” an invasion of privacy.

The plaintiffs argued that the exclusion was inapplicable because there were other allegations in addition to invasion of privacy. Also, the plaintiffs argued that they did not have to prove invasion of privacy in order to prevail in the class action because it was not an element of the TCPA causes of action.

Ruling. The federal court reviewed various cases involving the interpretation of TCPA violations as invasions of privacy, along with Florida state court decisions regarding the interpretation of the phrase “arising out of.”20 Based upon Florida’s “broad interpretation” of “arising out of,” the court concluded that the TCPA violations at issue arose out of an invasion of privacy and were therefore excluded under that policy provision.21

As to whether the entire action could be excluded, the court next reviewed whether “Claim” as defined in the policy meant the entire underlying civil proceeding or the “separate allegations of wrongful conduct” in the complaint.22 The court noted that regardless of this distinction, the claims all arose out of TCPA violations that invaded the class action plaintiffs’ privacy. The court commented that throughout the underlying complaint, the plaintiffs expressly alleged invasion of privacy as a basis for their lawsuit. Given this, the court stated that the “Policy’s broad exclusion barring coverage for Claims arising out of an actual or alleged invasion of privacy precludes coverage here entirely.”23

There was an alternative dispute over whether the plaintiffs failed to allocate the settlement between covered and uncovered claims as required under Florida law; the court found against the plaintiffs with respect to their failure to allocate the lump sum settlement between covered and noncovered losses.24 The court ruled that the burden was on the “insured” to allocate/apportion a settlement.

The decision has been appealed by the plaintiffs, and briefs have been filed.25

Commentary. Some commentators note that “data privacy” regulations as compared to “data security” regulations may need to be specifically vetted when policyholders view their coverage profile.26 “Privacy” regulations under statutes like the GDPR and the CCPA may not always involve data breaches, so reviewing coverages that respond beyond “breach response costs” likely will be important as well.

Email Spoofing Scheme Covered under Professional Liability Insurance

The U.S. District Court for the Southern District of New York ruled in favor of coverage for an insured’s unsuspecting role in a fraudulent email spoofing scheme in SS&C Technologies Holdings, Inc. v. AIG Specialty Insurance Co.27

Underlying email spoofing scheme. The underlying facts and lawsuit in SS&C Technologies involved an increasingly common type of social engineering cybercrime termed “spoofing,” by which a bad actor uses a seemingly legitimate email address as part of a scheme to trick an individual or entity into transferring funds to a fraudulent source.

The insured in this case, SS&C, is a financial technology company that provides business processing management services to its clients. SS&C unwittingly became an accomplice to an email spoofing scam in March 2016 after an unknown third party, falsely claiming to be acting on behalf of SS&C’s investment fund client Tillage Commodities Fund, used look-alike, or “spoofed,” email credentials to send six fund transfer requests to SS&C. Believing the requests to be valid, SS&C processed them, transferring over $5.9 million from Tillage’s accounts to the fraudsters’ bank accounts in Hong Kong.

Tillage filed suit against SS&C, alleging that SS&C was grossly negligent in managing Tillage’s funds and breached its services contracts, among other causes of action. The underlying Tillage Commodities Fund, L.P. v. SS&C Technologies, Inc. lawsuit settled for an undisclosed amount without any admission of liability or wrongdoing.28

Coverage dispute. SS&C maintained a “Risk Protector Policy” issued by AIG Specialty Insurance Company. The policy contained a “Specialty Professional Liability Insurance” section, which covered SS&C’s liability for up to $10 million for claims alleging “any negligent act, error or omissions, misstatement or misleading statement in an Insured’s performance of Professional Services for others.”29

SS&C provided timely notice of the Tillage action to AIG. While acknowledging that the Tillage action fell within the scope of coverage afforded under the insuring provisions and agreeing to cover SS&C’s defense costs relating to the Tillage action, AIG nonetheless denied indemnity coverage for the settlement amount. SS&C filed a coverage action against AIG in the Southern District of New York, asserting causes of action for breach of contract, declaratory judgment, and breach of the implied covenant of good faith and fair dealing.

AIG’s motion to dismiss based on the conduct exclusion. AIG responded to SS&C’s complaint with a motion to dismiss, arguing that the conduct exclusion in the Specialty Professional Liability Insurance section—of the type typically contained in some form in virtually all claims-made insurance coverages, including professional liability, “cyber,” and management liability insurance policies, among others—applied to bar coverage for the settlement.

The conduct exclusion at issue purported to exclude, in its first clause, coverage for losses in connection with claims “alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law.”30 The exclusion proceeded to state, in the second clause, that

provided, however, [AIG] will defend Suits that allege any of the foregoing conduct, and that are not otherwise excluded, until there is a final judgment or final adjudication against an Insured in a Suit, adverse finding of fact against an Insured in a binding arbitration proceeding or plea of guilty or no contest by an Insured as to such conduct, at which time the Insureds shall reimburse [AIG] for Defense Costs.31

AIG broadly argued that the exclusion applied to bar coverage not only to a “dishonest, fraudulent, criminal or malicious act” committed by SS&C but also to such acts committed by any third-party bad actors.

In a November 5, 2019, opinion, the district court rejected AIG’s broad interpretation of the conduct exclusion, finding that “even though reading the first clause in isolation might support AIG’s interpretation, this interpretation falters when the sentence is read in its entirety.”32

In particular, applying Connecticut law, the district court found that a close reading of the exclusionary language, including the “provided, however” verbiage in the second clause, which modifies the first clause of the exclusion relied upon by AIG, “clearly indicates” that the exclusion was intended to apply only to dishonest, fraudulent, criminal, or malicious acts committed by the insured, SS&C, and not to acts committed by third parties.33 The court found that this reading of the exclusion comports “with what the parties most likely intended when they entered into the” insurance policy, i.e., that the intent of the exclusion was to only apply to acts of the insured, not third parties. The court noted that the rationale of such exclusionary provisions is that “a tortfeasor may not protect himself from liability by seeking indemnity from his insurer for damages, punitive in nature, that were imposed on him for his own intentional or reckless wrongdoing.”34 Applying well-established tenets of insurance contract construction, the court found in the alternative that “[a]t the very least, ambiguity exists, and . . . the court must ‘construe the terms of an insurance policy in favor of insurance coverage.’”35

Significantly, the court also found that SS&C presented sufficient evidence to support its claim that AIG had denied its claim in bad faith, finding that AIG may have “engaged in allegedly pretextual reading of the Policy to deny coverage” and that such “may qualify as an act of bad faith.”36

District court’s ruling upholding coverage for the spoofing scam. On January 29, 2020, the district court held on the parties’ cross-motions for summary judgment that AIG must cover the settlement of the underlying Tillage action. The district court found that AIG had breached the policy in denying coverage for the underlying settlement.

In its ruling, the court considered another of the various exclusions relied upon by AIG, the “Modified Investment Advisor Exclusion,” which purported to exclude for losses in connection with claims made against an insured alleging, arising out of, based upon, or attributable to

the exercise of any authority or discretionary control by an Insured with respect to any client’s funds or accounts. Provided, however, that this exclusion shall not apply to any Claim arising out of your performance of Professional Services. Notwithstanding the foregoing sentence, it is expressly understood and agreed that there shall be no coverage for the monetary value of any funds lost due to the [Insured’s] exercise of such authority or discretionary control.37

The court found that the exclusion did not apply because “[u]ndisputed facts clearly establish that SS&C lacked authority or discretionary control over Tillage’s funds and accounts”; rather, SS&C was only permitted to transfer the money upon specific instructions from its client, Tillage.38 When SS&C employees signed off on the transfers, they mistakenly believed they were doing so with Tillage’s authorization. The district court concluded that the exclusion, like the other exclusions relied upon by AIG, was inapplicable and that the underlying settlement was covered.

Commentary. SS&C Technologies underscores that, even in the relatively nascent realm of insurance coverage for cybercrime, courts will apply fundamental principles of insurance contract interpretation, including the principles that ambiguities are to be construed in favor of coverage and that the insured’s reasonable expectations must be guarded and upheld.

Business Owners’ Policy Implicated in Ransomware Attack

Loss from the attack. In National Ink & Stitch, LLC v. State Auto Property & Casualty Insurance Co., policyholder National Ink’s computer server and networked computers fell victim to a ransomware attack, which prevented National Ink from accessing all of its art files and other data contained on the server, as well as most of its software.39 The attacker demanded a Bitcoin payment for the decryption key. National Ink retained a cybersecurity company to replace and reinstall its software and to install protective software on its systems. National Ink’s computers still functioned, but the company claimed there was a loss of efficiency (reportedly due to the protective measures installed). Also, National Ink was unable to access files stored on the system, which forced the company to recreate files. Experts opined that there were likely dormant remnants of the ransomware virus in the system (including a potential for reinfection). Thus, the recommendation to National Ink was that it should “wipe” the entire system and reinstall all of the software and data, or it should purchase an entirely new server and components.40

Coverage. As a result of the attack, National Ink submitted a claim to its insurer, State Auto. State Auto had provided National Ink with a “Businessowners Special Form Computer Coverage” endorsement.41 Under this endorsement, “Covered Property” included “Electronic Media and Records (Including Software).”42 The term “Electronic Media and Records” was defined to include “[e]lectronic data processing, recording or storage media such as films, tapes, discs, drums or cells,” and “[d]ata stored on such media.”43

State Auto denied coverage with respect to the cost of replacing National Ink’s computer system. The parties disputed whether National Ink experienced “direct physical loss of or damage to” these systems, which would justify replacement costs under the policy.44

Analysis of loss and terms. National Ink brought suit in the federal district court in Maryland, and the parties filed cross-motions for summary judgment based on the pleadings filed. State Auto argued that because National Ink only lost data, an intangible asset, and could still use its computer system to operate its business, it did not experience direct physical loss per the policy terms.45 National Ink argued that the policy’s language contemplated computer data and software to be property subject to “direct physical loss” and that its computer system itself sustained damage, in the form of impaired functioning.46

The court found that the policy expressly listed “data” as an example of covered property under the definition of “Electronic Media and Records (Including Software),” and specifically “data stored on such media.”47 The court noted that if the policy was intended to require physical loss or damage to media itself, as opposed to just the data, the terms could have stopped at the subsection that described covered media. Instead, as noted, the terms included “data stored on such media” as a subcategory of covered property.48 Thus, the court concluded that the plain language of the policy contemplated that “data and software are covered [property] and can experience ‘direct physical loss or damage.’”49

Without reference to any specific citations, the court commented that this interpretation “comports with [that] reached by the majority of courts interpreting similar policies.”50 In particular, the court distinguished this matter from earlier cases where policyholders sought coverage for “loss of electronically stored data, without . . . damage to the storage media or to any other property.”51 The court noted that the policyholder here also sought recovery for loss of functionality.52

The court also distinguished other matters based on the policy language in dispute in those matters.53 In support of identifying “software” as “property,” the court referenced Maryland case law that addressed the treatment of computer software as “tangible property” for tax purposes.54

Finally, the court addressed the “loss of functionality” damage question, comparing National Ink’s scenario with other earlier decisions addressing power outages and equipment failures.55 In comparison to those cases, the court found that “loss of use, loss of reliability, or impaired functionality demonstrate the required damage to a computer system, consistent with the ‘physical loss or damage to’ language in the Policy.”56 As such, the court found for plaintiff National Ink on the basis that “a computer will suffer ‘damage’ without becoming completely inoperable.”57

Commentary. Some of the cases cited by the National Ink court reflect one of the earliest battle lines over coverage for cyber-related losses or damages.58 The decision is already getting attention from commentators because the court decided to wade into the “tangible/intangible” waters.59 Furthermore, the “slowdown” versus “meltdown” issue is not a new one for entities forced to confront such disruptive attacks, and many cyber insurers have tried to offer forms to alleviate this issue as a concern for their policyholders.

Other Pending Cases

In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA), which regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.60 In light of the prolific number of cases now filed relating to alleged BIPA violations and the Illinois Supreme Court’s ruling that alleged statutory violations suffice for standing,61 it is not surprising that these cases likewise would result in defendants pursuing insurers for defense/damages coverage. The cases primarily arise out of policyholders seeking coverage under commercial general liability policies or a commercial multiple peril policy (which includes employment practices and directors/officers coverages).62

One of the matters, Zurich v. Omnicell,63 initially was stayed pending resolution of the underlying matter. The stay was lifted earlier in the year, so now the insurer’s denial, based on a “Recording and Distribution of Material in Violation of Law” exclusion, may be tested.64 That exclusion has been updated with respect to electronic data and various federal, state, and local regulations addressing the dissemination, disposal, and collection of material or information.65

These cases may be seen as testing some of the more recent variations on exclusions to general liability forms. It will also be interesting to see if the various BIPA lawsuits result in disputes over cyber-specific coverages, and the breadth and scope of those terms.


In addition to keeping a close watch on developments regarding various insurance coverages designed to address cyber-related risks, it will be imperative for practitioners to maintain vigilance on developments relating to these coverage challenges.


1. See Cyber Attacks Cost $45 Billion in 2018, Sec. Mag. (July 10, 2019), (noting that “Business Email Compromise (BEC) doubled in 2018, resulting in $1.3 billion in losses,” and “[a]n estimated two million cyber attacks in 2018 resulted in more than $45 billion in losses worldwide”); see also Claire Wilkinson, Cyber Moves to Top Risk Concern: Allianz, Bus. Ins. (Jan. 14, 2020),

2. See Ellen Sheng, Cybercrime Ramps Up amid Coronavirus Chaos, Costing Companies Billions, CNBC (July 29, 2020),; see also Cyber Insurance Market Is Booming Worldwide, Wall St. Call (Oct. 7, 2020),

3. See Andrew Granato & Andy Polacek, The Growth and Challenges of Cyber Insurance, Chi. Fed Letter No. 426 (2019),

4. See Margaret A. Reetz et al., Cyber Risks: Evolving Threats, Emerging Coverages, and Ensuing Case Law, 122 Penn St. L. Rev. (2018).

5. Complaint, HUB Parking Tech. USA, Inc. v. Ill. Nat’l Ins. Co., No. 2:19-cv-00727-MJH (W.D. Pa. June 19, 2019).

6. Brief in Support of Plaintiff’s Motion for Partial Summary Judgment at 7–9, HUB, No. 2:19-cv-00727-MJH (Oct. 29, 2019) (emphasis omitted).

7. Id. at 12.

8. Id.

9. 15 U.S.C. §§ 1681–1681x.

10. Brief in Support of Plaintiff’s Motion for Partial Summary Judgment, supra note 6, at 12.

11. Id.

12. Illinois National Insurance Company’s Response in Opposition to Plaintiff’s Motion for Partial Summary Judgment at 2, HUB, No. 2:19-cv-00727-MJH (Dec. 3, 2019) (emphasis omitted).

13. Id. at 13.

14. Id.

15. Id. at 1.

16. Id. at 3.

17. 391 F. Supp. 3d 1157 (S.D. Fla. 2019), appeal docketed, No. 19-12525 (11th Cir. July 3, 2019).

18. The TCPA requires telemarketers (1) to obtain prior express written consent from consumers before robocalling them; (2) to no longer use an “established business relationship” to avoid getting consent from consumers when calling their home phones; and (3) to provide an automated, interactive “opt-out” mechanism during each robocall so consumers can immediately tell the telemarketer to stop calling. 47 U.S.C. § 227.

19. Horn, 391 F. Supp. 3d at 1159.

20. Id. at 1161–63.

21. Id. at 1163.

22. Id. at 1164.

23. Id.

24. Id. at 1166.

25. See Horn v. Liberty Ins. Underwriters, Inc., No. 19-12525 (11th Cir. filed July 3, 2019).

26. See, e.g., Kevin LaCroix, D&O Insurance: Thinking about the Invasion of Privacy Exclusion, D&O Diary (June 20, 2019),

27. 436 F. Supp. 3d 739 (S.D.N.Y. 2020).

28. See No. 654765/2016 (N.Y. Sup. Ct. Dec. 22, 2016).

29. SS&C Techs., 436 F. Supp. 3d at 741 n.2.

30. SS&C Techs. Holdings, Inc. v. AIG Specialty Ins. Co., No. 19-cv-7859, 2019 U.S. Dist. LEXIS 194196, at *3 (S.D.N.Y. Nov. 5, 2019).

31. Id.

32. Id. at *7.

33. Id.

34. Id. at *8.

35. Id. (quoting Kelly v. Figueiredo, 610 A.2d 1296, 1299 (Conn. 1992)).

36. Id. at *12.

37. SS&C Techs. Holdings, Inc. v. AIG Specialty Ins. Co., 436 F. Supp. 3d 739, 744 (S.D.N.Y. 2020).

38. Id.

39. 435 F. Supp. 3d 679, 680 (D. Md. 2020).

40. Id. at 680–81.

41. Id. at 681.

42. Id.

43. Id.

44. Id.

45. Id. at 682.

46. Id.

47. Id.

48. Id.

49. Id.

50. Id.

51. Id. at 683 (comparing Ward Gen. Ins. Servs., Inc. v. Emp’rs Fire Ins. Co., 7 Cal. Rptr. 3d 844 (Ct. App. 2003)).

52. Id.

53. Id. at 683–84 (comparing State Auto Prop. & Cas. Ins. Co. v. Midwest Computs. & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001) (policy language referenced “loss of use of tangible property” (emphasis added)); Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. 2003) (server that was replaced fell within the definition of “electronic media and records” and contained hard drive or “disc,” a term that was explicit in the policy); and NMS Servs., Inc. v. Hartford, 62 F. App’x 511 (4th Cir. 2003) (erasure of data as a “direct physical loss”)).

54. Id. at 684–85 (citing Comptroller v. Equitable Tr. Co., 296 Md. 459 (1983)).

55. Id. at 685–86 (citing Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185-TUC ACM, 2000 WL 726789 (D. Ariz. Apr. 18, 2000); Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., Ltd., 439 F. Supp. 2d 831 (W.D. Tenn. 2006); and Ashland Hosp. Corp. v. Affiliated FM Ins. Co., No. 11-16-DLB-EBA, 2013 WL 4400516 (E.D. Ky. Aug. 14, 2013)).

56. Id. at 686.

57. Id.

58. See Granato & Polacek, supra note 3, for a discussion of these cases and other matters where there was no coverage given an “impaired property” exclusion, or no loss/damage to tangible property.

59. See, e.g., Jeff Sistrunk, Ransomware Victims Get New Path to Coverage in Md. Ruling, Law360 (Jan. 27, 2020), (“Hunton Andrews Kurth LLP partner Walter Andrews, who represents policyholders, said . . . [the] holding ‘more closely tracks the real world of computer attacks. . . . Computer viruses—such as those caused by ransomware—can cause substantial harm to a computer system and a policyholder’s business’”; and Joshua Mooney, insurer counsel from White and Williams, commented that “the decision ‘missed the forest for the trees’ by getting stuck on the question of whether National Ink’s electronic data and software were tangible or intangible, when the State Auto property policy at issue doesn’t even contain terms limiting coverage to tangible property.”).

60. 740 Ill. Comp. Stat. 14/1.

61. Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197 (Ill. 2019); see also Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019) (stayed pending appeal to the U.S. Supreme Court).

62. See Peter Halprin et al., Ill. Cases May Instruct Insurance Suits over Calif. Privacy Law, Law360 (Dec. 18, 2019), (referencing U.S. Fire Ins. Co. v. Xanitos, Inc., No. 1:19-CV-02974 (N.D. Ill. 2019); Westfield Ins. Co. v. Caputo’s New Farm Produce Inc., No. 2019-CH-00232 (Ill. Cir. Ct. 2019); Everest Nat’l Ins. Co. v. Innovative Heights Fairview Heights, LLC, No. 19-900 JPG/GCS, 2019 WL 3933669 (S.D. Ill. 2019); Depositors Ins. Co. v. Joliet HI Hotels, No. 1:19-CV-07480, 2019 WL 5999576 (N.D. Ill. 2019); Church Mut. Ins. Co. v. Triad Senior Living, Inc., No. 1:19-CV-07599 (N.D. Ill. 2019); Zurich Am. Ins. Co. v. Omnicell, Inc., No. 3:18-cv-05345, 2018 WL 4198057 (N.D. Cal. 2018); and Axis Ins. Co. v. All Will Cnty. Auto Parts & Wreckers, Inc., No. 2019-CH-10756 (Ill. Cir. Ct. 2019)).

63. See Zurich, 2018 WL 4198057.

64. See Thomas J. Judge & Lewis K. Loss, All Stop: Ruling on the Applicability of Exclusion to BIPA Claims Delayed, Resources (Mar. 5, 2019),

65. See ISO General Liability Form Revisions - Effective April 1, 2013, Marsh, (last visited Jan. 19, 2021).

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

Margaret A. Reetz is a partner at Mendes & Mount LLP in New York, where she focuses her practice on advising clients with respect to data security and privacy risks, consumer class action litigation, intellectual property disputes, and media/social media issues.

Joanne L. Zimolzak is a partner at Dykema Gossett PLLC in Washington, D.C., where she practices in the area of commercial litigation with a particular focus on insurance coverage and bad faith matters. She is a vice-chair of the TIPS Insurance Coverage Litigation Committee.

Roberta Anderson Sutton is a partner at Potomac Law Group PLLC in Pennsylvania, where she concentrates her practice in the areas of insurance recovery, risk management counseling, and emerging cybersecurity, privacy, and data protection-related issues.