Data Breach Liability Exclusion – It’s Not Your Father’s CGL


No business is immune to data breach. Digital data in particular can be lost in innumerable ways, causing serious business interruptions and consumer injuries. After falling victim to a hack, virus, or cyber theft, companies often search for coverage under their commercial general liability (“CGL”) policy, but a new endorsement by Insurance Services Office, Inc. means that such searches will likely be in vain. Effective May 1, 2014, cyber liability is excluded from the CGL form. Businesses seeking protection from data loss will need cyber liability policies specific to malicious and accidental data breaches.

Insurance Services Office’s new endorsement revises Coverage A, removing coverage for bodily injury and property damage regarding “access or disclosure of confidential or personal information, and data-related liability.” An identical exclusion modifies Coverage B, removing cyber liability coverage for personal and advertising injury claims. These new exclusions may not mention the word “cyber,” but they encompass breaches resulting from all manner of cyber accident or crime.

The endorsement bars coverage for injury or damage arising from: any access to or disclosure of customer lists; credit card, health and financial information; and other types of non-public information that may include confidential business or personal information such as patents, trade secrets, and processing methods. Data-related losses include any loss of, loss of use of, damage to, corruption of, and inability to access or manipulate electronic data. “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media,” which covers most systems that businesses rely on to perform daily operations.

The endorsement also bars bodily injury claims for damages arising from access to or disclosure of confidential or personal information. It excludes coverage for the data breach itself, as well as the costs of responding to and remediating it. Coverage is precluded for notification costs, credit monitoring expenses, forensic expenses, public relations expenses, or any other loss, cost or expense incurred.

The costs associated with data loss and theft can be extraordinary—from protecting customers to rebuilding computer systems to defending the company’s public reputation. As CGL policies expire and are replaced, businesses must carefully consider how to manage their financial exposure to newly excluded data losses, including those carried by third-party vendors. No longer can businesses rely on their CGL policies for cyber coverage, so they must consider seeking protection elsewhere.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising
