Data Breach Liability Exclusion – It’s Not Your Father’s CGL


shutterstock_55614910No business is immune to data breach. Digital data in particular can be lost in innumerable ways, causing serious business interruptions and consumer injuries. After falling victim to a hack, virus, or cyber theft, companies often search for coverage under their commercial general liability (“CGL”) policy, but a new endorsement by Insurance Services Office, Inc. means that such searches will likely be in vain. Effective May 1, 2014, cyber liability is excluded from the CGL form. Businesses seeking protection from data loss will need cyber liability policies specific to malicious and accidental data breaches.

Insurance Services Office’s new endorsement revises Coverage A, removing coverage for bodily injury and property damage regarding “access or disclosure of confidential or personal information, and data-related liability.” An identical exclusion modifies Coverage B, removing cyber liability coverage for personal and advertising injury claims. These new exclusions may not mention the word “cyber,” but they encompass breaches resulting from all manner of cyber accident or crime.

The endorsement bars coverage for injury or damage arising from: any access to or disclosure of customer lists; credit card, health and financial information; and other types of non-public information that may include confidential business or personal information such as patents, trade secrets, and processing methods. Data-related losses include any loss of, loss of use of, damage to, corruption of, and inability to access or manipulate electronic data. “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media,” which covers most systems that businesses rely on to perform daily operations.

The endorsement also bars bodily injury claims from damages regarding access to or disclosure of confidential or personal information. It excludes coverage for the data breach, as well as responding and remediating costs. Coverage is precluded for notification costs, credit monitoring expenses, forensic expenses, public relations expenses, or any other loss, cost or expense incurred.

The costs associated with data loss and theft can be extraordinary—from protecting customers to rebuilding computer systems to defending the company’s public reputation. As CGL policies expire and are replaced, businesses must carefully consider how to manage their financial exposure to newly excluded data losses, including those carried by third-party vendors. No longer can businesses rely on their CGL policies for cyber coverage, so they must consider seeking protection elsewhere.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising

Written by:


Cozen O'Connor on:

JD Supra Readers' Choice 2016 Awards
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.