...whether or not a CGL policy covers data breaches allowed by Heartbleed should turn, simply, on whether the policy covers data breach at all.
While the media is understandably paying much attention to the personal security concerns raised by the recent revelation of the Heartbleed security exploit in the TSL Heartbeat Extension of OpenSSL, in the context of insurance coverage, Heartbleed is simply just another exploit for which it is not yet entirely clear whether insurance coverage exists. Although it is a widespread exploit that has been undetected for two years, whether or not a CGL policy covers data breaches allowed by Heartbleed should turn, simply, on whether the policy covers data breach at all. Insurance policies that exclude data breaches would likely exclude data breaches caused by Heartbleed. Likewise, policies that provide coverage for data breaches, generally, would also likely cover such breaches specifically caused by Heartbleed.
Many newer CGL policies contain exclusions for data breaches. Thus, under such policies it would appear that data breaches resulting from Heartbleed would also be excluded. However, in the context of CGL policies without data breach exclusions, the recent ruling in Zurich America Insurance Co. vs. Sony Corp of Amer., et al., Index No. 651982/2011 (N.Y. Sup. Ct., N.Y. Cnty) is instructive.
In Zurich v. Sony, external hackers breached Sony’s Playstation network in 2011 and obtained personally identifiable information from over 77 million people. The Zurich v. Sony Court found that Zurich and Mitsui Sumitomo Insurance Company owed no duty to defend Sony entities under a general liability policy for the massive Playstation network data breach. Sony sought coverage under Coverage B of the Zurich policy for “oral or written publication in any manner of material that violates a person’s right of privacy.” The Court held that coverage under Coverage B did not apply to allegations that the negligence of Sony allowed third party hackers to access the data. Rather, the court reasoned that this coverage only applied if Sony, the insured, committed the “oral or written publication.” There is much current debate as to whether the Zurich v. Sony decision is correct, and it is possible that public policy considerations, instead of insurance policy application, led the Court to its ultimate conclusion.
More important, now, is the question of whether a CGL policy without a data breach exclusion covers data breaches.
Whether or not Heartbleed caused or contributed to data breach is probably not material to a coverage analysis. More important, now, is the question of whether a CGL policy without a data breach exclusion covers data breaches. While the Zurich v. Sony case is important, it is a trial court decision and one of the first decisions nationally on this issue. Only time will tell us where this trend is going, and coverage for the anticipated Heartbleed data breaches will live or die with the state of the law on coverage for data breaches in general.
[JD Supra's new First Glance series asks experts for their early response to breaking news stories. Stay tuned for additional updates in the series. Looking for insights? Send suggestions to firstname.lastname@example.org.]