Coming This Spring to an Insurance Policy Near You: Cybersecurity Data Breach Exclusions

by K&L Gates LLP
Contact

Against the backdrop of Target’s massive data breach and the recent Heartbleed headache, the insurance industry’s imminent implementation of a series of new cybersecurity data breach exclusionary endorsements, which were issued for use with standard-form liability insurance policies, should prompt organizations to carefully review their insurance policies for potential data breach coverage and consider purchasing cybersecurity insurance.

The Cost Of Data Breach
For a single data breach, the Ponemon Institute reports that the average U.S. organizational cost is $5,403,644 -- with $565,020 spent on post-breach notification alone.[1] Importantly, the numbers do not include “data breaches in excess of 100,000 [records] because they … would skew the results.”[2] Yet the incidents of large-scale breaches are on the rise -- as illustrated by the Target breach, which has precipitated over 70 putative class actions (yes, you read that right, 70), as well as shareholder derivative litigation alleging a 10%+ drop in share price, regulatory investigations, and, most recently, financial institution suits seeing reimbursement for the costs of issuing replacement cards.

There is no doubt that most organizations suffering a data breach of any consequence will incur significant costs, including for forensic investigation to figure out what happened, breach notification to potentially impacted individuals, and credit monitoring and public relations efforts, among other crisis management activities. Many organizations, like Target, will also face lawsuits, regulatory investigations other negative consequences.

Unfortunately, data breaches are not only costly -- they are inevitable. By now, every organization should appreciate that even the most robust and sophisticated network security will fail. No firewall is unbreachable, no security system is impenetrable. As FBI Director Robert Mueller has fittingly stated, “there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”[3]

The Role Of “Traditional” Liability Insurance
Insurance can play a vital role in an organization’s overall efforts to address and mitigate cyber risk. As of now, there could, and there should, be significant potential coverage for cybersecurity data breaches under a company’s commercial general liability (CGL) policies, a type of coverage that the majority of companies already have in place.

In particular, the current industry standard-form CGL policy states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”[4] The key definition -- “personal and advertising injury” -- is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”[5] Considering this key definition, courts have appropriately upheld coverage for data breaches and other claims alleging violation of various privacy rights in a variety of settings.[6]

New Data Breach Exclusionary Endorsements
As courts have upheld coverage for data breaches, the insurance industry has made it abundantly clear that it seeks to eliminate data breach coverage from the standard-form CGL policy.

Last Fall, Insurance Services Office, Inc. (ISO)[7] filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These already have been approved by insurance regulators in at least 45 U.S. states and territories to become effective on or after May 1st. By way of example, one of the endorsements, entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited Bodily Injury Exception Not Included,” adds the following exclusion to the standard-form’s Coverage B:  

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.[8]

ISO explained in connection with its filing of the endorsements that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”[9]

Therefore, while acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”[10]

Even before the recent 2014 data breach exclusions were introduced, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, entitled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key definition (i.e., “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”) that is the linchpin for the data breach coverage under CGL Coverage B (found at Paragraph 14.e of the Definitions section of Coverage B). The endorsement states:

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.[11]

Although this endorsement appears to have quietly flown in under the radar last Spring, it in reality is even more sweeping than the 2014 data breach exclusionary endorsements because it eliminates the key component of the coverage grant.

Although it may take some time for the new (or similar) exclusions to make their way into CGL policies, and although the full reach of the exclusions will remain unclear until judicially tested, they provide another reason for companies to carefully consider specialty cybersecurity insurance policies.

In addition, organizations should be aware that, even when these exclusions are not present, they are likely to find themselves in a fight to secure coverage under “traditional” CGL policies. By way of a high-profile example, Sony’s CGL insurers, Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co., filed a declaratory judgment action against Sony seeking to avoid coverage for Sony’s massive 2011 PlayStation data breach. On cross motions for summary judgment, a New York trial court judge recently let Sony’s insurers off the hook for the breach. With all respect to the New York trial court, this one should have been a clear Sony victory and should be overturned on appeal.[12] In the meantime, however, the Sony decision underscores the issues that insureds face in obtaining coverage under CGL policies -- even where there is a good argument in favor of coverage.

Specialized Cybersecurity Insurance
As the insurance industry has added various limitations and exclusions to “traditional” policies, the industry has developed specialized “cyber” insurance policies, which cover, among other things, liability arising out of data breaches.

Cybersecurity insurance policies do not just cover lawsuits and regulatory actions. Unlike other types of insurance, they commonly provide “first dollar” coverage for breach notification costs and other “crisis management” expenses (forensic investigation, credit monitoring, call centers, and the like) and offer pre- and post-loss risk management services, including privacy training, information portals, and cybersecurity and incident response templates. After a breach, the policies afford companies access to established industry experts, including forensics specialists, public relations consultants and attorneys well-versed in navigating data privacy laws. All of this greatly assists in mitigating ultimate exposure. And the application process itself shines a spotlight on the company’s current cybersecurity risk management practices and is likely to reveal potential cybersecurity weaknesses that should be addressed.

Given the pervasiveness of cybersecurity incidents, the ever-increasing and evolving cyber risk threat, and the insurance industry’s position on coverage under “traditional” policies, companies should consider the potential role of cybersecurity insurance as part of their overall strategy to address and mitigate cyber risk.  In addition, careful attention to insurance issues is consistent with the SEC’s Division of Corporation Finance guidance on cybersecurity disclosures under the federal securities laws, which advises that “appropriate disclosures may include,” among other things, a “[d]escription of relevant insurance coverage” for cybersecurity incidents.[13] A review of recent SEC comments reveals that SEC is requesting information regarding both whether a company has obtained relevant insurance coverage, as well as the amount of the company’s cybersecurity insurance.

Cybersecurity insurance can be extremely valuable. However, organizations are advised to keep in mind that selecting and negotiating the right cybersecurity insurance policy presents unique and significant challenges.  There is a vast array of cybersecurity products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from policy to policy. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel -- and experienced insurance coverage counsel.


[1] Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, at 5, 16 (May 2013).

[2] Id. at p.1.

[3] Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference San Francisco, CA (Mar. 1, 2012), available here.

[4] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[5] Id. §14.e.

[6] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527, at *2 (C.D. Cal. Oct. 7, 2013) (upholding coverage in a data breach case for statutory damages of $1000 per person under the CMIA and statutory damages of up to $10,000 per person under the California Lanterman-Petris-Short Act under a policy that covered damages that the insured was “legally obligated to pay as damages because of ... electronic publication of material that violates a person’s right of privacy”).

[7] ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.

[8] CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.”  Id.

[9]  ISO Commercial Lines Forms Filing CL-2013-0DBFR, at p. 8.

[10] Id. at p. 3. 

[11] See CG 24 13 04 13 (2012).

[12] See Roberta D. Anderson, Five Reasons Why The Sony Data Breach Coverage Decision Is Wrong, K&L Gates LLP Insurance Coverage Alert (Mar. 10, 2014), available here.

[13] SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011).

 

Written by:

K&L Gates LLP
Contact
more
less

K&L Gates LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.
Feedback? Tell us what you think of the new jdsupra.com!