Data Breach: The Aftermath - Insurance Coverage Under CGL Policies for Cyber Security Breaches, Hacks, and Malware Attacks

October is National Cyber Security Awareness Month, which is an annual campaign led by the Department of Homeland Security, in order to raise awareness about cybersecurity. You may think that you and your business are fully aware of cybersecurity threats, and take adequate precautions to prevent hacks, phishing schemes, malware and ransomware attacks, and other cyber-attacks; but what if, against all preventative measures, you've been hacked? What if your company has suffered a data breach, and your data, or that of your clients or customers, has been compromised – stolen? The consequences of such a breach range from statutory penalties, to credit monitoring, to class action lawsuits, to business interruption losses, and all of this adds up. What is a company to do when it is facing such a loss? It files an insurance claim, and then waits for an investigation, and hopefully payment on the claim. But what if, during the process of the investigation, the insurance company determines that there is no coverage for the damages suffered from the data breach? This is what some companies have been told, and they have turned to the courts to resolve these insurance coverage disputes.

While there are quite a few insurance companies offering cyber liability policies, many businesses and companies have not purchased these, and instead turn to their commercial general liability policies ("CGL"). This update will explore how various courts have ruled on whether CGL policies cover the losses claimed from cyber-attacks.

Traditional Business Insurance Coverage

What does the traditional insurance policy cover when it comes to cyber breaches, i.e., is loss of data covered? Courts have been inconsistent in their rulings on this subject, and it often comes down to the applicable policy language.[1] For example, a traditional business insurance policy will cover property damage; however, some courts have found that loss of data will most likely not be considered property damage and, therefore, not be covered. In Cincinnati Ins. Co. v. Prof'l Data Services, Inc., the court held that a CGL policy did not cover "loss of use of...the lost or corrupted patient account data" as "property damage" because neither "has any physical substance and neither is perceptible to the senses."[2] A Virginia court made a similar ruling in holding that a CGL policy covering "physical damage to tangible property" did not cover AOL's damage to customers' software because software and data were not "capable of being touched or perceptible to the senses."[3] A federal judge in Oklahoma ruled that an insurer owed no duty to defend against claims alleging its insured caused computer data loss because "computer data...is not tangible property."[4]

Yet other courts have found claims for the loss of data or loss of use are covered by traditional property damage clauses. For example, the Eighth Circuit ruled that a CGL policy defining "property damage" as "physical injury to tangible property, including resulting loss of use of that property" covered a claim asserted by a third party for damages resulting from a spyware infection caused by the insured's website.[5] The Fourth Circuit held that the erasure of "vital computer files and databases" was covered under the policy as a "direct physical loss."[6]

Personal and Advertising Injury Coverage

CGL policies also typically cover third party losses for "personal and advertising injury."[7] This may include "oral or written publication of material" by the insured "that slanders, libels, disparages, or invades the right of privacy" or infringement on "another's copyright."[8] Courts have analyzed whether "publication" covers a hacker's release of information with mixed results. By way of example, in Zurich Am. Ins. Co. v. Sony Corp. of Am., Sony purchased a policy from Zurich. Sony suffered a data breach and submitted a claim to Zurich. Zurich denied the claim and Sony brought suit seeking coverage of the claim. A New York state trial court held that hackers, and not Sony, "published" the information; thus, Sony was not covered by Zurich's personal and advertising injury policy.[9]

Another question courts have addressed with mixed results is whether the definition of "publication" requires stolen information to actually be accessed by a third party. Courts are again split on this issue, with some holding that there was no "publication" of missing data because "[r]egardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information."[10] Other courts, by contrast, have held that an insurer was required to indemnify its insured for claims arising from the insured's inadvertent disclosure of private information on public search engines even though "no third party is alleged to have viewed the information" because "the definition of 'publication' does not hinge on third-party access."[11]

Courts have also grappled with the issue of whether coverage applies even if there is a policy exclusion for violation of federal and state statutes. West Coast courts have weighed in on this issue, with varying results. A Washington federal court held that an insurer was not obligated to defend suits alleging statutory privacy violations when the applicable CGL policy excluded coverage for "any loss [or] suit arising out of . . . any act that violates any statute, ordinance or regulation of any federal, state or local government."[12] On the other hand, a California federal court held the opposite, ruling that an insurer must cover these claims. The court held that even though the CGL policy excluded coverage for "personal and advertising injury...arising out of the violation of a person's right to privacy created by any state or federal act," the policy still covered statutory claims because statutes at issue codified existing privacy rights under the California constitution and common law.[13]

What about other types of traditional coverage? What have the courts said with respect to the following losses, after a data breach?

Business Interruption:

This issue remains unclear; however, it appears that Business Interruption policies may not cover loss of electronically stored data because it does not result from direct physical loss or damage. However, an Arizona federal district court held the insured's computer network was physically damaged when a power outage caused loss of all programming information and custom configurations.[14]

Directors and Officers Coverage:

These policies may be used for coverage relating to a Director/Officer's failure to implement adequate cyber security measures, but this theory has not yet been tested and remains open-ended.

Fidelity/Crime Policies:

These policies provide coverage for theft of money, securities or property, but often exclude theft of proprietary information, trade secrets, and other confidential information. Some of the areas of dispute include: (1) If there is a hack, does the policy language cover claims by credit card processors, customers and regulators against the insured that result directly from the cyber breach and (2) what is the scope of the exclusion for confidential information? The Sixth Circuit held in favor of the insured on both issues in Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821, 834 (6th Cir. 2012).

The Eighth Circuit recently granted summary judgment in favor of a bank that was seeking coverage for two fraudulent wire transfers under a financial institution bond, which totaled $485,000.[15] The insurance company argued that the loss was not covered because of “employee-caused loss exclusions” contained in the applicable policy.[16] The court held that the "overriding cause" of the loss was "criminal activity," rather than the employees' violations of policies and procedures.[17] Using Minnesota's "concurrent-causation" doctrine, the bank was entitled to payment for the loss, despite its employees' negligent acts, because "an illegal wire transfer is not a 'foreseeable and natural consequence' of the employees' failure to follow proper computer security policies, procedures and protocols."[18]

Conclusion

Your company's cyber security policies may come to light and cause issues when applying for coverage and when attempting to recover under a policy. Insurers may inquire as to whether prospective applicants follow specific standards of data protection. The insurer will then require its insureds to uphold any disclosed standards throughout the policy's term.[19] Should a breach occur, an insurer may challenge the accuracy of the insured's application and its ongoing adherence to the disclosed cyber security protocol, as occurred in a 2015 lawsuit.[20]

The attorneys of Kane Russell Coleman & Logan have developed a Data Privacy Practice Group to advise on data privacy and cyber security issues. We provide consultations on cyber security policies and procedures, analyze insurance policies for coverage in the event of a data breach (pre- and post-breach), and respond in the event of a hack, phishing scheme, malware and ransomware attack, and any other cyber-attacks that may occur. Please contact one of the members of our Data Privacy Practice Group should you wish to have more information.

[1] Jim Vorhis, Joan Cotkin, How Courts Decided Coverage Issues in Cyber Insurance Cases, L.A. Law 37 (2015)("[C]ourt opinions have been highly inconsistent, offering little comfort one way or the other about coverage [for cybersecurity-related losses] under these traditional policies.").

[2] Cincinnati Ins. Co. v. Prof'l Data Services, Inc., CIV. A. 01-2610-CM, 2003 WL 22102138, at *7 (D. Kan. July 18, 2003).

[3] America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F.Supp.2d 459 (E.D. Va. 2002).

[4] State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F.Supp.2d 1113, 1116 (W.D. Okla. 2001).

[5] Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[6] NMS Services, Inc. v. Hartford, 62 Fed. Appx. 511, 512 (4th Cir. 2003).

[7] Gregory D. Podolak, Insurance for Cyber Risks: A Comprehensive Analysis of the Evolving Exposure, Today's Litigation, and Tomorrow's Challenges, 33 Quinnipiac L. Rev. 369, 382 (2015).

[8] Id.

[9] Zurich Am. Ins. Co. v. Sony Corp. of Am., NY Supreme Ct., NY Cty., No. 651982-2011.

[10] Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 83 A.3d 664, 672-73 (Conn. App. 2014).

[11] Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC, 35 F.Supp.3d 765, 770-71 (E.D. Va. 2014) aff'd 2016 WL 1399517 (4th Cir. Apr. 11, 2016).

[12] Nat'l Union Fire Ins. Co. of Pittsburgh, Pa. v. Coinstar, Inc., No. C13-1014-JCC, 2014 WL 3891275, at *7 (W.D. Wa. Aug. 7, 2014).

[13] Hartford Cas. Ins. Co. v. Corcino & Assocs., No. CV 13-3728 GAF (JCx), 2013 WL 5687527, at *4-6 (C.D. Cal. Oct. 7, 2013).

[14] Am. Guar. & Liability Ins. Co. v. Ingram Micro, Inc., 2000 WL 726789, at *2 (D. Arizona Apr. 18, 2000)("The Court finds that 'physical damage' is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.").

[15] State Bank of Bellingham v. BancInsure, Inc., 2016 WL 2943161 (8th Cir. May 20, 2016).

[16] Id.

[17] Id.

[18] Id.

[19] Scott Godes, Managing Cybersecurity Risks in the Ever-Changing Cyber Insurance Law Environment, Aspatore, 2015 WL 5565352, at *2 (August 2015)("Areas of concern have arisen in a handful of coverage provisions under cyber insurance policies. The first is the meaning of exclusions purportedly related to the policyholder's maintenance of cybersecurity certifications."); Gregory D. Podolak, Insurance for Cyber Risks: A Comprehensive Analysis of the Evolving Exposure, Today's Litigation and Tomorrow's Challenges, 33 Quinnipiac L. Rev. 369, 400-02 (2015)("It comes as no surprise then that insurers concentrate on the implementation and maintenance of appropriate security and IT protocols as the foundation of coverage. The concept is featured prominently in the technical examination required in most policy applications (representations that are often incorporated directly into the policy itself), as well as a variety of exclusions. Policy holders must examine these procedures and their significance to the policy, or they may face an unanticipated forfeiture of coverage.").

[20] See Columbia Casualty Company v. Cottage Health System, Complaint for Declaratory Judgment and Reimbursement of Defense and Settlement Payments, 2015 WL 2393298 (C.D. Cal. May 7, 2015).