This post is the third in a series about the growing need for law firms to invest in cyber liability insurance coverage. Click here for Part I, here for Part II, and here for Part IV (the conclusion).

Will Your Commercial General Liability Policy Cover a Cyber Attack?

In determining the risks involved in a cyber attack, firms may look to their general liability policy for coverage. This is probably a mistake. Unfortunately, there is no definitive answer to this question. Court rulings have either been arguably inconsistent or can depend on different factual situations and/or differing CGL policy provisions and exclusions.

The correct answer, like many in the legal field, is that it depends. Richard Milone and Genna Steinberg of Kelley Drye & Warren LLP are of the opinion that commercial general liability policies can be a reliable source of coverage for a cyber attack. On the other hand, attorneys at Latham & Watkins opine that traditional commercial general liability policies are unlikely to cover the cost of a breach. In light of the change by the Insurance Services Office, Inc. (“ISO”) to its standard insurance forms, which excludes cyber breaches from its commercial general liability policy, it seems that a commercial general liability policy is insufficient to provide coverage for the costs involved in a cyber breach.

The first issue to consider is the type of property covered by a commercial general liability policy. In claims alleging lost or damaged electronic data, software, computers, or computer systems, the key issue will be whether the claim falls under the policy’s definition of “property damage.” Some commercial general liability policies only cover “physical injury or damage” to “tangible” property. If a court finds that software and data are covered under “tangible” property, a general liability policy may be sufficient, depending on the other provisions in the policy. However, with the costs incurred by a cyber breach, that is not a risk worth taking.

AOL experienced first-hand the problems of having a policy that just covered “tangible” property. AOL’s commercial general liability policy did not define “tangible.” When AOL suffered a data breach, it sought coverage under its commercial general liability policy. The court held that the damage caused by the cyber breach was not covered under the term “tangible” and ruled in favor of the insurance carrier. On the other hand, the Court of Appeals of Minnesota found that a commercial general liability policy was ambiguous as to whether “tangible” property included coverage for a computer tape containing data belonging to a third party and ruled in favor of coverage.

Whether a court will consider electronic data “tangible” property is just one of many issues that can arise when relying on a commercial general liability policy. Another issue to consider is a claim for defense and indemnification.

In 2011, Sony Corp. of America and Sony Computer Entertainment America suffered a breach where more than 77 million user accounts were hacked, costing Sony approximately $2 billion. The insurance company denied Sony’s defense and indemnification claim and filed suit seeking a ruling that it did not have to defend Sony against any data breach claims. In 2014, the New York Supreme Court determined that the insurance company had no duty to defend. Specifically, the court found that the policy covered material published directly by Sony and not the third party who stole the data. The Sony case recently settled. One blogger calls the case a “Super Bowl ad for cyber liability insurance” and remarks that “Sony showed that companies cannot look to general liability policies to cover data breaches. They need to get cyber insurance.”

In May 2014, the ISO endorsed several exclusions relating to disclosure of personal information in its commercial general policies. One of those exclusions states:

 “CG 21 06 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Bodily Injury Exception) — excludes coverage, under Coverages A and B, for injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”

The endorsement also provides that the exclusion will apply even if damages are claimed for notification costs, credit monitor expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by the named insured or others with respect to that which is subject to the exclusion. This endorsement also includes a limited bodily injury exception arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

This exclusion, and the other exclusions endorsed by the ISO, make it less likely that a general liability policy would provide coverage. In addition, the ISO has developed separate policies for data breach and other cyber-related exposures. While some have opined that the fact that ISO has published exclusions to its commercial general liability policy indicates that the previous commercial general liability policy covers cyber breaches, that is probably not an argument worth risking in court. The best choice is to procure cyber liability insurance that specifically covers the damage incurred in a cyber attack.

This post, as well as the others in this series, was excerpted from our “Cyber Liability Insurance: Is Your Firm Covered?” article in the spring issue of the Alabama Defense Lawyers Association Journal magazine. Click here for the full article.
