Coverage for Third-Party Cybersecurity Claims

1. Cybersecurity Data Breach Risks

Modern businesses face increasing exposure to risks from data and electronically stored information. The ability to compile and store such information cheaply in a way that allows easy access and manipulation has helped companies reach unprecedented levels of service to their customers and given companies access to a considerable amount of information about those customers. Nevertheless, this data also makes the company vulnerable to losses, whether by corruption of data or direct attack from malicious individuals or software. Such risks are not faced only by high-tech companies, database providers, or cloud-computing hosts; they are faced by any company. For example, companies that store credit-card numbers, Social Security numbers, medical information, or third parties’ corporate secrets all are at risk.

With this amount of data available in such small electronic repositories, the number of data breaches has skyrocketed. Similarly, companies who have suffered data breaches now face potentially significant liabilities, such as myriad reporting obligations that vary by state and federal law; potential civil lawsuits by customers, banks, and clients whose data was exposed; and investigations and lawsuits from state attorneys general, the Federal Trade Commission, and the Department of Health and Human Services and the Office for Civil Rights. In addition to federal laws with reporting requirements, nearly every state has a requirement to report data breaches, and state attorneys general have established departments for the specific purpose of data privacy.415 One court has noted that data breaches:

“appear to provide the basis for a new breed of lawsuits, especially class action lawsuits, in which plaintiffs allege that the database handlers’ negligence in developing and maintaining security measures have resulted in otherwise personal and confidential information being compromised, thereby increasing the risk of identity theft for those individuals whose information was compromised.”416

Companies can find protection against these risks in both traditional forms of insurance and new forms of so-called "cyberinsurance."

Those companies that are publicly reporting should be cognizant of the SEC Division of Corporation Finance’s Disclosure Guidance regarding cybersecurity. That guidance, released on October 13, 2011, states that “appropriate disclosures may include: . . . Description of relevant insurance coverage.”417 Insureds would be well advised to discuss the scope of their insurance coverage for cybersecurity risks and cyber incidents (whether under cyberinsurance policies or other policies) with insurance coverage counsel experienced in analyzing coverage for such events and risks.

Companies facing cybersecurity and data privacy risks should consider the following tips.

1. Determine what the company’s risks are in relation to cybersecurity and data privacy.

Understanding the risks will allow the company to procure an insurance program that is best suited to the company’s particular risks.

2. Consider investing in a “cyberinsurance” policy that is marketed as protecting against first- and third-party risks related to a broad range of cybersecurity and data-privacy risks.  

3. Review the company’s entire portfolio of insurance to determine any overlapping coverage for cybersecurity and data-privacy risks. Recent cases have demonstrated that certain policies can and do provide coverage for cybersecurity and data-privacy risks.

2. Insurance Coverage for Cybersecurity Losses and Liabilities Under First-Party Property Policies and CGL Policies

Insureds should review their insurance policies (to which they are named insureds or additional insureds) closely to determine whether there may be coverage for cybersecurity losses. These include first-party property and CGL insurance policies.

a. Defining Coverage for “Property Damage”

A key point to keep in mind when seeking insurance coverage for a data breach or other cyber incident under a non-cyberinsurance policy is whether the incident caused “property damage.”

Under both first-party property insurance and third-party CGL policies, several of the coverage grants are dependent on whether there is “property damage” as that term is used and defined within the insurance policies. (CGL policies also provide, among other coverages, personal and advertising injury coverage that is not dependent on a finding of property damage, the application of which to cybersecurity claims is discussed in this section.)

First-party property policies may define “property damage,” or may promise to pay for direct physical loss of, damage to, or loss of use of covered property. Standard form CGL policies typically define property damage; ISO’s 2013 CGL form defines “property damage,” in part, as meaning “[p]hysical injury to tangible property” and resulting “loss of use of the property,” or “loss of use of tangible property not physically injured.”418 The definition states that “electronic data is not tangible property.”419

Several issues critical to coverage arise in light of these definitions. Policyholders should work closely with information technology and forensics experts after a data breach or cybersecurity incident to determine whether there has been any property damage. Most persuasive to insurance companies that sold CGL or first-party property insurance policies will be evidence of physical damage to hardware. Loss of use of hardware also should be persuasive. Loss of or damage to software, data, and other electronically stored information should be considered “property damage” as well, but insurance companies rarely will agree to such an interpretation without significant effort or litigation.

Courts have been willing to find that computer hardware itself is tangible property, and that damage to hardware constitutes property damage. In addition to direct physical damage, both first-party and third-party insurance policies may provide coverage for occurrences that result in a “loss of use” of tangible property. Because of such coverage, even if lost or damaged data is considered intangible, there is still a possibility that data-related losses will be covered.

Considering the “loss of use of tangible property” definition of “property damage,” a leading appellate decision has found that the inability to use computers as intended, after a cyber incident, was “property damage.”420 Loss of function of a computer, such as by corruption of data or virus, may be significant enough to extend coverage to the loss of data as well.421 Policyholders should determine whether the facts support an argument that the data was stored on media or affects property in a way such that the property is unavailable for use as a result of corresponding data damage, and that there was “property damage” as a result.422

b. Loss of or Damage to Data as Injury to “Tangible Property”

Whether data, computer software, or other cybersecurity-related materials are considered physical, tangible property is less clear, with a split in authority.423 Notwithstanding favorable case law, policyholders should be aware that many CGL insurance policies sold after 2000 contain an exclusion stating that electronic data is not tangible property.424 Not every insurer’s CGL policy contains this language, and brokers may be able to persuade underwriters to change that language for particular policyholders.425

For those insurance policies that do not define data to be tangible property, or for which there are endorsements that eliminate any such exclusion, policyholders should be aware of a split in authority on the question of whether software and data constitute tangible property. Specific to the insurance coverage context, certain courts have interpreted CGL insurance policies and first-party property insurance policies, and have determined that damage to or complete loss of data, software, or computer settings constitutes physical damage to tangible property.426 Other courts addressing this issue have found that data and computer software do not constitute tangible property.427 These courts assert that computer data is not “tangible” on the grounds that “[a]lone, computer data cannot be touched, held, or sensed by the human mind. . . .”428 Other cases have recognized that data and computer software should be considered tangible property that can be physically damaged.429 If data is not considered tangible property, then it is unlikely that claims based on the loss of or damage to data alone, without loss of use of, or other physical damage to, tangible property, meet the requirements of “property damage” under a policy.430

c. Relevant Coverage Provisions Under CGL Policies

Basic CGL policy terms may provide coverage for data breaches and cyber risks through two coverage provisions: (1) protection from liability to third parties resulting from bodily injury or property damage and (2) protection from liability to third parties resulting from personal or advertising injury. As the result of ever-increasing cyber risks, however, insurance companies have begun including exclusions specifically related to cybersecurity issues in CGL policies.431

Nonetheless, the CGL policy provides robust protection and may provide an opportunity for coverage against cyber risks.

Beyond the property damage coverage discussed above, CGL policies also provide coverage for personal and advertising injury claims. For cybersecurity purposes, the key provisions of personal and advertising injury are those providing coverage for alleged publication of material that invades another’s privacy. Personal and advertising injury coverage is not yet well-defined in the cybersecurity context, but emerging law suggests that personal and advertising injury is appropriate for cybersecurity claims.432 In addition, decisions interpreting personal and advertising injury in the context of coverage for alleged violations of the Telephone Consumer Protection Act (“TCPA”) and the Fair Credit Reporting Act (“FCRA”) are analogous to many of the issues that arise in the cybersecurity context. Those decisions also favor the application of personal and advertising injury to cybersecurity claims, because they hold that the viewing of confidential or private information is publication for purposes of personal and advertising injury; such decisions cut in favor of finding that a data breach, hacking, or phishing incident constitutes publication for purposes of coverage.433

Insureds should pay close attention to recent policy endorsements and the language contained within the body of the ISO 2013 CGL policy form that contain exclusions styled “Recording and Distribution of Material and Information in Violation of Law.” That exclusion often relates to certain statutorily based claims, such as the TCPA, and other laws, statutes, regulations, that address, prohibit, or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating, or distribution of material or information.434 To the extent that cybersecurity claims against the insured allege such violations, insureds should be aware that their insurance companies will seek to deny coverage, in whole or in part, because of that exclusion.

Nonetheless, such exclusions should not apply to common-law claims.

d. First-Party Policy Coverages for Cybersecurity Losses

The first-party property policies noted above provide coverages in addition to insurance for damage to or loss of use of insured properties. First-party property insurance policies often also protect a company’s income from insured risk, as well as covering extra expenses resulting from covered losses. Cybersecurity losses may cause covered BI, extra expense, or CBI losses.435 First-party property insurance policies also may provide coverage for lost or deleted data.436

3. Other Policy Coverages Available for Cybersecurity Losses

After analyzing the company’s CGL and first-party policies, it is worthwhile to analyze any remaining policies. Coverage from other policies may be available, depending on the facts of the cybersecurity incident. For example, a policyholder’s crime policy may provide coverage for hacking, data breaches, and the theft of consumer data. Crime policies may also contain endorsements for computer fraud, computer theft, or other data extraction which may cover data breaches and other cybersecurity losses.437

E&O insurance may provide coverage for alleged errors and omissions that result in a cybersecurity loss.438 An E&O policy is intended to insure against liability arising out of an act, error, or omission of the named policyholder in rendering or failing to render services, and may cover cybersecurity or computer-related claims.439

D&O insurance policies typically provide coverage for losses suffered by directors or officers and by the company for certain claims. In the context of cybersecurity losses, policyholders should consider carefully the resulting potential liability, and the definitions of “Wrongful Act” in their D&O policies.440 Moreover, private company D&O insurance policies often contain broad coverage for “entity claims,” and privately-held insureds should consider whether such coverage could apply to claims based on alleged data privacy violations.

Insureds facing certain cybersecurity claims may consider whether kidnap, ransom, and extortion (“KR&E”) policies could provide coverage for their claims. In the area of cybersecurity, a growing number of threats of extortion have been made relating to data that was obtained by hacking, a data breach, or another type of cybersecurity incident.441 KR&E coverage, which often includes coverage for extortion, including threats of abduction or damage to or loss of covered property, might apply in such an incident, depending on the terms used in the form purchased.

4. Specialized Insurance Policies for Cybersecurity Liabilities

Insurance companies continue to introduce new specialized products for cybersecurity risks, marketing the new policies as including data compromise, cyber liability, network risk, or computer data coverage. Cybersecurity and data breach policies are ever-changing. An experienced broker may be able to advise what coverages are available, as well as the potential strengths and weaknesses of the various policies offered.

When purchasing cyberinsurance policies, insureds should keep the following points in mind.

What is the scope of the insured’s business risks? That is, what types of information does the insured have or hold (e.g., directly, or through vendors or the cloud)? To what degree would the insured suffer if it, its customers, or its business partners could not access the insured’s network or website?

What is the scope of insurance coverage being offered by the cyberinsurance policy overall? Often, cyberinsurance policies are offered “cafeteria style,” where the insured can choose which coverages to purchase or not purchase. Insureds should consider whether to purchase coverage for BI, extra expense, and other time element losses.

Consider other factors, such as:

• Public-relations costs after an event;

• Losses due to reputational harm;

• Loss of and loss of use of data, networks, and the cloud; liability-based losses;

• Investigation and mitigation cost coverage; costs to evaluate state and federal law regarding notification after a data breach;

• Costs of notification after a data breach and the cost of “voluntary” notification after a data breach that exposed information but did not require notification under state or federal law;

• Data breach-based class actions; business partners alleging breach of contract, negligence, or other causes of action, or demanding contractual defense and indemnity;

• Professional negligence; demands from card brands, banks, and card processors; and

• Coverage for exposure or theft of intellectual property, trade secrets, or other proprietary information.

What sublimits or exclusions will the insurer seek to impose? For example, certain cyberinsurance policies contain sublimits for costs related to regulatory investigations or risks related to the cloud.

VII. First-Party Policies