Insurance Coverage Law Report


From the Editor
Our Industry News, and Why It Matters, by Steven A. Meyerowitz

Feature Articles
Data Breaches and the General Liability Policy in a Cyber-World, by Seema A. Misra and Lauren V. DiLeonardo
Hurricane Season is Here: Is Your Insurance Program Ready for the Next Storm?, by James P. Bobotek

Case Law Developments
Homeowner’s Insurance; Excess; Health Insurance; Commercial General Liability; Life Insurance; Worker’s Compensation; Directors & Officers; Commercial Property; Subrogation; Trial Practice; Professional Liability Insurance; Umbrella

Legislative/Regulatory Developments
Alternative Risk and Captives; In the States; Reinsurance; Worker’s Compensation; Terrorism Risk Insurance; Farm

Focus On:
When Health and Auto Insurance Collide: Michigan Supreme Court Limits Insured’s Right to “Double Recovery”

Industry News
People News; Thought Leaders; New Products; Awards & Honors; Calendar

5081 Olympic Blvd., Erlanger, KY 41018, 1.800.543.0874


Data Breaches and the General Liability Policy in a Cyber-World

By Seema A. Misra and Lauren V. DiLeonardo

The authors explain the foundations for a claim under a commercial general liability insurance policy for data breach and provide a sampling of the types of laws and regulations addressing data breaches.

Headlines announcing cyber-attacks that have resulted in data breaches are commonplace. No organization, whether large or small, is immune to the risk that its confidential information will be damaged, inadvertently disclosed or even stolen. Companies that have suffered a data breach confront the costs associated with both remedying the breach and defending the litigation that often arises from such a breach. Moreover, public concern over cyber-attacks has resulted in increasing regulation at both the federal and state level.

Although cyber liability insurance is increasingly available, many companies have not purchased such policies, and data breaches are likely to result in a claim under their commercial general liability (“CGL”) policies. This article explains the foundations for a claim under a CGL policy for data breach and also provides a sampling of the types of laws and regulations addressing data breaches.

The Foundation for Coverage of Cyber Attacks Under Commercial General Liability Policies

A data breach can result in a myriad of lawsuits, with claims ranging from breach of privacy and defamation to injury to property. When an insured seeks defense or indemnity for such claims under a CGL policy, the threshold issue is whether a cyber-attack has resulted in either “personal and advertising injury” or “property damage” as required by the standard CGL policy.

“Personal and advertising injuries”

CGL policies provide coverage for damages relating to “personal and advertising injury,” a term which is generally defined as an injury arising out of a list of enumerated “offenses.” Defense and/or indemnity is often sought for data breach claims on the basis that the breach has resulted in injury arising out of the offense of an “oral or written publication, in any manner, of material that violates a person’s right of privacy.”1 The issue that then arises is whether there has been a “publication” and, if so, the connection to a violation of a “right of privacy.”

In Netscape Communications Corp. v. Federal Insurance Co.,2 Netscape and its parent company, AOL, sought coverage for multiple lawsuits commenced by users of Netscape’s SmartDownload software, who alleged that their right to privacy had been violated because the software had provided Netscape with “information about users’ internet activities,” which Netscape and AOL used for targeted advertising.3 In the coverage action, the insurer argued that the underlying claims did not involve an “oral or written publication … of material that violates a person’s right of privacy” because AOL and Netscape were related entities who had shared consumer information only with each other.4

The District Court for the Northern District of California held that a “personal injury offense” had been alleged because Netscape had “made known” the consumers’ private information to employees of AOL and Netscape, because files were circulated among employees of the insureds, and because “any person” meant “any person,” regardless of whether that person was a related entity. Significantly, although an insured may be able to satisfy the threshold issue of a publication, an exclusion may nonetheless preclude coverage. A standard provision in many CGL policies, including Netscape’s policy, is an exclusion for online activities.5

Seema A. Misra is a litigation partner with Stroock & Stroock & Lavan LLP who represents clients in a wide variety of business disputes before state and federal courts, as well as arbitral tribunals. Lauren V. DiLeonardo is an associate at the firm. The authors can be reached at smisra@stroock.com and ldileonardo@stroock.com, respectively.


The issue of publication will soon be addressed again in the well-publicized case of Zurich American Insurance Co., et al. v. Sony Corp. of America, et al., pending in New York state court. In April 2011, computer hackers gained access to the personal identification and financial information of thousands of customers using the Sony Online Entertainment Network and the Sony PlayStation Network, forcing those networks to go offline for a period of time while the breach was corrected.6 Sony’s customers filed dozens of putative class actions, alleging that Sony had violated privacy rights and negligently failed to protect their personal information.7

After Sony requested defense and indemnification, the insurers sought a declaration that they had neither a duty to defend nor a duty to indemnify Sony. Although the insurers alleged that Sony had established neither “property damage” nor “personal and advertising injury,”8 Sony’s recent motion for partial summary judgment focuses on whether there had been a “personal and advertising injury.”9 In that motion, Sony argues that the class actions allege that consumers lost sensitive personal and financial information, and that their information was “published” because it was placed “in the hands of cyber criminals” who could “use the information to commit credit fraud,” which could result in an obligation to pay damages.10 Zurich has yet to file a response. However, possible arguments that may be raised include whether customer information obtained by a hacker can be said to have been “published” and whether customers who put their information online have a right to privacy.

Property Damage

Attacks on electronically stored data also often result in claims that the data breach caused damage to hardware and software. CGL policies provide coverage if there has been “property damage,” which is often defined as either “physical injury to tangible property” or the “loss of use of tangible property that is not physically injured.”11 The question of whether losses stemming from damage to a computer network, electronic data and/or software are covered often turns on whether the damage is held to be “physical” and “tangible.”

For example, in America Online, Inc. v. St. Paul Mercury Ins. Co.,12 America Online (“AOL”) was faced with numerous class actions alleging that its AOL 5.0 software caused damage to, and loss of use of, customers’ “computers, computer data, software and systems.”13 AOL’s claim under its CGL policy was denied, with the insurer arguing that it had no duty to defend because the underlying lawsuits did not allege either “physical damage to tangible property” or “loss of use of tangible property.”14 In the subsequent coverage action, the District Court for the Eastern District of Virginia held that “computer data, software and systems” are not “tangible property” because the underlying claims went “to the ‘brains’ of the computer, not its physical make-up….”15 However, the court also held that “loss of use of tangible property” had been alleged because computers themselves constitute “tangible property.”16 The Fourth Circuit affirmed both holdings, finding (i) that damage to computer software is not damage to “tangible property” because “tangible” means “capable of being touched”17 and (ii) that the “loss of use” of computers constituted “loss of use of tangible property....”18

Significantly, some courts have come out the other way, finding that loss of or damage to electronic data constituted “physical” loss or damage even though data cannot be touched.19

In short, each policy must be examined individually, and exclusions may come into play even if the definition of property damage is satisfied. For example, many CGL policies written in the last decade contain an exclusion for damages arising out of the loss of use of, or damage to, electronic data.

Increasing Regulation of the Cyber World

Although there may have been a time when certain data breaches went unreported, federal and state regulations now increasingly obligate companies to report data breaches. The following is an analysis of some of these statutes and regulations, which are indicative of the wide range of entities that are impacted by such laws.

The Health Insurance Portability and Accountability Act of 1996

The privacy and security of patient health care information is protected by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which regulates health care providers, health insurers and contractors and subcontractors that receive patient information.20 HIPAA authorizes the Department of Health and Human Services (“HHS”) to promulgate privacy standards for patients’ health care data. To that end, HHS promulgated (i) the HIPAA Privacy Rule,21 which protects the privacy of “individually identifiable health information”; (ii) the HIPAA Security Rule,22 which sets national standards for the security of “electronic protected health information”; and (iii) the HIPAA Breach Notification Interim Final Rule,23 which requires entities to provide notification following a breach of “unsecured protected health information.” As recently as January 2013, HHS modified the HIPAA Privacy Rule and HIPAA Security Rule to “strengthen the privacy and security protection for individuals’ health information” and modified the Breach Notification Interim Final Rule.24

As amended, the HIPAA Rules together require “covered entities” to notify affected patients, and their “business associates” to notify the covered entity, of the “impermissible use or disclosure” of “protected health information” unless it is demonstrated that there is a “low probability that the protected health information has been compromised.”25

In evaluating whether notification is required, “covered entities” and “business associates” should consider the following factors: “(1) [t]he nature and extent of the protected health information involved … (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed and (4) the extent to which the risk to the protected health information has been mitigated.”26

If notification is required under the rules, patients must be notified “without unreasonable delay but in no case later than 60 calendar days from the discovery of the breach....”27 The notification must include a brief description of what happened, the types of patient data that were lost, steps that patients should take to protect their identity, a description of “what the covered entity involved is doing to investigate the breach” and protect against further harm, and contact information patients can use to learn more.28 Applicable civil penalties are tiered according to the organization’s degree of culpability, with an annual maximum of $1.5 million for all violations of an identical provision.29

The Gramm-Leach-Bliley Act / FTC Rules

Section 504 of the Gramm–Leach–Bliley Act (the “GLB Act”) required the Federal Trade Commission (“FTC”) and other federal regulatory agencies to issue regulations “implementing notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers to nonaffiliated third parties.”30 In accordance with the GLB Act, the FTC promulgated the Privacy Rule and the Safeguards Rule.

The Privacy Rule requires financial institutions to give their customers a “clear and conspicuous” written notice describing how they collect, disclose and protect “nonpublic personal information” about customers. Unless certain exceptions apply, financial institutions must also give consumers notice of their right to “opt out” in the event that those institutions share customers’ “nonpublic personal information” with non-affiliated third parties.31

Under the Safeguards Rule, financial institutions must implement measures to keep customer information secure.32 Specifically, institutions must develop a written “information security plan” that identifies and evaluates risks to customer information and “design[s] and implement[s] a safeguards program, and regularly monitor[s] and test[s] it.”33

FISMA

The Federal Information Security Management Act of 2002 (“FISMA”) protects the security of information maintained by U.S. federal government agencies (in the executive or legislative branches), or by contractors or other organizations acting on their behalf. Under FISMA, the National Institute of Standards and Technology (“NIST”) creates security standards and guidelines that each agency must implement.34 In addition, FISMA establishes a central federal information security incident center to, among other things, “provide timely technical assistance to operators of agency information systems,” “compile and analyze information about incidents that threaten information security” and consult with NIST.35

Under FISMA, agencies are required to develop “procedures for detecting, reporting and responding to security incidents....”36 Agencies must have a plan to minimize the damage when a breach occurs,37 and to notify the federal information security incident center after an incident occurs.38 Agencies must also develop a plan to notify law enforcement agencies, the Office of the Inspector General and other agencies that the President directs to oversee security breaches.39

The Cybersecurity Act of 2012 and Executive Order 13,636

Although the Cybersecurity Act of 2012 (“Cybersecurity Act”) was not passed, the bill reflects the increasing public interest in establishing a nationwide cybersecurity framework. The Cybersecurity Act would have created a comprehensive security framework for entities considered to provide critical infrastructure, such as power plants and financial institutions.40 The Cybersecurity Act also would have established the National Cybersecurity Council, which would have performed risk assessments, including determining which private entities were considered critical infrastructure, and developed a voluntary cybersecurity program for owners of such critical infrastructure.41 To encourage participation from private owners, participating entities would have been “entitled to benefits such as liability protection from any punitive damages arising from an incident related to a cybersecurity risk where the owner is in substantial compliance with the cybersecurity practices at the time of the incident.”42 In conjunction with industry groups, the Council also would have developed cybersecurity “best practices.”43

In February 2013, President Obama issued Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity.44 Like the Cybersecurity Act, Executive Order 13,636 endeavors to create a public-private program to encourage adoption of improved cybersecurity practices.45 The Executive Order mandates creation of incentives for owners of critical infrastructure and other interested entities to join a Voluntary Critical Infrastructure Cybersecurity Program.46 These incentives are not specified in the Executive Order, however, so it is unclear whether any liability protection incentives will be similar to those provided for in the Cybersecurity Act.

State Regulations

At the state level, all but four states have passed data breach notification laws, which require private, and, in some instances, public entities47 to report the theft or unintentional disclosure of private information, such as social security numbers and credit card numbers.48 Although there are variations among these laws, most states require notice of a data breach to be issued promptly, either electronically or in writing, to those whose information has been compromised by the breach, and provide alternatives if the breach affects more than 500,000 people or notice would cost more than $250,000.49 Most states also require that notice be given to either the state Attorney General or credit reporting agencies if the breach involves a certain number of data records.50 It is also common for state data breach laws to impose daily fines on any entity that fails to provide the requisite notice.51 Significantly, state laws vary with respect to whether they create a private right of action for victims of a data breach.52

Conclusion

In an electronic age, no company is immune from cyber risk. Companies considering whether to purchase cyber liability insurance should consider that there may not be coverage under their CGL policies for the losses imposed by a data breach. In assessing the risk of a cyber attack, both insurers and insureds should consider the obligations imposed by the wide variety of federal and state regulations applicable in the event of a data breach.

1. Section V(14)(e), Commercial General Liability Coverage Form, ISO Properties, Inc.
2. Netscape Communications Corp. v. Federal Ins. Co., 2007 WL 2972924 (N.D. Cal. Oct. 10, 2007), aff’d in part, rev’d in part, 343 Fed. Appx. 271 (9th Cir. 2009).
3. Id. at *1.
4. Id. at *5.
5. Id. at *6. The district court found that the insurer had no duty to defend because the policy had an exclusion for “online activities.” The Ninth Circuit affirmed the holding that the underlying claimants had alleged a “personal injury offense.” However, the Ninth Circuit reversed the district court based on its finding that the “online activity” exclusion did not preclude coverage because AOL did not use the SmartDownload software to provide internet access to third parties.
6. Complaint for Declaratory Judgment ¶¶ 24-26, Zurich Am. Ins. Co., et al. v. Sony Corp. of America, et al., No. 651982/2011 (Sup. Ct. N.Y. County July 20, 2011).
7. Sony’s Memorandum of Law in Support of Motion for Partial Summary Judgment Declaring that Zurich and Mitsui Have Duty to Defend, dated May 10, 2013 (“Sony’s SJ Brief”), at 5-7.
8. Id. ¶ 76.
9. Sony’s SJ Brief at 4.
10. Sony’s SJ Brief at 16-17.
11. Cite.
12. America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459 (E.D. Va. 2002), aff’d, 347 F.3d 89 (4th Cir. 2003).
13. Id. at 461.
14. Id. at 464.
15. Id. at 469.
16. Id. at 470. Although the definition of “property damage” was satisfied, the court found there was no coverage based on the “impaired property exclusion,” which excluded coverage where there is injury to a third party resulting from the incorporation of the insured’s faulty product.
17. America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 94-95 (4th Cir. 2003).
18. Id. at 98. Like the district court, the Fourth Circuit found that the impaired property exclusion barred coverage for claimants’ “loss of use” of the computers because the exclusion precluded coverage for “loss of use” claims made by plaintiffs whose property was “not physically damaged by the insured’s defective product.”
19. Landmark American Ins. Co. v. Gulf Coast Analytical Labs, Inc., 2012 U.S. Dist. LEXIS 45184 (M.D. La. March 30, 2012) (finding that loss of electronic data constituted “physical loss or damage” because “tangibility is not a defining quality of physicality”); American Guaranty & Liability Ins. Co. v. Ingram Micro, Inc., 2000 WL 726789, at *2 (D. Ariz. Apr. 18, 2000) (finding that “‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.”).
20. See Press Release, U.S. Department of Health & Human Services, New Rule Protects Patient Privacy, Secures Health Information (January 17, 2013), available at http://www.hhs.gov/news/press/2013pres/01/20130117b.html.
21. The HIPAA Privacy Rule is located at 45 C.F.R. Part 160 and Subparts A and E of Part 164.
22. The HIPAA Security Rule is located at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
23. The HIPAA Breach Notification Interim Final Rule is located at 74 Fed. Reg. 42740. It was issued in August 2009 with a request for public comment and implemented provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which was passed as part of the American Recovery and Reinvestment Act of 2009. Id.
24. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566-01 (Jan. 25, 2013).
25. Id. at 5641-5642.
26. Id.
27. 45 C.F.R. § 164.404(b).
28. 45 C.F.R. § 164.404(c).
29. 78 Fed. Reg. 5566-01; 45 C.F.R. § 160.404.
30. 16 C.F.R. Part 313. The GLB Act defines “financial institutions” to be all institutions covered by Section 4(k) of the Bank Holding Company Act, including anyone “significantly engaged” in lending or exchanging money or securities, loan brokers and servicers, debt collectors and others. See How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, Federal Trade Commission, available at http://business.ftc.gov/documents/bus67-how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act.
31. Id.
32. Id.
33. Id.
34. FISMA FAQs, National Institute of Standards and Technology, http://csrc.nist.gov/groups/SMA/fisma/faqs.html.
35. 44 U.S.C. § 3546(a)(1)–(2).
36. 44 U.S.C. § 3544(b)(7).
37. 44 U.S.C. § 3544(b)(7)(A).
38. 44 U.S.C. § 3544(b)(7)(B).
39. 44 U.S.C. § 3544(b)(7)(C).
40. Summary, The Revised Cybersecurity Act of 2012, S. 3414, senate.gov, http://www.hsgac.senate.gov/download/summary-of-revised-cybersecurity-act-of-2012-s-3414.
41. Id.
42. Id. at 2.
43. Id.
44. Exec. Order 13,636, available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.
45. Exec. Order 13,636 at Sec. 8.
46. Exec. Order 13,636 at Sec. 8(d).
47. For example, New York General Business Law § 899-aa applies to businesses, and New York State Technology Law § 208 regulates state entities.
48. Only Alabama, Kentucky, New Mexico and South Dakota lack data breach notification laws. State Security Breach Notification Laws, Nat’l Conf. of State Legislatures (Aug. 20, 2012), http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx.
49. See, e.g., N.Y. Gen. Bus. Law § 899-aa(2) and (5); Cal. Civ. Code § 1798.29(a), (d) and (j)(1)–(3); Tex. Bus. & Com. Code § 521.053(h), (e) and (f); Fla. Stat. § 817.5681(6). It should be noted that Texas’s data breach notification law only requires notification of (i) victims who are Texas residents and (ii) victims who are residents of states that do not have their own data breach notification laws. Tex. Bus. & Com. Code § 521.053(b-1).
50. N.Y. Gen. Bus. Law § 899-aa(8); Cal. Civ. Code § 1798.29(e); Tex. Bus. & Com. Code § 521.053(h); Fla. Stat. § 817.5681(12).
51. N.Y. Gen. Bus. Law § 899-aa(6); Tex. Bus. & Com. Code § 521.151(a); Fla. Stat. § 817.5681(1)(b)(1), (10)(b).
52. In New York and Texas, data breach laws do not create a private right of action, but the state Attorney General may bring suit on behalf of victims of a data breach. N.Y. Gen. Bus. Law § 899-aa(6)(a); Tex. Bus. & Com. Code § 521.151(a). In Florida, the law does not create a private right of action, but the Department of Legal Affairs is authorized to assess and collect fines. Fla. Stat. § 817.5681(11). California law creates a private right of action for victims. Cal. Civ. Code § 1798.84(b).
