Home Page The Publication The Editor Contact Information Insurance Key issues Book Subscribe


Vol. 2, Iss. 22
November 27, 2013

 

CGL Coverage For Cyber
And Data Breach Claims

Recent Decision And Article Are Worthy Of Note


The insurance industry is abuzz these days over protection against the risks of cyber liability – especially data breaches. Think of a computer network that has been hacked or somehow failed, with the result being customers’ personal information, which should have been confidential (credit card, medical, social security, etc.), now being revealed in some manner.

The internet is overflowing with reports and articles, from insurers and brokers, that describe various examples of data breaches, loss of personal identification information and many other types of cyber risks that businesses face, as well as what their financial consequences could be. There is a trove of information out there. And not all of it is consistent.

Insurance Services Office, Inc. does not believe that such cyber claims should be covered under a commercial general liability policy. It is for this reason that ISO recently filed data breach exclusions for certain of its policies.

But it can’t be ignored that, under a CGL policy, coverage is provided for personal and advertising injury, which is defined, in part, as the offense of an oral or written publication, in any manner, of material that violates a person’s right of privacy. Data breach + personal information being revealed = no surprise that attempts have been made, and will continue to be made, to obtain coverage, for such losses, under a provision that addresses violation of the right of privacy. So until specialty cyber policies or ISO’s data breach exclusions are widespread, efforts will be made by companies to find coverage for cyber losses under the policies that they do have at their disposal, namely, commercial general liability.

For an excellent article, recently published, addressing policyholders’ pursuit of coverage for data breaches under non-cyber policies, check out Roberta Anderson’s (K&L Gates, LLP) November 19th piece on Law360 – “Some Traditional Insurance Policies May Cover Data Breach.” Ms. Anderson sums it up like this: “While some companies carry specialty ‘cyber’ insurance policies that are specifically designed to afford coverage for data breaches and other cyber risks, most companies have various forms of ‘traditional’ insurance policies that may cover various types of cyber risks, including CGL, D&O, E&O, property and crime policies, among others. Insureds that refuse to take no for an answer may be able to secure valuable coverage if they effectively pursue their claim for coverage.”

Given the inevitability that cyber and data breach claims will be made under CGL policies, and even if these are square peg and round hole follies, attention should be paid to all decisions these days that address CGL coverage (“personal and advertising injury”) for oral or written publication of material that violates a person’s right of privacy. These are the decisions that are going to be looked at when companies are pursuing coverage for data breach under CGL policies.

Clearly some of these decisions will have more potential relevance to cyber claims than others. A recent one, that may have relevance, is Maxum Indemnity Company v. Eclipse Manufacturing Co., No. 06 C 4946 (N.D. Ill. Nov. 12, 2013). Eclipse is a TCPA [Telephone Consumer Protection Act] (junk fax) coverage case and has nothing at all to do with cyber or data breach. [It occurred to me that these days I see more junk fax coverage cases than I receive actual legitimate faxes.]

Eclipse addressed several legal and practical issues surrounding coverage for a significant TCPA settlement. Of potential relevance to the cyber or data breach world is the court’s conclusion that the TCPA, in addition to individuals, protects a corporation’s or other business entity’s interest in seclusion. It reached this conclusion on the basis that the TCPA makes no distinction among individuals, corporations or other business entities.

If there is a data breach it is very likely that private information of individuals will be compromised more than that of corporations. But corporate information is also surely unlikely to be immune from disclosure. The Eclipse court’s decision, that corporations or other business entities can sustain a privacy-related injury, makes it the type of case that could prove relevant, at some point, in the context of CGL coverage for a data breach claim. It also may amount to nothing. But the point is that, going forward, all CGL privacy coverage cases should be looked at with an eye toward their potential relevance to cyber and data breach claims.

 
 
 
Website by Balderrama Design Copyright Randy Maniloff All Rights Reserved