The following article is from National Underwriter’s latest online resource, FC&S Legal: The Insurance Coverage Law Information Center.

HOW TO SECURE DATA BREACH COVERAGE

November 26, 2013

Roberta D. Anderson

Roberta D. Anderson, a partner in the Pittsburgh office of K&L Gates LLP, concentrates her practice in insurance coverage litigation and counseling. She has represented policyholders in connection with a wide range of insurance issues and disputes arising under almost every kind of insurance coverage, including general liability, commercial property and business interruption, “cyber”-liability, directors and officers, errors and omissions (“E&O”), technology E&O, professional liability, employment practices liability, political risk, environmental, fidelity, fiduciary, crime, terrorism, residual value, nuclear, and other insurance coverages, and in broker liability disputes. She can be reached at roberta.anderson@klgates.com.

***

“Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked.”[1] Hardly difficult to believe given the daily reports of serious data breaches and other types of cyber incidents – perhaps most recently the Adobe data breach that reportedly affected at least 38 million users[2] and has already precipitated a putative class action.[3] Verizon’s recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage.”[4] And as the number of breaches and other cyber incidents increases, the costs are also increasing. In a very recent 2013 Cost of Cyber Crime Study, published October 2013, the Ponemon Institute reported that the mean annualized cost of cyber crime per U.S. organization “is $11.6 million per year, with a range from $1.3 million to $58 million each year per company” – this represents a whopping 26% increase from last year.[5] For a single data breach, Ponemon reports that the average U.S. organizational cost is $5,403,644 – with $565,020 spent on post-breach notification alone.[6] Importantly, the numbers do not include “data breaches in excess of 100,000 [records] because they … would skew the results.”[7] Yet the incidence of large-scale breaches is on the rise – as illustrated by the recent Adobe breach.

There is, however, a positive facet in the face of daunting facts: organizations facing a data breach (or other cyber incident) may have valuable insurance coverage. The following five tips will help organizations to secure that coverage.

#1. Look to “Cyber”/Privacy Insurance

More and more organizations are purchasing so-called “cyber” insurance.[8] For those organizations that have purchased “cyber” insurance, the data breach/privacy coverage aspect of cyber insurance has been driving the market and should respond to cover organizations for their exposure relating to a spectrum of issues typically confronting organizations in the wake of a data breach incident. Many policies, for example, provide defense and indemnity coverage for lawsuits arising out of a data breach.
By way of example, the AIG Specialty Risk Protector® specimen policy[9] states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.”[10] “Privacy Event” includes, among other things, “any failure to protect Confidential Information (whether by ‘phishing,’ other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation ….”[11] “Confidential Information” is defined to include, among other things, “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, social security number, account relationships, account numbers, account balances, account histories and passwords” and information protected by Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act.[12]

Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com ©2013. All Rights Reserved.

In addition to providing defense and indemnity coverage in connection with lawsuits arising out of a data breach, many “cyber” policies respond to regulatory investigations. By way of example, the AIG Specialty Risk Protector® specimen policy defines a “Claim” that triggers coverage to include “a Regulatory Action,” which in turn is defined as “a request for information, civil investigative demand or civil proceeding brought by or on behalf of a governmental agency….”[13]

Importantly, “cyber” policies also typically provide coverage for costs and expenses associated with “crisis” or “event” management in the wake of a data breach incident, including, for example, breach notification, credit monitoring and counseling services, public relations efforts and forensics to determine the cause and scope of a breach.
By way of example, the AIG Specialty Risk Protector® specimen policy covers “all Loss … that an Insured incurs solely as a result of an alleged … Privacy Event”[14] and defines “Loss” to include the following “reasonable and necessary expenses”:

    (1) to conduct an investigation (including a forensic investigation) to determine the cause of the Security Failure or Privacy Event;
    (2) for a public relations firm, crisis management firm or law firm agreed to by the Insurer to advise an Insured on minimizing the harm to such Insured, including, without limitation, maintaining and restoring public confidence in such Insured;
    (3) to notify those whose Confidential Information is the subject of the Security Failure or Privacy Event and advise of any available remedy in connection with the Security Failure or Privacy Event, including, without limitation, those expenses and costs for printing, advertising and mailing of materials;
    (4) for identity theft education and assistance and credit file or identity monitoring;
    (5) for any other services approved by the Insurer at the Insurer’s sole and absolute discretion;
    (6) to restore, recreate or recollect Electronic Data; or
    (7) to determine whether Electronic Data can or cannot be restored, recollected or recreated.[15]

There are numerous specialty “cyber” products on the market, sold by over thirty insurers, that provide coverage for data breaches and other types of “cyber” risks, including liability and exposure arising out of the transmission of malicious code, denial of third-party access to the insured’s network, media liability (for claims alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first-party asset management coverage (covering, for example, damage to, loss of use of, or theft of the insured’s own computer systems and data), network/supply chain interruption (covering business interruption and extra expense caused by network security incidents) and cyber extortion.

#2. Think Through General Liability Coverage

While some companies carry specialty “cyber” insurance policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of “traditional” or “legacy” insurance policies that may cover cyber risks, including Insurance Services Office, Inc. (“ISO”)[16] standard-form commercial general liability (“CGL”) policies. There may be significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy.

For example, there is significant potential coverage under the “Personal And Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”[17] “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”[18] Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy” – both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging breach of privacy laws and regulations.[19]

There may also be coverage under the “Bodily Injury And Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”[20] Although there is little, if any, case law to date addressing whether claims arising from data breaches allege “bodily injury,” this potential source of coverage should not be ignored, as case law and/or the specific policy language may support an argument that “bodily injury” includes emotional harm resulting from, for example, concerns over identity theft.

#3. Consider Other Insurance, Including D&O, E&O & Crime Policies

It is important not to overlook other types of “traditional” or “legacy” insurance policies that may respond to cyber risks. For example, there may be coverage under directors’ and officers’ (“D&O”) policies if, for example, a data security breach impacts a company’s stock price and thereby precipitates shareholder litigation.
Coverage also may be available under professional liability or errors and omissions (“E&O”) policies, which generally cover “wrongful acts” committed in the insured’s performance of “professional services” as defined in the policy. In addition, many companies have various types of crime coverage, including fidelity insurance, which may cover cyber risks and losses. Such policies often expressly include computer fraud, such as the transfer of money or securities to an outside location. Addressing the question of coverage under a crime policy, the Sixth Circuit recently confirmed that an insured retailer was covered under the computer fraud rider of its blanket crime policy for more than $6.8 million in stipulated losses associated with a data breach that compromised customer credit card and checking account information.[21]

In the event of a data breach, companies are advised to provide prompt notice under all potentially implicated policies, except in particular circumstances that may justify refraining from doing so.

#4. Don’t Take “No” For An Answer

Unfortunately, even where there is a good claim for coverage under the policy language and applicable law, insurers can be expected to argue that data breaches and other “cyber” risks are not covered under CGL or other “traditional” or “legacy” insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure coverage if they effectively pursue their claim for coverage. Some recent decisions underscore this reality, including a very recent data breach decision, in which a California federal court upheld coverage under a CGL policy for a hospital data breach that compromised the confidential medical records of nearly 20,000 patients. In that case, Hartford Casualty Insurance Company v. Corcino & Associates et al.,[22] the plaintiffs in two underlying class action lawsuits sought, among other relief, statutory damages of $1000 per person under the California Confidentiality of Medical Information Act and statutory damages of up to $10,000 per person under the California Lanterman Petris Short Act. Notwithstanding an express exclusion for “Personal And Advertising Injury …. [a]rising out of the violation of a person’s right to privacy created by any state or federal act,”[23] the court upheld coverage, including for the statutory damages, noting that “medical records have been considered private and confidential for well over 100 years at common law”[24] and finding that “[t]he statutes … permit an injured individual to recover damages for breach of an established privacy right, and as such, fall squarely within the Policy’s coverage.”[25]

The Corcino decision underscores that, notwithstanding a growing prevalence of exclusions purporting to limit coverage for data breach and other privacy-related claims, there may yet be valuable privacy and data breach coverage under “traditional” or “legacy” policies that should not be overlooked.

#5. Be Proactive

The time to think about potential data breach coverage – and coverage for myriad other “cyber” risks – is before a hack, a breach, or other cyber incident is discovered. In thinking about potential coverage, it is important to note that, in response to decisions upholding coverage for data breach, privacy, network security and other “cyber” risks, the insurance industry has added various limitations and exclusions purporting to cut off the “traditional” or “legacy” lines of coverage.[26] Most recently, ISO filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014.
By way of example, one of the endorsements, entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to Coverage B:

    This insurance does not apply to:

    Access Or Disclosure Of Confidential Or Personal Information

    “Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

    This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.[27]

There are similar exclusions applicable to Coverage A.

Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for companies to carefully consider specialty “cyber” insurance products. And, as noted, even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. Organizations are advised to take a proactive approach and review “traditional” or “legacy” policies, including CGL, D&O, E&O, crime and commercial property policies, to identify what coverage the organization may currently have for data breach liability and other “cyber” risks. Once an organization understands its current insurance program, it will be well positioned to approach the “cyber” insurance market to fill potential gaps in coverage.
It is important, however, that organizations embrace a team approach when purchasing “cyber” insurance. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, human resources, treasury and compliance personnel – and experienced insurance coverage counsel. Cyber insurance coverages can be extremely valuable, but the terms and conditions must be analyzed carefully to ensure that the coverage provided meets the organization’s potential exposures and to ensure that important facets of coverage are not vitiated.

[1] Nicole Perlroth, The Year in Hacking, by the Numbers, BITS blog, The New York Times (Apr. 22, 2013), available at http://bits.blogs.nytimes.com/2013/04/22/the-year-in-hacking-by-the-numbers/.
[2] Gareth Halfacree, Adobe data breach far worse than first claimed (Nov. 5, 2013), available at http://www.bit-tech.net/news/bits/2013/11/05/adobe-breach-2/1.
[3] See Halpain et al. v. Adobe Systems, Inc., No. 5:13-cv-05226 (N.D.C. filed Nov. 11, 2013).
[4] Verizon, 2013 Data Breach Investigations Report, at 1 (2013).
[5] Ponemon Institute, 2013 Cost of Cyber Crime Study: United States, at 5 (Oct. 2013).
[6] Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, at 5, 16 (May 2013).
[7] Id. at 1.
[8] See Marsh, Benchmarking Trends: More Companies Purchasing Cyber Insurance (Mar. 14, 2013).
[9] See AIG Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Security and Privacy Coverage Section.
[10] Id. Section 1.
[11] Id. Section 2.(j)(1).
[12] Id. Section 2.(d).
[13] Id. Section 2.(b, l).
[14] Id., Event Management Coverage Section, Section 1.
[15] Id. Section 2.(h).
[16] ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.
[17] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.
[18] Id. §14.e.
[19] See, e.g., Netscape Commc’ns Corp. v. Federal Ins. Co., 343 Fed.Appx. 271 (9th Cir. 2009), aff’g 2007 WL 1288192 (N.D. Cal. Apr. 27, 2007) (upholding coverage for claims alleging that the insured’s “SmartDownload” software violated the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act by, among other things, “collecting, storing, and disclosing … claimants’ Internet usage,” which was “used … to create opportunities for targeted advertising”).
[20] ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §§1.a., 1.b.(2).
[21] Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (predicting Ohio law).
[22] No. CV 13-3728 GAF (JCx), Minutes (In Chambers) Order Re: Motion To Dismiss (Oct. 7, 2013); see also Roberta D. Anderson, Recent California Decision Holds That Privacy / Data Breach Liability Covered Under “Traditional” Insurance Policy, K&L Gates LLP Insurance Coverage Alert (Oct. 18, 2013), available at http://www.klgates.com/recent-california-decision-holds-that-privacy--data-breach-liability-covered-under-traditional-insurance-policy10-18-2013/.
[23] Hartford’s First Amended Complaint For Declaratory Relief, filed on June 18, 2012, at ¶ 20.
[24] Corcino, No. CV 13-3728 GAF (JCx), at 6-7.
[25] Id. at 7.
[26] See Roberta D. Anderson, ISO’s Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider “Cyber” Insurance, Law360 (Sept. 23, 2013), available at http://www.law360.com/articles/473886/yet-another-reason-to-consider-cyber-insurance.
[27] CG 21 08 05 14 (2013).

ABOUT THE AUTHOR

Roberta D. Anderson is a partner in the Pittsburgh office of K&L Gates LLP, a law firm that regularly represents policyholders in insurance coverage disputes. The opinions expressed in this article are those of the author, and should not be construed as necessarily reflecting the views of her law firm, or the firm’s clients, or as an endorsement by the law firm or the law firm’s clients of any legal position described herein. Ms. Anderson can be reached at Roberta.Anderson@klgates.com.