VIRUSES, TROJANS, AND SPYWARE, OH MY! THE YELLOW BRICK ROAD TO COVERAGE IN THE LAND OF INTERNET OZ

Roberta D. Anderson

Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2), at 529

Contents

I. We’re Not in E-Kansas Anymore ..... 531
   A. Cyber Criminals Seize the Day—and the Data ..... 535
   B. Cyber Attack Costs Are on the Rise ..... 539
II. The Yellow Brick Road to Coverage ..... 542
   A. Yellow Bricks and Mortar: Traditional Insurance Coverages ..... 542
      1. Potential Coverage Under Commercial General Liability Policies ..... 543
         a. Data Breach Claims and Other Claims Alleging Privacy Violations ..... 543
            i. Coverage B “Publication” That Violates a “Right of Privacy” ..... 545
            ii. Potential Coverage Under Coverage A for “Bodily Injury” ..... 555
            iii. Recent Data Breach Decisions ..... 557
               (a) Corcino ..... 557
               (b) Recall Total ..... 560
               (c) Sony ..... 562
            iv. ISO’s New Data Breach Exclusions ..... 564
         b. Claims Alleging DDoS Attacks, Malware Transmission and Other Claims Alleging Damage to, or Loss of Use of, Third-Party Data, Computers, or Computer Systems ..... 567
         c. “Cyber”-Related Infringement Claims ..... 575
      2. Potential Coverage Under Property Policies ..... 578
         a. Injury to Computers, Data, Networks, and Components ..... 578
         b. Business Interruption and Extra Expense ..... 580
         c. Contingent Business Interruption and Service Interruption ..... 584
      3. Potential Coverage Under Other “Traditional” Policies ..... 589
   B. Filling Potential Gaps in the Road: Specialty “Cyber” Policies ..... 591
      1. Third-Party “Cyber” Coverages ..... 594
         a. Privacy and Network Security ..... 594
         b. Media Liability ..... 600
         c. Regulatory Liability ..... 602
      2. First-Party “Cyber” Coverage ..... 603
         a. Remediation/Crisis Management ..... 603
            i. Notification and Credit Monitoring ..... 603
            ii. Forensic Investigation ..... 604
            iii. Crisis Management ..... 604
            iv. Public Relations ..... 605
         b. Information Asset Coverage ..... 605
         c. Network Interruption and Extra Expense ..... 606
         d. Extortion ..... 607
      3. Beware the Fine Print ..... 608
III. Conclusion ..... 610

Roberta D. Anderson (roberta.anderson@klgates.com) is a partner in the Pittsburgh office of K&L Gates LLP. The opinions expressed in this article are those of the author and should not be construed as necessarily reflecting the views of her law firm or its clients, or as an endorsement by the firm or its clients of any legal position described herein. Neither the author, the Tort Trial & Insurance Practice Section, nor the American Bar Association endorses any particular form policy language cited to in this article. This article is a substantially updated version of an article of the same title previously published in FC&S Legal, The Insurance Coverage Law Report.

Abstract

Every company is at cyber risk. The headlines confirm the reality: cyber attacks are on the rise with unprecedented frequency, sophistication, and scale. And they are pervasive across industries and geographical boundaries. As serious cyber threats are making daily headlines, regulations surrounding data privacy and security are proliferating. With data security breaches, denial of service, and other attacks and loss of data on the rise, addressing and mitigating cyber risk is a top priority among companies across the globe. It is abundantly clear that network security alone cannot entirely address the issue of cyber risk; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s overall strategy to address, mitigate, and maximize protection against cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.” The SEC’s guidance provides another compelling reason for companies to carefully evaluate their insurance programs, evaluate what coverage already may be available under so-called traditional policies, and consider how gaps in coverage can be filled through cyber insurance products.

I. We’re Not in E-Kansas Anymore

There’s no denying that present-day Internet Oz, while extraordinary, is increasingly scary. Cyber attacks of various types continue to escalate across the globe. As FBI Director Robert Mueller has aptly stated, “there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”[1] Recent headlines are filled with reports of some of the largest data breaches in history, which have affected the world’s most sophisticated corporate giants, including Target, Michael’s, Snapchat, Facebook, Twitter, Adobe, to name just a few.[2] Cybersecurity breaches are ubiquitous. In addition to data breaches, the headlines are filled with stories of increasingly sophisticated distributed denial-of-service (DDoS) attacks, such as those launched against the largest U.S. banks in early 2013.[3] They report billions in intellectual property loss via cyber espionage.[4] The director of the National Security Agency has stated that “[t]he ongoing cyber-thefts from the networks of public and private organizations, including Fortune 500 companies, represent the greatest transfer of wealth in human history.”[5]

The headlines confirm the reality: cyber attacks are on the rise with unprecedented frequency, sophistication, and scale. They are pervasive across industries and geographical boundaries and present “an ever-increasing threat.”[6] Even though no organization is immune from cyber risk,[7] companies still may not be sufficiently aware of the escalating onslaught.[8] Even companies that are sufficiently aware of the problem might not be sufficiently prepared. It is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable. As noted by one observer: “[t]here is no fail-safe technology that is immune to hacking. Online security will evolve as hackers and security experts work continuously to outwit each other.”[9] A survey conducted by global consulting firm Towers Watson notes “the growing awareness that the increasingly sophisticated cyber-attack capabilities of hackers could require a more comprehensive protective net than a reliance on even the most capable IT staff.”[10]

Insurance can play a vital role; yet some companies may not be adequately considering the important role of insurance as part of their overall strategy to mitigate cyber risk. Although the demand for cyber insurance is increasing,[11] the Towers Watson survey notes “the sizable number of companies that do not have a liability policy in place,” which “speaks to the need for more education and a better understanding of the long-lasting financial and reputational costs that companies face if they don’t develop comprehensive risk strategies to thwart cyber-attacks.”[12] A recent study reported by the Wall Street Journal found that only 31 percent of companies have cybersecurity insurance policies,[13] and at least one commentator has opined that it may be much less.[14] On the other hand, risk managers and in-house counsel may not be aware if, and to what extent, the company already has coverage for cyber risks under its existing “traditional” insurance policies, many of which cover some form of cyber risk.

Notes

1. Robert S. Mueller, III, Director, Federal Bureau of Investigation, RSA Cyber Security Conference in San Francisco (Mar. 1, 2012), available at http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies (last visited Mar. 15, 2014).

2. See Michael P. Voelker, After “Year of the Data Breach,” Carriers Increase Capacity, Competition for Cyber Risks, PROP. CASUALTY 360 (Feb. 2, 2012), available at http://www.propertycasualty360.com/2012/02/02/after-year-of-the-data-breach-carriers-increase-ca (last visited Mar. 15, 2014).

3. See Robert Vamosi, Twenty-Six Banks Identified in Latest Malware Threat, MOCANA (Oct. 18, 2012), available at https://mocana.com/blog/2012/10/18/twenty-six-banks-identified-in-latest-malware-threat/ (last visited Mar. 15, 2014).

4. James Holley and Jeff Spivey, Prevention Is Over: Assume Your Intellectual Property Is Under Attack, WALL ST. J. (May 27, 2013), available at http://blogs.wsj.com/cio/2013/05/27/prevention-is-over-assume-your-intellectual-property-is-under-attack/ (last visited Mar. 15, 2014).

5. An Introduction by General Alexander, 19:4 NEXT WAVE (2012), available at http://www.nsa.gov/research/tnw/tnw194/article2.shtml (last visited Mar. 15, 2014).

6. PwC State of Cybercrime Survey, at 1 (June 2013), available at http://www.pwc.com/us/en/increasing-it-effectiveness/publications/us-state-of-cybercrime.jhtml (last visited Mar. 15, 2014) (hereinafter “State of Cybercrime Survey”).

7. See Here a Hack, There a Hack, Everywhere a Cyber Attack, ALL THINGS D (Feb. 4, 2013), available at http://allthingsd.com/20130204/here-a-hack-there-a-hack-everywhere-a-cyberattack/ (last visited Mar. 15, 2014) (“It’s quickly becoming clear—and the recent batch of attacks has only reinforced it—that pretty much every company under the sun is at risk.”); Richard S. Betterley, Cyber/Privacy Insurance Market Survey, BETTERLEY REP., at 7–8 (June 2013), available at http://www.irmi.com/products/store/betterley-report.aspx (last visited Mar. 15, 2014) (“there are organizations that have breaches and know it and there are organizations that have breaches and don’t know it—yet”).

8. See The Cloud Darkens, N.Y. TIMES (June 29, 2011), available at www.nytimes.com/2011/06/30/opinion/30thu1.html (last visited Mar. 15, 2014) (opining that “[c]ompanies and the government are unprepared”).

9. Id.; see also Darren Caesar, Cyber liability insurance: Don’t run a business without it, NETWORK WORLD (July 2, 2010), available at http://www.networkworld.com/news/tech/2010/070210-tech-update-1.html?page=3 (last visited Mar. 15, 2014) (“Providing adequate protection against not only rapidly evolving criminal strategies, but also human error or omission is virtually impossible.”).

10. 2013 Towers Watson Risk and Finance Manager Survey, at 2 (Apr. 2013), available at http://www.towerswatson.com/en/Insights/IC-Types/Survey-Research-Results/2013/04/2013Risk-and-Finance-Manager-Survey (last visited Mar. 15, 2014) (hereinafter “Risk and Finance Manager Survey”).

11. See Ponemon Institute, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, at 4 (Aug. 2013), available at http://www.ponemon.org/blog/managing-cybersecurity-as-a-business-risk-cyber-insurance-in-the-digital-age (last visited Mar. 15, 2014) (hereinafter “Cyber Insurance in the Digital Age”) (“Currently, less than one-third of respondents (31 percent) in this study say their organization has a cyber security insurance policy. However, among those companies that do not have a policy 57 percent of respondents say they plan to purchase one in the future.”); Benchmarking Trends: More Companies Purchasing Cyber Insurance, MARSH (Mar. 14, 2013), available at http://usa.marsh.com/NewsInsights/MarshRiskManagementResearch/ID/29870/Benchmarking-Trends-More-CompaniesPurchasing-Cyber-Insurance.aspx (last visited Mar. 15, 2014) (“The number of clients of Marsh’s FINPRO Practice purchasing cyber insurance increased 33% from 2011 to 2012”).

12. Risk and Finance Manager Survey, supra note 10, at 3; see also Ty Sagalow, A Case For Cyber Insurance, INS. THOUGHT LEADERSHIP (Sept. 22, 2013), available at http://www.insurancethoughtleadership.com/articles/a-case-for-cyber-insurance?axzz2wpA29V3t (last visited Mar. 15, 2014) (“Despite the increased attention to cyber incidents, most reports indicate only a minority of companies currently purchase cyber-insurance. According to the ‘Chubb 2012 Public Company Risk Survey: Cyber,’ 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about cyber risk. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy.”).

13. Christopher M. Matthews, Cybersecurity Insurance Picks Up Steam, Study Finds (Aug. 7, 2013), available at http://blogs.wsj.com/riskandcompliance/2013/08/07/cybersecurity-insurance-picks-up-steam-study-finds/ (last visited Mar. 15, 2014); see also Harvard Business Review Analytic Services, Meeting the Cyber Risk Challenge, at 8 (2013), available at http://www.computerweekly.com/blogs public-sector/Meeting%20the%20Cyber%20Risk%20Challenge%20-%20Harvard%20Business%20Review%20-%20Zurich%20Insurance%20group.pdf (last visited Mar. 15, 2014) (“few organizations—less than 20 percent, according to survey respondents—have purchased security and privacy insurance specifically designed to cover exposures associated with information security and privacy-related issues”) (hereinafter “Meeting the Cyber Risk Challenge”).

14. See Randy J. Maniloff, Just How Many Cyber Policies Are Floating Around Out There? (Not Nearly As Many As You Are Being Told), INS. COVERAGE ALERT (Feb. 25, 2014), available at http://www.whiteandwilliams.com/resources-alerts-Just-How-Many-Cyber-Policies-AreFloating-Around-Out-There-Not-Nearly-As-Many-As-You-Are-Being-Told.html (last visited Mar. 15, 2014).
A complete understanding of the company’s insurance program is key to maximizing protection against cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include,” among other things, a “[d]escription of relevant insurance coverage.”[15] Recent SEC comments have requested information regarding both whether the company has obtained relevant insurance coverage, as well as the amount of the company’s cyber liability insurance.[16] Since failure to make these disclosures may subject a company to enforcement actions and shareholder suits, the SEC’s guidance provides yet another compelling reason for companies to carefully evaluate their insurance programs, evaluate what coverage already may be available, and consider how gaps in coverage can be filled through specialty “cyber” risk policies.

Also highlighting the U.S. government’s appreciation of the importance of insurance, on August 6, 2013, the White House previewed a list of possible incentives to be offered to organizations that adopt the recent National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, which includes cybersecurity insurance at the top of the list.[17]

A. Cyber Criminals Seize the Day—and the Data

Over the last two years, some of the world’s most sophisticated corporate giants have fallen victim to some of the largest data breaches in history.[18] These breaches have affected the financial services sector, online gaming providers, the health care industry, marketing services firms, retailers, insurers, defense contractors, social networking sites, cloud storage providers, credit card processors—and even sophisticated security firms.[19] Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” in the past year.[20] Virtually no major industry is immune from attack.[21] The Identity Theft Resource Center (ITRC) reports that, as of March 4, 2014, some 624,493,173 records have been breached in 4,366 data breaches made public since 2005.[22] The organization further notes that “many breaches go unreported, and [ITRC is] certain that [its] ITRC Breach List underreports the problem.”[23]

The escalating cyber attacks are not limited to data breaches, of course; they also include expensive DDoS attacks,[24] such as the attacks that have targeted the financial services sector, and myriad other types of cyber threats, including attacks principally designed to destroy or corrupt data, cyber extortion, and cyber espionage.

Notes

15. SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (last visited Mar. 15, 2014). What the SEC offers as “guidance” now might soon become law. Activists and public officials are pressing the SEC to elevate its guidance to companies on the disclosure of actual breaches. In an April 9, 2013, letter to the SEC Chairman, Senate Committee on Commerce, Science, & Transportation Chairman Jay Rockefeller urged the SEC to step up the requirements on its guidance for companies to disclose information about their ability to defend against attacks on their networks. The letter states in part:

   Investors deserve to know whether companies are effectively addressing their cyber security risks—just as investors should know whether companies are managing their financial and operational risks. . . . Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cyber security efforts seriously.

See http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd8d64-8c15ba0e4e51 (last visited Mar. 15, 2014).

16. See Roberta D. Anderson & Katherine J. Blair, Five Tips to Consider When Any Public Company Might be The Next Target, Cybersecurity Risk Factors Alert (Feb. 11, 2014), available at http://www.klgates.com/five-tips-to-consider-when-any-public-company-might-be-thenext-target-02-11-2014/ (last visited Mar. 15, 2014).

17. See Roberta D. Anderson, NIST Unveils Cybersecurity Framework, Cybersecurity and Insurance Coverage Alert (Feb. 17, 2014), available at http://www.klgates.com/nist-unveilscybersecurity-framework-02-17-2014/ (last visited Mar. 15, 2014).

18. The Identity Theft Resource Center® defines a data breach as “an event in which an individual name plus Social Security Number (SSN), driver’s license number, medical record or a financial record/credit/debit card is potentially put at risk–either in electronic or paper format.” See http://www.idtheftcenter.org/id-theft/data-breaches.html (last visited Mar. 15, 2014).

19. See Ellen Messmer, The Worst Data Breaches of 2013 (So Far), CIO (Apr. 9, 2013), available at http://www.cio.com/slideshow/detail/94870 (last visited Mar. 15, 2014); Zack Whittaker, 2012: Looking back at the major hacks, leaks and data breaches, ZDNET (Dec. 17, 2012), available at http://www.zdnet.com/2012-looking-back-at-the-major-hacks-leaks-anddata-breaches_p3-7000008854/ (last visited Mar. 15, 2014); Shara Tibken, SecurID Clients Get Jitters, WALL ST. J. (June 8, 2011), available at http://online.wsj.com/news/articles/SB10001424052702304906004576371952388757620 (last visited Mar. 15, 2014); Todd McLees, 2012 Deemed the Year of the Data Breach, PKWARE (Dec. 6, 2012), available at http://www.pkware.com/Blog/2012-deemed-the-year-of-the-data-breach (last visited Mar. 15, 2014).

20. Verizon, 2013 Data Breach Investigations Report, at 1 (2013), available at http://www.verizonenterprise.com/DBIR/2013/ (last visited Sept. 17, 2013).

21. See Cass W. Christenson, Insurance Coverage Regarding Data Privacy, Cloud Computing, and Other Emerging Cyber Risks, at 1, available at 2011 WL 601376, at *1 (Feb. 2011) (“virtually every major industry is affected by data breaches”).

22. http://www.idtheftcenter.org/id-theft/data-breaches.html (last visited Mar. 15, 2014).

23. Id.; see also Don Jergler, Secret Service Agent Says Many Cyber Breaches Go Unreported, INS. J. (Mar. 7, 2014), available at http://www.insurancejournal.com/news/west/2014/03/07/322748.htm (last visited Mar. 15, 2014).

24. As is the case with data breaches, DDoS attacks occur off the front page “on a daily basis.” Jelena Mirkovic et al., Understanding Denial of Service, in INTERNET DENIAL OF SERVICE: ATTACK AND DEFENSE MECHANISMS (Aug. 12, 2005), available at http://www.informit.com/articles/article.aspx?p=386163&seqNum=5 (last visited Mar. 15, 2014).
One independent research study notes that “[c]yber risk comes in a bewildering variety of forms” including “malware and other viruses, administrative errors, incidents caused by data providers, malicious employee activity, attacks on Web applications, theft or loss of mobile devices, and internal hackers.”[25] The Ponemon Institute’s[26] 2012 Cost of Cyber Crime Study concludes that “companies expend considerable time and resources responding to a plethora of different types of attacks.”[27] According to the recent study, “[c]yber attacks have become common occurrences” with the 56 organizations involved in its survey experiencing “102 [overall] successful attacks per week and 1.8 successful attacks per company per week.”[28] The study notes that this represents an increase of 42 percent over the “successful attack experience” reflected in its prior study.[29]

The disturbing rise of cyber attacks over the past couple of years may be just the tip of the iceberg. In June 2013, the U.S. Department of the Treasury’s Office of the Comptroller of the Currency hosted a call with more than 1,000 community bankers and warned, as reported in the Wall Street Journal, that “cyber attacks overall, including on banks, increased 42% in 2012, ranging from malicious software or phishing attacks, to well-publicized denial-of-service attacks.”[30]

The problem of cyber risks is exacerbated—not only by increasingly sophisticated cyber criminals, malicious code, and other types of malware,[31] which in the case of recent DDoS attacks were described as “10 times as potent as the types of denial-of-service attacks hackers have mounted in the past”[32]—but by the trend in outsourcing of data handling, processing and/or storage to third-party vendors, including “cloud” providers. The Ponemon Institute 2011 Cost of Data Breach Study, published in March 2012, found that over 41 percent of U.S. data breaches are caused by third-party errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.”[33] Its recent 2013 Cost of Data Breach Study, published in May 2013, indicates that third-party errors also increase the average cost of a breach “by as much as $43 per record.”[34] This is very significant considering that the average cost is $188 per record.[35]

The problem also is exacerbated by the reality of the modern business world, which is full of portable devices such as cell phones, laptops, iPads, USB drives, jump drives, media cards, tablets, and other devices that facilitate the loss of sensitive information.[36] The Ponemon Institute’s recent 2013 State of the Endpoint study notes that “[o]ne of the top concerns is the proliferation of personally owned mobile devices in the workplace such as smart phones and iPads” and that “data-bearing devices pose a significant security risk to their organization’s networks or enterprise systems because they are not secure.”[37] Not only are these devices less secure (and often unencrypted), but they are often lost or left unattended in unsecured locations. A Ponemon Institute study reports that business travelers lose more than 12,000 laptops per week in U.S. airports alone.[38] Another independent study emphasizes “[t]he sheer number of ways in which data can be lost, stolen, or misappropriated.”[39] Perhaps surprisingly, negligence, including employee and third-party negligence, is about as likely to result in a data breach as a malicious attack (e.g., misplacing a laptop or tablet or opening email attachments or clicking on links from an unknown source). In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that 33 percent of the “root cause” of a data breach for United States companies is “human errors.”[40] Importantly, however, malicious attacks, which are the “most costly,”[41] are increasing.

B. Cyber Attack Costs Are on the Rise

As the incidence of cyber attacks escalates, the cost associated with attacks is also increasing. In data breach cases, for example, companies may incur substantial expenses relating to federal,[42] state,[43] and international notification requirements alone.[44] In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification.[45] Companies may face lawsuits seeking damages for invasion of privacy;[46] lost, corrupted, or stolen data; loss of use of computers or systems; misappropriation of intellectual property or confidential business information; and other claims. Even if not ultimately successful, such lawsuits can be extremely costly to defend. Companies may also face governmental and regulatory investigations, fines and penalties, damage to brand and reputation, and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Secur-

Notes

25. Meeting the Cyber Risk Challenge, supra note 13, at 1.

26. The Ponemon Institute is a prominent research institute. As described on its website, the “Ponemon Institute conducts independent research on privacy, data protection and information security policy.” http://www.ponemon.org/ (last visited Mar. 15, 2014).

27. Ponemon Institute, 2012 Cost of Cyber Crime Study: United States, at 28 (Oct. 2012), available at http://www.ponemon.org/news-2/44 (last visited Mar. 15, 2014) (hereinafter “2012 Cost of Cyber Crime Study”).

28. Id. at 1.

29. Id.; see also Ponemon Institute, Second Annual Cost of Cyber Crime Study, at 1 (Aug. 2011) (the company experienced “72 successful attacks per week and more than one successful attack per company per week”), available at http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf (last visited Mar. 15, 2014) (hereinafter “Second Annual Cost of Cyber Crime Study”).

30. Michael R. Crittenden, A Call to Arms for Banks, Regulators Intensify Push for Firms to Better Protect Against Cyberattacks, WALL ST. J. (June 14, 2013), available at http://online.wsj.com/article/SB10001424127887324049504578545701557015878.html?mod=ITP_businessandfinance_0 (last visited Mar. 15, 2014).

31. Malware has been defined as:

   Programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior. Examples include various forms of adware, dialers, hijackware, slag code (logic bombs), spyware, Trojan horses, viruses, web bugs, and worms.

US-CERT’s Control System Security Center, An Undirected Attack Against Critical Infrastructure, Case Study Series: Vol 1.2 (Sept. 2005), available at http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/CaseStudy-002.pdf (last visited Mar. 15, 2014).

32. Siobhan Gorman, Iran Renews Internet Attacks on U.S. Banks, WALL ST. J. (Oct. 17, 2012) (“These latest attacks, which investigators say are at least 10 times as potent as the types of denial-of-service attacks hackers have mounted in the past, have disrupted service at even the largest U.S. banks. The highly sophisticated computer attack is using a new cyberweapon called ‘itsoknoproblembro[.]’ ”), available at http://online.wsj.com/news/articles/SB10000872396390444592704578063063201649282 (last visited Mar. 15, 2014).

33. See Ponemon Institute, 2011 Global Cost of Data Breach Study, at 6 (Mar. 2012), available at http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-costof-data-breach-global.en-us.pdf (last visited Aug. 29, 2013) (hereinafter “2011 Global Cost of Data Breach Study”); see also State of Cybercrime Survey, supra note 6, at 5 (“Not all companies recognize that supply chain vendors and business partners such as joint ventures, strategic partnerships, and franchisees can have lower—even nonexistent—cybersecurity policies and practices, a situation that can increase cybercrime risks across any entity that partner or supplier touches.”).

34. Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, at 12 (May 2013), available at https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf (last visited Mar. 15, 2014) (hereinafter “2013 Cost of Data Breach Study”).

35. Id.

36. See Kevin P. Kalinich, AON Network Risk Insurance 2012 Update, Privacy and Security Exposures and Solutions, at 4 (“The dramatic increase in use of mobile devices by company employees presents new security threats to corporate networks. Data breaches caused by smartphones are becoming more common than lost or stolen laptops. Though companies have learned to protect their employees’ laptops through the use of full-disk encryption, mobile devices are softer targets because they are smaller, making them more vulnerable to loss or theft. And because they are generally turned ‘on,’ they are constantly vulnerable.”), available at http://www.aon.com/attachments/risk-services/Network-Security-Privacy-Risk-Insurance-2012-Update.pdf (last visited Mar. 15, 2014).

37. Ponemon Institute, 2013 State of the Endpoint, at 1 (Dec. 2012), available at http://www.ponemon.org/blog/2013-state-of-the-endpoint (last visited Mar. 15, 2014); see also Office of the National Counterintelligence Executive, Foreign Spies Stealing U.S. Economic Secrets in Cyberspace, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, at 6 (Oct. 2011), available at http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf (last visited Mar. 15, 2014) (hereinafter “ONCIX Report to Congress”) (“[T]he number of devices such as smartphones and laptops in operation worldwide that can connect to the Internet and other networks is expected to increase from about 12.5 billion in 2010 to 25 billion in 2015. This will cause a proliferation in the number of operating systems and endpoints that malicious actors such as foreign intelligence services or corrupt insiders can exploit to obtain sensitive information.”).

38. See Airport Insecurity: The Case of Missing & Lost Laptops, Ponemon Institute LLC, at 3 (June 2008), available at http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf (last visited Mar. 15, 2014).

39. Meeting the Cyber Risk Challenge, supra note 13, at 4.

40. 2013 Cost of Data Breach Study, supra note 34, at 12; see also Richard S. Betterley, Cyber Insurance 3.0: Risks, Rewards and Future Outlook, at 2 (2013), available at http://www.experian.com/innovation/business-resources/cyber-insurance-report-risks-rewards-and-futureoutlook.jsp (last visited Mar. 15, 2014) (hereinafter “Cyber Insurance 3.0”) (“Data loss can occur because of hackers, but many losses are a result of human error—such as posting or forwarding the wrong file, improperly disposing of private information, or clicking on a link.”); Cyber Insurance in the Digital Age, supra note 11, at 3 (“the most common data breaches are due to negligence or mistakes that resulted in the loss of business confidential information”); Ponemon Institute, Third Annual Benchmark Study on Patient Privacy & Data Security, at 2 (Dec. 2012), available at http://www.ponemon.org/library/third-annual-patient-privacy-datasecurity-study (last visited Mar. 15, 2014) (“[t]he primary cause of breaches in th[e] study is a lost or stolen computing device . . . followed by employee mistakes or unintentional actions . . . and third-party snafus.”). In its 2011 Cost of Data Breach Study published in March 2012, the Ponemon Institute reported that employee negligence was the root cause of 39 percent of breaches involving U.S. companies, while malicious attacks accounted for 37 percent of breaches. See 2011 Global Cost of Data Breach Study, supra note 33, at 6.

41. Malicious attacks are increasing as the root cause of most breaches. In its 2013 Cost of Data Breach Study, a reported 41 percent of breaches involving U.S. companies are caused by malicious attack, while 33 percent are caused by negligence and 26 percent by “system glitch.” See 2013 Cost of Data Breach Study, supra note 34, at 7. This is up from 37 percent reported in the prior study. See 2011 Global Cost of Data Breach Study, supra note 33, at 6.

42. There is not, as yet, any comprehensive federal data breach notification law, although certain sector specific breach notification laws are in place. For example, the Health Information Technology for Economic and Clinical Health (HITECH) Act includes a national breach notification requirement and extends the Health Insurance Portability and Accountability Act (HIPAA) to business associates. In addition to current laws, additional legislation has been introduced, including the Personal Data Privacy and Security Act of 2014 (S. 1897), the Data Security Act of 2014 (S. 1927), and the Data Breach Notification Act of 2013 (S. 1193).

43. In addition to federal statutes and regulations, forty-six states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
See National Conference of State Legislatures, “State Security Breach Notification Laws” (updated Jan. 21, 2014), available at http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx (last visited Mar. 15, 2014). At least nineteen states have introduced or are considering security breach legislation in 2014. Most of the bills would amend existing security breach laws. Kentucky’s legislation, however, would create requirements for notification of breaches in that state. Only four states—Alabama, Kentucky, New Mexico and South Dakota—do not currently have a law requiring notification of security breaches involving personal information. See http://www. ncsl.org/research/telecommunications-and-information-technology/2014-security-breachlegislation.aspx (last visited Mar. 15, 2014). 44. For an excellent discussion regarding federal, state, private, and international laws and regulations, see Peter R. Taffae & M. Damien Magnuson, What Every Insurance Professional Should Know about Network Security and Privacy Liability, IRMI White Paper (2012), available at https://www.irmi.com/forms/ssl/contactus.aspx?action=privacy (last visited Mar. 15, 2014). 45. 2013 Cost of Data Breach Study, supra note 34, at 16. 46. Although the United States does not have a universal privacy law, a number of different laws respond to different situations and types of data, such as healthcare data (HIPAA), financial data (Gramm-Leach-Bliley Act), credit information (Fair Credit Reporting Act), and unauthorized access (Computer Fraud and Abuse Act). 540 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) ity Standards.47 In addition, companies may incur significant expenses associated with retaining forensics experts; assuaging and attempting to maintain customers; and curtailing damage to reputation, including by providing credit monitoring services to affected individuals and retaining public relations consultants. 
The 2013 Target breach is a tale unto its own. Since the breach, over seventy putative class actions have been filed against Target.48 Its directors and officers face shareholder derivative litigation alleging a 10 percent or more drop in share price.49 Its executives testified on February 4, 2014, before the Senate Judiciary Committee.50 Financial institutions are now pursuing Target for reimbursement of their costs for issuing replacement credit and debit cards and compensating customers whose accounts were used fraudulently.51 The Ponemon Institute’s 2013 Cost of Data Breach Study reports that U.S. organizations spend on average $1,412,548 overall in post-breach response costs.52 The study also found that the average organizational cost of a data breach in 2012 was $188 per record for U.S. companies ($277 in the case of malicious attacks) and the average number of breached records was 28,765.53 The average total organizational cost of a data breach is $5,403,644.54 It is important to note that the study does “not include organizations that had data breaches in excess of 100,000 [records] because they are not representative of most data breaches and to include them 47. Current standards can be viewed at https://www.pcisecuritystandards.org/security_ standards/pci_dss_download.html. (last visited Mar. 15, 2014). 48. See Randy J. Maniloff, Measuring The Bull’s-Eye On Target’s Back: Lessons From The T.J. Maxx Data Breach Class Actions, COVERAGE OPINIONS ( Jan. 15, 2014), available at http://www. whiteandwilliams.com/resources-alerts-The-Bull-s-Eye-On-Targets-Back-Lessons-FromThe-TJ-Maxx-Data-Breach-Class-Actions.html (last visited Mar. 15, 2014). 49. See Kevin LaCroix, Target Directors and Officers Hit with Derivative Suits Based on Data Breach, D&O DIARY (Feb. 3, 2014), available at http://www.dandodiary.com/2014/02/articles/ cyber-liability/target-directors-and-officers-hit-with-derivative-suits-based-on-data-breach/ (last visited Mar. 15, 2014). 50. 
See Summary: Target Testifies on Massive Data Breach, WALL ST. J. (Feb. 4, 2014), available at http://blogs.wsj.com/corporate-intelligence/2014/02/04/live-target-testifies-on-massivedata-breach/ (last visited Mar. 15, 2014). 51. See John Hawes, Financial sector hit hard by data breach cleanup costs (Feb. 21, 2014), available at http://nakedsecurity.sophos.com/2014/02/21/financial-sector-hit-hard-by-databreach-cleanup-costs/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed %3A+nakedsecurity+%28Naked+Security+-+Sophos%29 (last visited Mar. 15, 2014). 52. 2013 Cost of Data Breach Study, supra note 34, at 16–17. 53. Id. at 1–2. This is slightly down from $194 per record in 2011 (and $214 per record in 2010). See 2011 Global Cost of Data Breach Study, supra note 33, at 2. The average number of breached records likewise has decreased slightly from 28,349 for U.S. companies. See id. at 5. 54. 2013 Cost of Data Breach Study, supra note 34, at 5. Other studies indicate that this number is considerably higher. See, e.g., Cyber Insurance in the Digital Age, supra note 11, at 4 (“The average financial impact of these security exploits and data breaches experienced by companies represented in this research is $9.4 million.”). Viruses, Trojans, and Spyware 541 in the study would skew the results.”55 Yet the incidents of large-scale breaches are on the rise. The 2011 high-profile attack on the Sony PlayStation Network alone was estimated to cost some $170 million.56 This does not include potential compensation to claimants. 
Some experts say that the final tally could exceed $2 billion.57 The recent Target data breach is projected to potentially exceed $1 billion.58 Putting aside liability arising from potentially compromised personally identifiable information (PII), many companies have care, custody, or control of third-party company-confidential information, such as a third party’s intellectual property, trade secrets, business plans, customer lists, market information, and any other items of information not available to the general public. A data breach that compromises such information can subject a company to liability. Even in cyber attack cases in which sensitive information is not actually or potentially compromised, a company may face liability to third parties if its network becomes unavailable to users or serves as a conduit for the transmission of malware. In addition, a company can face significant media-related and other exposure because of employee use of Facebook and similar social sites and feeds (Twitter, LinkedIn, MySpace, etc), posts to blogs, and personal emails.59 Companies that provide services that support e-commerce, such as the services provided by Internet service providers and software developers, may face liability arising out of, for example, the creation and implementation of software and the provision of services. A company also may experience substantial business interruption and related losses if online systems or websites are disabled by, or disabled in order to address, a cyber attack. These losses may be in addition to those incurred to repair damage to or replace a company’s computers, 55. 2013 Cost of Data Breach Study, supra note 34, at 1. 56. See Paul Tassi, Sony Pegs PSN Attack Costs at $170 Million, $3.1B Total Loss for 2011, FORBES–BUSINESS (May 23, 2011), available at http://blogs.forbes.com/insertcoin/2011/05/ 23/sony-pegs-psn-attack-costs-at-170-million/ (last visited Mar. 15, 2014). 57. Liana B. 
Baker & Jim Finkle, Sony’s insurers to help foot bill for data breach: Experts say the final tally could exceed $2 billion, REUTERS, available at http://www.msnbc.msn.com/id/ 42923992/ns/technology_and_science-games/ (last visited Mar. 15, 2014). 58. Tom Webb, Analyst sees Target data breach costs topping $1 billion ( Jan. 1, 2014), available at http://www.twincities.com/business/ci_25029900/analyst-sees-target-data-breach-coststopping-1 (last visited Mar. 15, 2014). 59. See Advisen Special Report, Online Social Networking: A Brave New World of Liability, at 1 (Mar. 2010), available at https://www.advisen.com/downloads/SocialNetworking.pdf (last visited Mar. 15, 2014) (“Millions of people across the world now participate on social network websites such as Facebook, LinkedIn and Twitter. But social network sites also can be liability minefields, exposing companies to risks as diverse as copyright infringement, consumer fraud and discrimination. Employers also can be held liable for the unsupervised activities of their employees on social network sites.”). 542 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) networks, and data, as well as the costs to update and fix any flaws in its security systems.60 In addition, cyber industrial espionage, including through advanced persistent threats (APTs), costs U.S. companies billions.61 These examples of cyber threats are far from exhaustive. The Ponemon Institute’s 2012 Cyber Crime Study found that “the average annualized cost of cyber crime for 56 organizations in [its] study is $8.9 million per year, with a range of $1.4 million to $46 million.”62 This number is up from the $8.4 million average annualized cost reflected in the 2011 survey.63 ii. the yellow brick road to coverage A. 
Yellow Bricks and Mortar: Traditional Insurance Coverages Although some companies carry specialty insurance policies that are specifically designed to afford coverage for cyber risks, most companies have various forms of traditional insurance policies that may cover cyber risks, including commercial general liability (CGL), commercial property/ business interruption, directors and officers (D&O), errors and omissions (E&O), professional liability, fiduciary, crime, and other policies. Although insurers typically argue that cyber risks are not intended to be covered under CGL policies or other traditional types of insurance 60. The Ponemon Institute has identified the following “four general cost activities” associated with “external consequences or costs associated with the aftermath of successful [cyber] attacks,” including costs associated with lost information, business interruption, damage to equipment, and loss of customers: • Cost of information loss or theft: Loss or theft of sensitive and confidential information as a result of a cyber attack. Such information includes trade secrets, intellectual properties (including source code), customer information, and employee records. This cost category also includes the cost of data breach notification in the event that personal information is wrongfully acquired. • Cost of business disruption: The economic impact of downtime or unplanned outages that prevent the organization from meeting its data processing requirements. • Cost of equipment damage: The cost to remediate equipment and other IT assets as a result of cyber attacks to information resources and critical infrastructure. • Lost revenue: The loss of customers (churn) and other stakeholders because of system delays or shutdowns as a result of a cyber attack[.] 2012 Cost of Cyber Crime Study, supra note 27, at 24. 
These are in addition to “five internal cost activity centers,” which include costs associated with detecting, investigating and mitigating attacks, and repairing system damage in the wake of an attack. See id. at 23–24. 61. See McAfee Report, The Economic Impact of Cybercrime and Cyber Espionage, Center for Strategic and International Studies, at 3 ( July 2013) (“the cost of cybercrime and cyber espionage to the global economy is probably measured in the hundreds of billions of dollars”); ONCIX Report to Congress, supra note 37, at 24 (losses to U.S. organizations resulting from economic espionage range between $2 - $400 billion per year). Prior ONCIX reports are available at http://www.ncix.gov/publications/reports/fecie_all/ (last visited Mar. 15, 2014). 62. 2012 Cost of Cyber Crime Study, supra note 27, at 1. 63. Second Annual Cost of Cyber Crime Study, supra note 29, at 4. Viruses, Trojans, and Spyware 543 coverages, insureds pursuing coverage under CGL policies have met with some, albeit not universal, success in obtaining coverage for certain types of cyber risks. Coverage in a particular case necessarily will depend on the specific facts of each case; the terms, conditions, and exclusions of each individual policy; and the applicable law. A brewing legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. In Zurich American Insurance Co. v. Sony Corp. 
of America,64 which is discussed in greater detail below, Sony’s insurer is seeking a declaration that there is no coverage under the CGL policies at issue on the basis that the underlying lawsuits arising from hacker attacks that resulted in unauthorized access and theft of personal identification and financial information “do not assert claims for ‘bodily injury,’ ‘property damage’ or ‘personal and advertising injury.’ ”65 The Sony coverage case may provide additional guidance on the scope of coverage for data breaches and other cyber risks under traditional CGL policies. In the meantime, the current case law is instructive. 1. Potential Coverage Under Commercial General Liability Policies a. Data Breach Claims and Other Claims Alleging Privacy Violations—The Coverage B “Personal And Advertising Injury Liability” coverage section of the current standard form Insurance Services Office, Inc. (ISO)66 CGL policy67 states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and adver64. No. 651982/2011 (N.Y. Sup. Ct. New York Cty.) (filed July 20, 2011). 65. Complaint ¶ 71. As alleged in the coverage complaint, the underlying lawsuits against Sony “do not assert claims for ‘bodily injury,’ ‘property damage’ or ‘personal and advertising injury’ so as to entitle [the insured] to defense and/or indemnity” under the insurance policy.” Id. The complaint further alleges that [“[e]ven if claims for ‘bodily injury,’ ‘property damage,’ and/or ‘personal and advertising injury’ were alleged . . . the [policy] includes certain exclusions that apply to exclude coverage for the claims asserted in the [underlying] Complaints.” Id. ¶ 72. In another recently filed suit, Nationwide Mutual Fire Insurance Co. v. First Citizens Bank and Trust Co. Inc., No. 4:13cv598 (D.S.C.) (filed Mar. 
6, 2013), the insurer alleges that it has no duty to defend or indemnify its insureds against claims that a janitor was allowed to access bank customers’ confidential information, which was kept in the same closet where janitorial supplies were stored. Among other things, Nationwide’s complaint states that “[t]he alleged damages are not ‘bodily injury’ or ‘property damage’ arising from an ‘occurrence’ ” or “ ‘personal injury and advertising injury’ as defined in the policy.” Complaint ¶¶ 40, 43. This case highlights the point that data breaches need not involve “cyber” threat. 66. ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners. 67. Pre-1998, the ISO standard forms separated “personal injury” and “advertising injury,” while the more current forms combine “personal and advertising injury.” Prior to 1986, this coverage was available through a “Broad Form Endorsement” to the standard ISO policy. 544 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) tising injury,’68 which is caused by an offense arising out of [the insured’s] business.”69 “Personal and advertising injury” is defined in the ISO standard form policy to include a list of specifically enumerated offenses,70 which include the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”71 Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any ‘suit.’ ”72 The CGL Coverage B can indemnify and provide a defense against a wide variety of claims, including claims alleging violation of privacy rights, including data breach cases. For example, in Tamm v. 
Hartford Fire Insurance Co.,73 the Superior Court of Massachusetts confirmed that the insurer had a duty to defend a lawsuit alleging, inter alia, that the insured had “access[ed] and distribut[ed] information obtained in private email accounts” and “threatened to contact a list of specific e-mail addresses for individuals. . . .”74 The underlying lawsuit set out ten counts against the insured, including “viola68. ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, § 1.a. 69. Id. § 1.b. 70. The 2013 CGL policy form defines “personal and advertising injury” as: 14. “Personal and advertising injury” means injury, including consequential “bodily injury,” arising out of one or more of the following offenses: a. False arrest, detention or imprisonment; b. Malicious prosecution; c. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person occupies, committed by or on behalf of its owner, landlord or lessor; d. Oral or written publication, in any manner, of material that slanders or libels a person or organization or disparages a person’s or organization’s goods, products or services; e. Oral or written publication, in any manner, of material that violates a person’s right of privacy; f. The use of another’s advertising idea in your “advertisement”; or g. Infringing upon another’s copyright, trade dress or slogan in your “advertisement”. Id. Section V, § 14. “Advertisement” includes: 1. “Advertisement” means a notice that is broadcast or published to the general public or specific market segments about your goods, products or services for the purpose of attracting customers or supporters. For the purposes of this definition: a. Notices that are published include material placed on the Internet or on similar electronic means of communication; and b. 
Regarding websites, only that part of a website that is about your goods, products or services for the purposes of attracting customers or supporters is considered an advertisement. Id. § 1. 71. Id. § 14.e. 72. Id. Section I, Coverage B, § 1.a. 73. 2003 WL 21960374 (Mass. Super. Ct. 2003). 74. Id. at *2. Viruses, Trojans, and Spyware 545 tions of RICO, misappropriation of trade secrets, and violations of Federal wiretapping laws” and requested that “the court restrain [the insured] from ‘disclosing to any person or entity, or using in any other manner, any confidential or proprietary information or materials belonging to or wrongfully acquired from [the plaintiff ] or its officers, directors, employees, attorneys, or agents.’ ”75 Based on the complaint, the court easily concluded that the insurer had a duty to defend under the standard insurance policy language at issue: In order to trigger the duty to defend under the invasion of privacy language of the policy, an underlying complaint must allege two things: (1) an “oral or written publication” of (2) “materials that violate person’s rights of privacy.” The [underlying] complaint alleges that [the insured] accessed the private e-mail accounts of [the plaintiff ] and its executives and sent these private communications and materials to several outside counsel for [the plaintiff ]. The allegations of sending these private communications via e-mail to outside attorneys seemingly satisfies both prongs under the invasion of privacy clause of the policy.76 i. Coverage B “Publication” That Violates a “Right of Privacy”—Potential issues arising under Coverage B include whether there has been a “publication” that violates the claimant’s “right of privacy”— both terms are left undefined in standard-form ISO policies. These requirements have been addressed in a number of decisions considering underlying claims alleging improper use of credit reports in violation of the Fair Credit Reporting Act (FCRA). 
Many of these decisions have construed these terms in favor of the insured. For example, Pietras v. Sentry Insurance Co.77 is instructive. In Pietras, the class plaintiff alleged that the insured had “accessed [hers] and other class members’ credit information without authorization or a permissible purpose under the FCRA”78 by mailing her a solicitation stating that she had been “pre-approved for an auto loan,” but without making a “firm offer of credit.”79 The court rejected the insurer’s claim that the insured’s “alleged acts did not involve [plaintiff ’s] private information or ‘publication’ of such information.”80 Considering first the “right of privacy” requirement, the 75. Id. at *3. 76. Id. The policy language at issue stated that the insurer “will pay those suits that the insured becomes legally obligated to pay as damages because of . . . ‘personal injury’ ” and defined “personal injury” as “[o]ral or written publication of material that violates a person’s rights of privacy.” Id. at *1. 77. 2007 WL 715759 (N.D. Ill. Mar. 6, 2007) (Illinois law). 78. Id. at *1. 79. Id. at *2. 80. Id. The insurance policy covered damages sustained due to “personal and advertising injury caused by an offense arising out of your business” and defined “personal and advertis- 546 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) Northern District of Illinois found that this requirement was satisfied under controlling precedent in Valley Forge Insurance Co. v. Swiderski Electronics, Inc.:81 Based on the FCRA (upon which the class action complaint is based) and the allegations in the class action complaint, it is difficult to see how the complaint does not allege invasions of privacy that triggered the insurer’s duty to defend [the insured] .... The Valley Forge court concluded, based on standard dictionary definitions, that the plain meaning of “right of privacy” connotes both an interest in seclusion and an interest in secrecy of personal information. 
Therefore, even if the [alleged] solicitations did not contain personal credit information, they still implicated the consumers’ right to privacy protected by the FCRA-the right not to receive credit solicitations sent without a permissible purpose.82 Turning to the “publication” requirement, the court found that this requirement was satisfied by publication to only one person: The “advertising injury” provision of the Sentry policy also requires “oral or written publication” before coverage is triggered. . . . Valley Forge expressly holds that “publication” in a policy providing coverage for “advertising injury” includes communication to as few as one person, thereby resulting in coverage for violations of a statute invoking privacy interests, such as the FCRA.83 The court concluded that “the FCRA allegations in the underlying complaint fall within the ‘advertising injury’ provision in the [insurance] policy and, therefore, [the insurer] had a duty to provide [the insured] a defense.”84 To the same effect is Zurich American Insurance Co. v. Fieldstone Mortgage Co.85 The class plaintiff in Fieldstone Mortgage alleged that the insured had “improperly accessed and used his and others’ credit information, violating FCRA’s requirement that access be either consented to or for a permissible purpose” by sending “ ‘prescreened’ offers from [the insured, ing injury” as “oral or written publication of material that violates a person’s right of privacy.” Id. 81. 860 N.E.2d 307 (Ill. 2006) (holding that the insurer had a duty to defend “junk fax” lawsuits brought under the TCPA). 82. Pietras, 2007 WL 715759, at *2–3 (court’s emphasis). 83. Id. at *3. 84. Id. at *4; see also Am. Family Mut. Ins. Co. v. C.M.A. Mortg., Inc., 2008 WL 906230, at *5 (S.D. Ind. Mar. 31, 2008) (Indiana law) (“We share the view explicated by the court in Pietras . . . 
that the common law principles covering the tort of invasion of privacy have no relevance to insurance contract interpretations”), rescinded on other grounds, 2008 WL 5069825 (S.D. Ind. Nov. 21, 2008). 85. 2007 WL 3268460 (D. Md. Oct. 26, 2007) (Maryland law). Viruses, Trojans, and Spyware 547 Fieldstone] to refinance his mortgage.”86 The plaintiff alleged that the “ ‘prescreening’ was based on information contained in his consumer credit report, which was accessed without his consent and without a permissible purpose under FCRA (such as the extension of a firm offer of credit).”87 The court first rejected the insurer’s argument that “FCRA does not establish a ‘right of privacy’ recognized by the policies.”88 The court also rejected the argument that “in order to constitute a publication, the information that violates the right to privacy must be divulged to a third party.”89 The court noted that “[o]f the circuits to examine ‘publication’ in the context of an ‘advertising injury’ provision, the majority have found that the publication need not be to a third party.”90 The “right of privacy” and “publication” requirements also have been considered in connection with underlying claims alleging violations of the Telephone Consumer Protection Act (TCPA), which bans unsolicited fax advertisements. The Tenth Circuit’s decision in Park University Enterprises, Inc. v. American Casualty Co. of Reading, PA91 is instructive. 
In that case, the class plaintiff alleged that the insured “violated the TCPA when it sent an advertisement to [its] telephone fax machine in Illinois ‘without prior express invitation or permission.’ ”92 The Tenth Circuit rejected the insurer’s attempt to ascribe narrow meaning to the undefined terms “privacy” and “publication”: As noted above, the court correctly determined that in layman’s terms, “[t]he plain and ordinary meaning of privacy includes the right to be left alone.” Certainly, the insurer could impose a more restrictive, technical and legal definition to the term “privacy” following that of the classic tort of invasion of secrecy interests or defamation. .... We likewise agree with the district court’s broad construction of the term “publication” in favor of [the insured]. . . . Reading the terms in the policy from the vantage point of the insured, rather than an insurer or lawyer it is entirely reasonable to define publication as making something generally known. By faxing advertisements to the class of plaintiffs as alleged in the un- 86. Id. at *1. 87. Id. 88. Id. at *4. The court distinguished Resource Bankshares Corp. v. St. Paul Mercury Insurance Co., 407 F.3d 631 (4th Cir. 2005) on the basis that it was “not solely the manner of the solicitation that form[ed] the crux of [the claimant]’s complaint; it [wa]s the action that undergirds the message’s content: the unauthorized accessing of his credit records.” Id. 89. Id. at *5. 90. Id. 91. 442 F.3d 1239 (10th Cir. 2006) (Kansas law). 92. Id. at 1242. 548 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) derlying state court complaint, [the insured] effectively published material in this broader sense, i.e., communicated information generally, which undermined the recipients’ rights to be left alone.93 The court concluded that the insurer had a duty to defend the insured in the TCPA action.94 To the same effect is Penzer v. 
Transportation Insurance Co.,95 in which the Supreme Court of Florida answered the following question certified by the Eleventh Circuit: Does a Commercial Liability Policy Which Provides Coverage for “Advertising Injury,” Defined as “Injury Arising out of . . . Oral or Written Publication of Material That Violates a Person’s Right of Privacy,” Such as the Policy Described Here, Provide Coverage for Damages for Violation of a Law Prohibiting Using Any Telephone Facsimile Machine to Send Unsolicited Advertisement to a Telephone Facsimile Machine When No Private Information is Revealed in the Facsimile?96 Penzer involved a class action suit alleging that the class claimants received unsolicited facsimile commercial advertisements in violation of the TCPA.97 The insurer denied coverage on the basis that “ ‘oral or written publication of material that violates a person’s right of privacy’ . . . provides coverage only for injuries to privacy rights caused by the content of the material” and “coverage exists only when private matters about one person are communicated to another person.”98 The court first found the “right of privacy” requirement satisfied by the TCPA, “which provides the privacy right to seclusion,” and the class allegations: In this case, the source of the right of privacy is the TCPA, which provides the privacy right to seclusion. . . . The facts of the instant case demonstrate 93. Id. at 1250 (citations omitted). 94. Id. at 1251. Significantly, the court also held that the insurer had a duty to defend under Coverage A because an “unsolicited fax can result in ‘loss of use of tangible property.’ ” Id. at 1244; see also Columbia Cas. Co. v. HIAR Holding, L.L.C., 2013 WL 4080770, at *7–8 (Mo. Aug. 13, 2013) (affirming the trial court’s decision that TCPA allegations triggered Coverage A because there were allegations of lost ink toner, paper, and loss of use of recipients’ fax machines). Compare Am. States Ins. Co. v. Capital Assocs. 
of Jackson Cnty., Inc., 392 F.3d 939, 943 (7th Cir. 2004) (“[T]he property-damage clause in the policy is no more useful to Capital Associates; junk faxes use up the recipients’ ink and paper, but senders anticipate that consequence. Senders may be uncertain whether particular faxes violate § 227(b)(1)(C) but all senders know exactly how faxes deplete recipients’ consumables. That activates the policy’s intentional-tort exception (which applies to the property-damage coverage though not the advertising-injury coverage): it forecloses coverage when the recipient’s loss is ‘expected or intended from the standpoint of the insured.’ Because every junk fax invades the recipient’s property interest in consumables, this normal outcome is not covered.”). 95. 29 So. 3d 1000 (Fla. 2010). 96. Id. at 1002 (quoting Penzer v. Transp. Ins. Co., 545 F.3d 1303, 1312 (11th Cir. 2008)). 97. Id. at 1003. 98. Id. Viruses, Trojans, and Spyware 549 that there was a written dissemination of 24,000 facsimiles that violated the TCPA. Comparing the policy’s language to [the facts of this case]: there was a written publication [dissemination] of material [of 24,000 facsimiles] that violated a person’s right of privacy [that violated the TCPA]. Therefore, applying our plain meaning analysis, we hold that Transportation’s insurance policy provides coverage for sending unsolicited fax advertisements in violation of the TCPA.99 The court then found the “publication” requirement satisfied, rejecting the insurer’s argument that “the violation [of the right to privacy] must arise from the content of the material in order to trigger coverage”: [W]e find that the clause “that violates a person’s right of privacy” is applicable as much to “publication” as to “material;” therefore, the clause should be read as applicable to all. Accordingly, we reject Transportation’s assertion that the violation must arise from the content of the material in order to trigger coverage. 
Furthermore, even if the phrase “that violates a person’s right of privacy” only modifies the term “material,” it does not follow that only the secrecy right to privacy is implicated because “material” could also invade one’s seclusion.100 Based on its findings, the Supreme Court of Florida answered the certified question in the affirmative: Based upon our plain meaning analysis, we hold that an advertising injury provision in a commercial liability policy that provides coverage for an “oral or written publication of material that violates a person’s right of privacy” provides coverage for blast-faxing in violation of the TCPA. We therefore answer the certified question in the affirmative.101 In a recent August 2013 decision, the Supreme Court of Missouri likewise upheld coverage for violations of the TCPA in Columbia Casualty Co. v. HIAR Holding, L.L.C.102 In that case, the insurer refused to defend or indemnify an action alleging that its insured, a hotel proprietor, violated the TCPA by “send[ing] approximately 12,500 unsolicited advertising facsimiles—‘junk faxes’—to recipients in the 314 and 636 area codes in October 2001.”103 The insured defended the suit at its own expense and, after the insurer rejected an offer to settle within the $1 million per “occurrence” 99. Id. at 1006–07 (citations omitted). The Supreme Court of Florida in Penzer collected cases “holding that similar policy provisions provide coverage for TCPA violations” and cases “holding that similar policy provisions do not provide coverage.” Penzer, 29 So. 3d at 1005 n.5. The court was “more persuaded by the reasoning in those cases that found coverage by applying a plain meaning analysis.” Id. 100. Id. at 1007 (citations omitted). 101. Id. at 1008. 102. 411 S.W.3d 258 (Mo. 2013). 103. Id. at 261–62. 
550 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) insurance limits, ultimately agreed to a class-wide settlement for $5 million in January 2007.104 Insurance coverage litigation ensued and the trial court entered judgment against the insurer for the full settlement plus interest.105 In addition to rejecting the insurer’s argument that TCPA damages are not covered because they are penal in nature,106 the court rejected the insurer’s argument that the advertising injury coverage is “limited to privacy violation claims that allege violations arising out of the content of the advertising material itself ” and that the “privacy language in its policy is not a reference to protecting seclusion rights guarded by the TCPA”: These privacy rights arguments are not persuasive in establishing that the trial court erred in determining that “advertising injury” coverage was invoked in this case. The class’s claims alleged privacy rights violations pursuant to the TCPA, which has been recognized as providing privacy protections. . . . [A] reasonable interpretation of HIAR’s policy can include that coverage is available for the privacy rights claims of the class.107 The court also rejected the insurer’s claim that there was no coverage because “coverage is intended for a private person and not for an incorporeal interest,” finding that “the TCPA includes privacy rights for businesses and persons.”108 The court concluded that “the trial court did not err in determining that ‘property damage’ and ‘advertising injury’ coverage was invoked and triggered Columbia’s duty to defend [the insured].”109 104. See id. at 262. 105. See id. at 263. 106. See id. at 268 (“statutory damages of $500 per occurrence are not damages in the nature of fines or penalties”); see also Standard Mut. Ins. Co. v. Lay, 989 N.E.2d 591, 600 (Ill. 2013) (“We disagree with decisions concluding that the TCPA-prescribed damages of $500 per violation constitute penal or punitive damages.”). 107. 
HIAR Holding, 411 S.W.3d at 269–70. But see Telecomm’ncs Network Design v. Brethren Mut. Ins. Co., 5 A.3d 331, 336 (Pa. Super. Ct. 2010) (“A number of courts have held that because the TCPA protects some form of privacy interests, TCPA violations are covered under the “advertising injury” provisions. However, while we agree with this reading of Congressional intent, Congress’s intent in enacting the TCPA does not control the issue of what the parties agreed to in entering into the insurance contracts.”) (citations omitted); State Farm Gen. Ins. Co. v. JT’s Frames, Inc., 104 Cal. Rptr. 3d 573, 586 (2010) (“Applying th[e last antecedent] rule, the phrase ‘that violates a person’s right to privacy’ must be construed to modify the word ‘material.’ In other words, to come within the policies’ definition of advertising injury, the material at issue must ‘violate[ ] a person’s right to privacy,’ which would be the case only if the material contained confidential information and violated the victim’s right to secrecy.”) (emphasis in original). 108. HIAR Holding, 411 S.W.3d at 270. 109. Id. at *11. Viruses, Trojans, and Spyware 551 Courts have upheld coverage for privacy-related claims in a variety of other settings,110 although the decisions are not uniform.111 110. See, e.g., Encore Receivable Mgmt., Inc. v. Ace Prop. & Cas. Ins. Co., 2013 WL 3354571, at *8 (S.D. Ohio July 3, 2013) (Ohio law) (holding that the “publication” requirement was satisfied in connection with lawsuits alleging that the defendants recorded various telephone conversations without consent, finding that “the initial dissemination of the conversation constitutes a publication at the very moment that the conversation is disseminated or transmitted to the recording device” and, therefore, the court did not need to “find that the recordings were disseminated to the public in order to find publication”); Nat’l Fire Ins. Co. of Hartford v. NWM-Oklahoma, LLC, 546 F. Supp. 2d 1238, 1241, 1248 (W.D. Okla. 
2008) (Oklahoma law) (holding that the insurer had a duty to defend a suit alleging that the insured “ ‘listen[ed] in’ on conversations between [the claimant] and customers for training purposes,” finding that the “publication” requirement was satisfied because “the [recording] system would function in a way that anyone in the offices of [the supervisor] or other employees, or anyone near the [recording] . . . would have had the ability to listen in on the employee and customer conversations”); Bowyer v. Hi-Lad, Inc., 609 S.E.2d 895, 902, 912 (W.Va. 2004) (upholding coverage for allegations that a hotel employee “had been subjected to ‘illegal oral surveillance by electronic surveillance apparatus owned and operated by the [appellant]’ in violation of the West Virginia Wiretapping and Electronic Surveillance Act,” finding nothing in the policy language “indicating that the word publication necessarily means transmitting the intercepted communications to a third party”); Norfolk & Dedham Mut. Fire Ins. Co. v. Cleary Consultants, Inc., 958 N.E.2d 853, 860 (Mass. App. Ct. 2011) (“The amended complaint explicitly alleges that Adelman ‘invaded [Towers’s] right to privacy and slandered [her] reputation by circulating his humiliating, vulgar, false, and demeaning statements among co-workers.’ ”). 111. See, e.g., Creative Hospitality Ventures, Inc. v. U.S. Liab. Ins. Co., 444 Fed. App’x 370, 370–71, 376 (11th Cir. 2011) (Florida law) (CGL insurer had no duty to defend a class action alleging that the insured violated the he Fair and Accurate Credit Transactions Act (FACTA) “by issuing receipts revealing more than five digits of the consumer’s credit card number or the card’s expiration date” because issuance of a credit card receipt does not constitute a “publication,” but rather “is a contemporaneous record of a private transaction between [the insured] and the customer” that was “neither broadcasted nor disseminated . . . to the general public”) (applying Penzer Transp. 
Ins. Co., 29 So. 3d 1000, 1005 (Fla. 2010)); Capital Assocs., 392 F.3d at 943 (“we hold that an advertising-injury clause of the kind in American States’ policy does not cover the normal consequences of junk advertising faxes”); Whole Enchilada, Inc. v. Travelers Prop. Cas. Co. of America, 581 F. Supp. 2d 677, 683, 697 (W.D. Pa. 2008) (Pennsylvania law) (insurer had no duty to defend a class action alleging that the insured violated FACTA by providing “an electronically printed receipt which included the expiration date of [the claimant]’s credit or debit card” because the complaint “allege[d] only that the information printed on the receipt was handed to the class member at the point of sale and [did] not allege that the cardholder’s information was in any way made generally known, announced publicly, disseminated to the public, or released for distribution” and, therefore, there was no “publication of material that appropriates a person’s likeness . . . or gives unreasonable publicity to a person’s private life” as required by the policy language at issue); Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 2012 WL 469988, at *6 (Conn. Super. Ct. Jan. 17, 2012) (no coverage for $2,467,245 for notification, call centers, and credit monitoring services after “approximately 130 computer data tapes, containing personal information for more than 500,000 IBM employees, were then removed by an unknown person and never recovered” because “there [wa]s no evidence of communication to a third party”); see also Nationwide Ins. Co. v. Cent. Laborers’ Pension Fund, 704 F.3d 522, 524–25 (7th Cir. 2013) (Illinois law) (holding that a homeowner’s policy exclusion for “property . . . 
in the care of the ‘insured’ ” and separate “business” exclusion each barred defense and indemnity coverage for claims seeking “nearly $200,000 in credit monitoring and insurance expenses” after a laptop containing a compact disc “containing confidential and protected information, including the names, birth dates, and Social Security numbers of approximately 30,000 individual[s]” was stolen from an employee’s car). 552 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) It is important to note that policy language may vary, and the policy language at issue will control, together with the specific facts of the case and applicable law. In the cyber software context, the Ninth Circuit upheld coverage in Netscape Communications Corp. v. Federal Insurance Co. under language different from the current standard form Coverage B language.112 In that case, the underlying claimants alleged that the insured’s “SmartDownload [software] violated the claimants’ privacy by, among other things, collecting, storing, and disclosing to Plaintiffs and their engineers claimants’ Internet usage.”113 The insured “used this information to create profiles of its users, both to help with technical support, and additionally, to create opportunities for targeted advertising.”114 The claimants alleged that the use of the feature violated the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.115 The insurance policy obligated the insurer to “pay amounts [the insured] is legally required to pay as damages for covered personal injury that . . . is caused by a personal injury offense,” which was defined to include the offense of “[m]aking known to any person or organization written or spoken material that violates a person’s right to privacy.”116 The district court held that the insurer had a duty to defend, reasoning that “when [the insured] received information from SmartDownload, it was making it known to AOL by transmitting it to its parent company. 
Similarly, individual [insured] employees made the information known to each other by circulating files among themselves with the information gained from SmartDownload.”117 The Ninth Circuit affirmed that “the district court correctly determined that the claims against [the insured] were ‘personal injury offenses’ and within the policy’s coverage.”118 The Ninth Circuit dismissed as dicta cases stating that “coverage is triggered by a disclosure to a third party.”119 112. 343 Fed. App’x 271 (9th Cir. 2009). 113. Netscape, 2007 WL 1288192, at *1 (N.D. Cal. Apr. 27, 2007). 114. Id. 115. Id. 116. Id. at *6 (citations omitted). The phrase “making known to any person or organization” took the place of the phrase “oral or written publication, in any manner” found in the ISO form. 117. See id. 118. Netscape, 343 Fed. App’x at 272. See generally Jean-Paul Jaillet, Insurance Coverage for Cyber-Risky Business, LAW360 (Feb. 21, 2012), available at http://www.law360.com/articles/ .311174/insurance-coverage-for-cyber-risky-business (last visited Dec. 27, 2012) (discussing recent cases). 119. Netscape, 343 Fed. App’x at 272. The court in Netscape also found that “[a]lthough the district court correctly determined that the claims were ‘personal injury offenses,’ it erred in how it interpreted the policy exclusion for ‘providing Internet access to 3rd parties.’ ” Id. The policy stated that “[f ]or the purposes of advertising injury and personal injury, all Online Activities are excluded from these coverages,” Netscape, 2007 WL 1288192, at *2, and defined “Online Activities” as “providing e-mail services, instant messaging services, 3rd party adver- Viruses, Trojans, and Spyware 553 The “publication” and “right of privacy” requirements may soon be addressed in connection with the Sony PlayStation insurance coverage litigation. One of the issues in that case involves whether Coverage B is triggered. 
In its recent motion for partial summary judgment, Sony argues that the claims alleged fall within the scope of coverage afforded under the “personal and advertising injury” coverage: The MDL Amended Complaint, which is currently the operative complaint in the underlying litigation, alleges that plaintiffs suffered the “loss of privacy” as the result of the improper disclosure of their “Personal Information”—defined as “sensitive personal and financial information” that includes “customer names, mailing addresses, email addresses, and birth dates, as well as credit and debit card numbers, expiration dates, and security codes, online network passwords, login credentials, answers to security questions, and other personal information.” This kind of information has been held to constitute “material that violates a person’s right of privacy.” .... For purposes of triggering Personal Injury Coverage, disclosure to a small group of people or a single person is sufficient. In addition, courts have recognized that “publication” can occur when someone gains unauthorized access to information, even in the absence of an overt act of disclosure. . . . Here, the Data Privacy Litigation includes allegations that the plaintiffs’ “sensitive personal and financial information” was “placed . . . in the hands of cyber criminals.”120 In addition to satisfying the coverage grant requirements of “publication” that violates a “right of privacy,” there are potential exclusionary coverage hurdles under Coverage B. ISO standard form policies written or effective on or after December 1, 2001, for example, contain several exclusions relating to Internet-related activities.121 tising, supplying 3rd party content and providing Internet access to 3rd parties. . . .” Id. at *3. 
In particular, the Ninth Circuit found that the “ ‘ Internet access” is commonly equated with a working Internet connection,” and “[t]he SmartDownload utility does not provide an Internet connection, and, in fact, is useless without one.” Netscape, 343 Fed. App’x at 272. 120. Memorandum of Law in Support of the Motion of Sony Corporation of America and Sony Computer Entertainment America LLC for Partial Summary Judgment Declaring That Zurich and Mitshui Have a Duty to Defend, at 14, 16 (filed May 10, 2013) (hereinafter “Sony Summary Judgment Motion”). 121. The ISO standard form 2001 and later policies contain three exclusions expressly relating to Internet activities: (the first of which is an expanded version of the prior language that simply excluded injury committed “by an insured whose business is advertising, broadcasting, publishing or telecasting . . .”). The standard form states that “[t]his insurance does not apply to”: j. Insureds In Media And Internet Type Businesses “Personal and advertising injury” committed by an insured whose business is: (1) Advertising, broadcasting, publishing or telecasting; (2) Designing or determining content of web sites for others; or (3) An Internet search, access, content or service provider. 554 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) In addition, as noted above, the 2007 and later ISO forms contain an exclusion for privacy-related laws, including the TCPA, which is applicable to Coverage B.122 The current 2013 industry form also includes violations of the FCRA and “[a]ny federal, state or local statute, ordinance or regulation . . . that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”123 The current form states that “[t]his insurance does not apply to”: p. 
Recording And Distribution Of Material Or Information In Violation Of Law “Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; (2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; (3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or However, this exclusion does not apply to Paragraphs 14.a., b. and c. of “personal and advertising injury” under the Definitions section. For the purposes of this exclusion, the placing of frames, borders or links, or advertising, for you or others anywhere on the Internet, is not by itself, considered the business of advertising, broadcasting, publishing or telecasting. k. Electronic Chatrooms Or Bulletin Boards “Personal and advertising injury” arising out of an electronic chatroom or bulletin board the insured hosts, owns, or over which the insured exercises control. l. Unauthorized Use Of Another’s Name Or Product “Personal and advertising injury” arising out of the unauthorized use of another’s name or product in your e-mail address, domain name or metatag, or any other similar tactics to mislead another’s potential customers. ISO Form CG 00 01 10 01 (2000), Section I, Coverage B, §§ 2.j., 2.k., 2.l. 122. The 2007 standard form states that “[t]his insurance does not apply to”: p. 
Distribution Of Material In Violation Of Statutes “Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; or (2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or (3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information. Id. Section I, Coverage B, § 2.p. 123. ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, § 2.p. Viruses, Trojans, and Spyware 555 (4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.124 Insurers have raised this exclusion in recent privacy breach cases.125 In addition the exclusion pertaining to insureds “whose business is . . . “[a]n Internet search, access, content or service provider”126 is currently at issue in the Sony PlayStation data breach coverage litigation.127 ii. 
Potential Coverage Under Coverage A for “Bodily Injury”— Coverage A of the current standard form ISO CGL policy form states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’ ”128 that “occurs during the policy period.”129 There is little if any case law to date that addresses whether claims arising from data breaches or other cyber risks allege “bodily injury,” which is defined in the current ISO CGL policy as “bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.”130 This potential source of coverage for data breach claims should not be overlooked, however, as case law may support an argument that “bodily injury” as defined in the policy includes emotional harm. In addition, the specific policy at issue may contain a 124. Id. 125. For example, Nationwide Mutual Fire Insurance Company raised this exclusion in connection with claims alleging that its insured, First Citizens Bank, allowed a janitor to access bank customers’ confidential information by keeping file cabinets containing the information in the same closet where it stored janitorial supplies. See Nationwide Mut. Fire Ins. Co. v. First Citizens Bank & Trust Co. Inc., No. 4:13cv598 (D.S.C. 2013), Complaint ¶¶ 23, 55 (filed Mar. 6, 2013). In addition, Hartford Fire Insurance Company raised this exclusion in connection with class action litigation alleging that its insured, Crate & Barrel, violated the California Song-Beverly Act by intentionally requesting and recording customers’ zip code information during credit card transactions. See Hartford Fire Ins. Co. v. Euromarket Designs, Inc., No. 1:11-cv-03008 (N.D. 
Ill.), Complaint ¶¶ 9, 35 (filed May 5, 2011) (“To the extent that the Campbell, Salmonson, Heon, and Dardarian complaints allege claims for ‘personal and advertising injury,’ the complaints claim relief based on violations of the SongBeverly Act, a statute that prohibits and/or limits the recording, transmission, communication and/or distribution of personal information. Accordingly, the complaints fall within the Violation of Statutes Exclusion.”). Hartford also raised an exclusion for “[p]ersonal and advertising injury” arising out of the violation of a person’s right of privacy created by any state or federal act.” Id. ¶ 8. The last docket entry indicates that the parties reached a global settlement and the case is dismissed. Docket Minute Entry No. 57 ( July 17, 2012). 126. See note 121, supra. 127. Sony Summary Judgment Motion, supra note 12, at 14, 19 (“In prior proceedings before this court, Zurich and Mitsui have argued that coverage for the Data Privacy Litigation is barred by the Internet Business Exclusion. This provision excludes coverage for ‘an insured whose business is [among other things] . . . (3) An Internet search, access, content or service provider.’ ”). 128. ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, § 1.a. 129. Id. § 1.b.(2). 130. ISO Form CG 00 01 04 13 (2012), Section V, § 3. 556 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) broadened definition of “bodily injury” that expressly extends to emotional harm.131 Depending on the policy language and applicable law, there may be coverage for data breach cases. For example, one of the class action complaints filed against Sony arising out of the 2011 high-profile attack on the Sony PlayStation Network alleges the following injuries: Defendant has failed to provide regular credit reports and credit monitoring at their own expense to those whose private data was exposed and left vulnerable. 
This has caused, and continues to cause, millions of consumers fear, apprehension, and damages including extra time. effort, and costs for credit monitoring, and extra time, effort, and costs associated with replacing cards and account numbers, and burden, and is harming both consumers’ and merchants’ ability to protect themselves from such fraud. This lawsuit seeks to remedy this reprehensible situation.132 It warrants mention that, as part of its April 2013 revisions to the CGL policy forms, including the main forms and the ISO “Electronic Data Liability Endorsement,” ISO has clarified that the “electronic data” exclusion “does not apply to liability for damages because of ‘bodily injury.’ ”133 ISO has characterized this as a “broadening of coverage”134 and has stated that its intention with this change is to confirm that there should be coverage if the loss of use of data or the inability to access it leads to bodily injury. However, companies should keep in mind that the 2007 and later ISO forms contain an exclusion for certain privacy-related laws, which is applicable to Coverage A.135 The current standard form, which became effec131. See generally Richard Clarke, Where to Find the Best Possible Cyber Coverage, INS. J. (Feb. 19, 2013), available at http://www.insurancejournal.com/news/national/2013/02/19/ 281713.htm (last visited May 13, 2013) (hereinafter “Where to Find the Best Possible Cyber Coverage”) (“Any good insurance broker would go to extreme lengths to try to find coverage based upon the claim situation at hand. An example might be lawsuit allegations to the effect of ‘invasion of privacy/confidentiality.’ Certainly, cyber insurance policies—and perhaps certain technology errors and omissions liability policies, and even some professional liability policies—may provide this coverage. 
But it’s also true that many commercial general liability (CGL) policy forms, under the definition of ‘Personal Injury,’ will likely provide some form of cyber coverage, as well.”). 132. Johns v. Sony Computer Entm’t Am. LLC, 3:11-cvN263-EDL, ¶ 3 (N.D. Cal. Apr. 27, 2011). An argument can be made that credit monitoring is analogous to medical monitoring. 133. See, e.g., CG 00 01 04 13 (2012), Section I, Coverage A, § 2.p. 134. 2012 General Liability Multistate Forms Revision to Policyholders (CG P 015 04 13). 135. The standard form added in 2007 states that “[t]his insurance does not apply to”: q. Distribution Of Material in Violation of Statutes “Bodily injury” or “property damage” arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; or Viruses, Trojans, and Spyware 557 tive in most states in April 2013, contains an updated version of this exclusion, which states that [t]his insurance does not apply to . . . “[b]odily injury” or “property damage” arising directly or indirectly out of any action or omission that violates or is alleged to violate . . . [a]ny federal, state or local statute, ordinance or regulation. . . . [t]hat addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.136 This is a common type of exclusion that first appeared in 2005 as a stand-alone exclusionary endorsement to the standard industry CGL form137 and is incorporated into the body standard industry CGL form as of 2007. The exclusion was introduced in response to a number of cases upholding insurance coverage for alleged violations of the TCPA, among other statutes. 
Depending on the variation of the exclusion, insureds may have a very good argument that it extends, at most, only to laws that seek to protect the right of “seclusion” privacy, such as the TCPA, and does not apply to laws that seek to protect the right of “secrecy” privacy, such as data breach-related laws.138 iii. Recent Data Breach Decisions— (a) Corcino—On October 7, 2013, the U.S. District Court for the Central District of California upheld coverage under a commercial general liability policy for a hospital data breach that compromised the records of nearly 20,000 patients in Hartford Casualty Insurance Company v. Corcino & Associates.139 The two underlying class action lawsuits in Corcino alleged that Stanford Hospital and Clinics and the insured, medical consulting firm Corcino & Associates, violated the privacy rights of numerous patients by providing confidential personally identifiable medical information to an individual who posted the information on a public website. In particular, the claimants alleged that “the private, confidential, and sensitive medical and/or psychiatric information of almost 20,000 patients of Stanford’s (2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or (3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information. ISO Form CG 00 01 12 07 (2007), Section I, Coverage A, § 2.q. 136. See CG 21 07 05 14 (2013). 137. See CG 00 67 03 05 (2004). 138. As explained by one court recently in the TCPA insurance coverage context, “[p]rivacy law distinguishes between (1) secrecy based torts that punish disclosure of private information about someone other than the recipient, and (2) seclusion based torts that involve intruding on another’s solitude.” Owners Ins. Co. v. European Auto Works, Inc., 695 F.3d 814, 818 (8th Cir. 2012). 139. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). 
558 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) Emergency Department appeared on a public website and remained publicly available online for almost one full year.”140 The underlying complaints contained causes of action for violations of the claimants’ constitutional right of privacy, common law privacy rights, the California Confidentiality of Medical Information Act (CMIA),141 and California’s Lanterman Petris Short (LPS) Act.142 The suits sought, among other things, statutory damages of $1000 per person under CMIA and statutory damages of up to $10,000 per person under LPS. The insured sought a defense and indemnity under its CGL insurance policy. The “personal and advertising injury” insuring clause of policy stated that the insurer, Hartford Casualty Insurance Company, would “pay those sums that the insured becomes legally obligated to pay as damages because of . . . ‘personal and advertising injury.’ ”143 The term “personal and advertising injury” was defined in the Policy as follows: “Personal and advertising injury” means injury, including consequential “bodily injury”, arising out of one or more of the following offenses: .... e. Oral, written or electronic publication of material that violates a person’s right of privacy; .... As used in this definition, oral, written or electronic publication includes publication of material by someone not authorized to access or distribute the material[.]144 Hartford accepted the defense of the claims, but reserved its right to deny coverage and initiated coverage litigation seeking a declaration that the statutory relief sought by the claimants is excluded from coverage under the following exclusion pertaining to violations of statutorily created rights: This insurance does not apply to: ... p. Personal And Advertising Injury (11) Arising out of the violation of a person’s right to privacy created by any state or federal act. 
However, this exclusion does not apply to liability for damages that the insured would have in absence of such state or federal act.145

Citing to this exclusionary language, Hartford contended that the Policy

provides no coverage for any statutory relief (including, but not necessarily limited to, statutory damages) awarded against [the insureds] because such relief would arise out of the violation of a person’s right to privacy created by a state act(s) for which [the insureds] would have no such liability in the absence of such state act(s).146

Stanford moved to dismiss Hartford’s complaint for failure to state a claim. In particular, Stanford contended that the exclusion did not apply, and therefore Hartford’s complaint failed to state a claim upon which relief can be granted, because the statutes did not “create” privacy rights, but rather provided remedies for breach of “existing constitutional and common law right.”147 As Stanford argued in its briefing:

Hartford’s exclusion does not apply because the plaintiffs in the underlying cases seek statutory remedies for breaches of privacy rights that were not themselves “created by any state or federal act,” but which exist under common law and the California Constitution—and which existed for decades before the Legislature made the current statutory remedies available for them.148

In considering Stanford’s motion to dismiss, the court noted that “insurance coverage is interpreted broadly so as to afford the greatest possible protection to the insured, [whereas] . . . exclusionary clauses are interpreted narrowly against the insurer.”149 Therefore, “[i]f any reasonable interpretation of the policy would result in coverage, a court must find coverage even if other reasonable interpretations would preclude coverage.”150 Applying these well established rules of insurance policy construction, the court concluded that Stanford’s interpretation of the policy was reasonable.151 In reaching this conclusion, the court noted that “medical records have been considered private and confidential for well over 100 years at common law.”152 The court also found that “[t]he legislative history of the LPS and CMIA, under which the plaintiffs seek relief against [the insured], demonstrates that these statutes were intended not to create new privacy rights, but rather to codify existing rights and create effective remedies that would encourage affected individuals to enforce them.”153 The court reasoned that

because the LPS and CMIA do not create new privacy rights and because the Policy exclusion by its terms ‘does not apply to liability for damages that the insured would have in absence of such state or federal act,’ the relief sought under these statutes can reasonably be interpreted to fall outside of Hartford’s Policy exclusion.154

The court also rejected Hartford’s argument that statutory penalties are not covered “damages” because of “personal and advertising injury,” finding that “[t]he statutes . . . permit an injured individual to recover damages for breach of an established privacy right, and as such, fall squarely within the Policy’s coverage.”155 The court concluded that the hospital’s “interpretation of the Policy exclusion’s scope based on the language and plain meaning of the exclusion is reasonable” and, therefore, “any relief awarded under the LPS and CMIA would be covered, rather than excluded, under Hartford’s Policy.”156 The court granted Stanford’s motion to dismiss with prejudice.157

The Corcino decision underscores that, although insurers have increasingly added exclusions to “traditional” policies purporting to limit or cut off coverage for privacy liability and electronic data related claims,158 there may yet be valuable privacy and data breach coverage under traditional policies that should not be overlooked.

(b) Recall Total—On January 14, 2014, a Connecticut appellate court issued an insurance coverage opinion, Recall Total Information Management, Inc. v. Federal Insurance Co.,159 which, while negating coverage under the specific facts at issue in the case, also actually tends to support an argument in favor of coverage under so-called traditional CGL policies for a company involved in a data breach incident such as the Target breach. The Recall case also addressed potential coverage for data breach under the “personal and advertising injury” coverage section of the insured’s CGL policies. As noted, the current standard industry form states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’ ” which is defined to include the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”160

The lead plaintiff in Recall had an agreement in place to transport and store various electronic media for International Business Machines (IBM). It subcontracted with Executive Logistics, Inc. (Ex Log) to provide the transportation services. During an Ex Log transport of computer tapes from an IBM facility in New York to another location, a cart fell out of the transport van and approximately 130 tapes, which contained Social Security numbers, birthdates, and contact information for some 500,000 past and present IBM employees, were removed from the roadside by an unknown person and never recovered. IBM took typical crisis management steps to address the incident, including notification to potentially affected employees, the establishment of a call center to answer inquiries regarding the lost data, and a year of credit monitoring to protect against identity theft. IBM claimed over $6 million for these costs from Recall, which paid the entire amount of the loss and sought indemnification from Ex Log. Ex Log tendered the claim under its CGL policies, which, similar to many other CGL policies, stated that the insurer would “pay damages that the insured becomes legally obligated to pay by reason of liability” for “personal injury,” which was defined as “injury . . . caused by an offense of . . . electronic, oral, written or other publication of material that . . . violates a person’s right to privacy.”161 The insurers denied coverage on the basis that there had been no “publication” of the data contained on the tapes.

Importantly, the court did not summarily hold that there was no coverage for crisis management costs, such as IBM’s notification, call centers, and credit monitoring efforts.

140. Id. at *1 (quoting the Second Amended Class Action Complaint in Springer v. Stanford Hosp. & Clinics, No. BC470S22 (Cal. Super. Ct., filed May 12, 2012)).
141. CAL. CIV. CODE §§ 56–56.37.
142. CAL. WELF. & INST. CODE §§ 5328–30.
143. Hartford’s First Amended Complaint for Declaratory Relief, filed on June 18, 2012, ¶ 18.
144. Id. ¶ 19.
145. Id. ¶ 20.
146. Id. ¶ 21.
147. Corcino, 2013 WL 5687527, at *4.
148. Defendant Stanford Hospital & Clinics’ [Corrected] Notice of Motion to Dismiss Complaint, at 1 (filed Aug. 19, 2013) (original emphasis).
149. Corcino, 2013 WL 5687527, at *4.
150. Id. (quoting Bodell v. Walbrook Ins. Co., 119 F.3d 1411, 1413 (9th Cir. 1997)).
151. See id.
152. Id. at *5.
153. Id.
154. Id.
155. Id.
156. Id. at *6.
157. Id.
158. See Roberta D. Anderson, ISO’s Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider “Cyber” Insurance, LAW360 (Sept. 23, 2013).
159. 83 A.3d 664 (Conn. App. Ct. 2014).
Rather, the court appears to accept that these costs would be covered—presumably in addition to any damage awards, settlements, and defense costs in connection with any underlying litigation brought by the impacted employees—provided there was a “publication” of the data. The court ultimately determined that the “publication” requirement was not satisfied because the plaintiffs “failed to provide a factual basis that the information on the tapes was ever accessed by anyone.”162 The court noted that there was nothing in the record to suggest that “the unknown party even recognized that the tapes contained personal information.”163 The court also cited to a letter to IBM employees stating that there was “no indication that the personal information on the missing tapes, which are not the type that can be read by a personal computer, has been accessed or has been used for any improper purpose.”164 The court concluded that “because the parties stipulated that none of the IBM employees have suffered injury as a result of the tapes being lost,” the court was “unable to infer that there has been a publication.”165 The court also rejected the plaintiff’s argument that the triggering of statutes requiring IBM to notify its affected employees of the data loss gave rise to “presumptive invasions of privacy,” finding that “merely triggering a notification statute is not a substitute for a personal injury.”166

Although the insureds in the Recall case did not ultimately prevail, in contrast to the facts in that case, there will be no doubt in many data breach cases, such as the Target breach, that there has been a “publication” of the data of those individuals impacted by the data breach.

160. ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §§ 1.a., 14.e.
161. Recall Total, 83 A.3d at 672 (court’s emphasis).
162. Id.
163. Id. at 673 n.9.
Under Recall, therefore, and numerous other cases, the “personal injury” coverage presumably would be triggered by facts such as those at issue in connection with the Target breach. In addition to invasion of privacy, the plaintiffs in the class action litigation brought against Target specifically allege harm arising from breach of state data breach notification statutes. For example, one of the first class action suits filed against Target (the day the breach was confirmed) alleges that Target breached California’s data breach notification law by “fail[ing] to disclose . . . without unreasonable delay, and in the most expedient time possible, the breach of security” after Target “knew or reasonably believed such information had been compromised” and that, as a result, “[p]laintiff and other class members incurred economic damages, including expenses associated with necessary credit monitoring.”167 Based on the allegations of the Target putative class plaintiffs (and putting aside the merits of their allegations), Target is not a case, as opposed to Recall, where there was a “mere triggering” of notification statutes.

(c) Sony—On February 21, 2014, a New York trial court judge let Sony’s insurers, Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co., off the coverage hook for Sony’s massive 2011 PlayStation data breach. That breach, in which hackers stole the personally identifiable information of PlayStation users, is one of the largest data breaches to date. In the wake of the breach, Zurich filed a declaratory judgment action against Sony, and Sony’s other insurers, seeking to avoid or minimize its coverage obligations. The coverage litigation turns on whether Sony is covered for the data breach under Coverage B of its CGL insurance policies. Under the standard industry form, which is materially the same as Sony’s policies, Zurich committed to “pay those sums that [Sony] becomes legally obligated to pay as damages because of ‘personal and advertising injury’,” which is defined to include “injury . . . arising out of . . . [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” While insurers frequently attempt to avoid coverage for privacy-related claims by arguing that the requirements of a “publication,” “right of privacy,” or both are not satisfied, this would have been a weak argument for Zurich. Instead, Zurich sought to avoid coverage (so far successfully) on the basis that Sony itself did not invade any privacy rights. In particular, in its cross motion for summary judgment, Zurich asserted that its policy “coverage is limited to protect against the purposeful and intentional acts committed by the insured or its agents, not by non-insureds or third-parties.”168 Putting aside the fact that it is somewhat astonishing for an insurer to take the position that “purposeful and intentional acts committed by the insured” are covered, the New York trial court agreed with this proposition, ruling from the bench that Sony’s liability policies are triggered only by actions by Sony and not by the actions of the third-parties who hacked into the network and stole the PII.

164. Id. at 673.
165. Id.
166. Id.
167. Kirk v. Target Corp., 3:13-cv-05885-NC (N.D. Cal.), ¶¶ 46, 73, 75.
With all respect to the New York trial court, this one should have been a clear Sony victory and should be overturned on appeal.169 Zurich, Sony’s insurer, itself has expressly recognized that the language of its policies may provide coverage in the event of a data security breach via hacking, i.e., third party actions, because hacking can lead to legal exposure to the insured (i.e., liability, which is the genuine coverage trigger, and not Sony’s action or inaction as now asserted by Zurich):

Security breaches via hacking, phishing, pharming, unauthorized internal access and the inadvertent disclosure of non-public personal information are all circumstances that can lead to legal exposure. Potential causes of action resulting from data security breaches may include increased risk of identity theft, actual or attempted identity theft, violation of consumer protection statutes, negligence, breach of contract, breach of fiduciary duty, and even fraud. A company’s standard property and casualty insurance policies may provide some coverage in the event of a data security breach, but specialized cyberliability coverages may be worth exploring and evaluating.170

In the meantime, however, the Sony decision underscores the issues that insureds face in obtaining coverage under CGL policies, even where there is a good argument in favor of coverage.

iv. ISO’s New Data Breach Exclusions—During the fall of 2013, ISO filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess, and umbrella CGL policies. These already have been approved by insurance regulators in at least forty-five U.S. states and territories to become effective on or after May 1, 2014. By way of example, one of the endorsements, entitled “Exclusion–Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability–Limited Bodily Injury Exception Not Included,” modifies the “electronic data” exclusion contained in Coverage A171 to state that “[t]his insurance does not apply to”:

Damages arising out of: (1) Any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or (2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data. This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.172

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”173

The endorsement also adds exclusionary language to Coverage B, which states that “[t]his insurance does not apply to”:

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information. This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.174

ISO states that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”175 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”176 The scope of this exclusion ultimately will be determined by judicial review.

Even before the recent 2014 data breach exclusions were introduced, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, entitled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key definition of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B). The endorsement states: “With respect to Coverage B Personal and Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.”177 Although this endorsement appears to have quietly flown in under the radar, in reality it is even more sweeping than the 2014 data breach exclusionary endorsements because it entirely eliminates in the first instance the key definition that is the “hook” for the data breach coverage under the CGL Coverage B, i.e., “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” Although it may take some time for the new (or similar) exclusions to make their way into CGL policies and the full reach of the exclusions will remain unclear until judicially tested, they provide another reason for companies to carefully consider specialty cybersecurity insurance policies.

It warrants mention that excess policies may provide broader coverage, even where a primary policy contains newer exclusions. The Southern District of Ohio’s recent July 2013 decision in Encore Receivable Management, Inc. v. Ace Property and Casualty Insurance Co.178 is instructive. In that case, the insureds faced two lawsuits, both alleging that the defendants recorded various telephone conversations without consent.179 The primary insurance policies contained the “Recording and Distribution of Material or Information in Violation of Law Exclusion” language contained in the 2007 and later ISO forms.180 The insureds contended that this exclusion “excludes coverage for the [underlying actions] because they constitute claims arising from the recording of information in violation of law” and therefore, their excess insurer “ha[d] an immediate duty to defend” the underlying actions.181 The excess policies stated that the insurer had a duty to defend “[w]hen damages sought for . . . ‘personal and advertising injury’ are not covered by ‘underlying insurance.’. . .”182 The excess policies did not contain the “Recording and Distribution of Material or Information in Violation of Law” exclusion.183 However, the excess insurer denied coverage on the basis that there was no “publication” because there was no “distribution of information to the public at large.”184 According to the insurer, “ ‘publication,’ as that term is used in the [insurance policies] requires the distribution of information or news to the public.”185 The insurer further argued that “eavesdropping is not an act of communication to the public, but rather an invasion of seclusion accomplished by a non-communicative act.”186 The court rejected this argument, finding that “the initial dissemination of the conversation constitutes a publication at the very moment that the conversation is disseminated or transmitted to the recording device” and, therefore, the court did not need to “find that the recordings were disseminated to the public in order to find publication.”187 The conceded applicability of the exclusion in the primary policies notwithstanding, therefore, the court concluded that the insurer “ha[d] an immediate duty to defend and pay the costs of defending” the underlying actions.188

b. Claims Alleging DDoS Attacks, Malware Transmission, and Other Claims Alleging Damage to, or Loss of Use of, Third-Party Data, Computers, or Computer Systems—Coverage for claims alleging damage to third-party data, computers, and computer systems may be available under the “Bodily Injury And Property Damage” section of the standard ISO CGL policy form, which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of . . . ‘property damage’ ” that “occurs during the policy period.”189 In addition to providing indemnity coverage, the standard form states that the insurer “will have the right and duty to defend the insured against any ‘suit’ ” seeking potentially covered damage.190 For many years, the ISO standard form has defined “property damage” to include “[p]hysical injury to tangible property, including all resulting loss of use of that property” and “[l]oss of use of tangible property that is not physically injured.”191

One major issue in cases alleging lost or damaged data, software, computers, or computer systems is whether the definition of “property damage” is satisfied.

168. See, e.g., Zurich Am. Ins. Co.’s Mem. of Opp. to Sony Computer Entertainment Am. LLC’s Motion for Partial Summary Judgment and in Support of Cross-Motion for Summary Judgment, at 16 (Aug. 30, 2013).
169. See Roberta D. Anderson, Five Reasons Why the Sony Data Breach Coverage Decision Is Wrong, K&L Gates LLP Ins. Coverage Alert (Mar. 10, 2014), available at http://www.klgates.com/five-reasons-why-the-sony-data-breach-coverage-decision-is-wrong-03-102014/ (last visited Mar. 15, 2014).
170. Zurich, Data Security: A Growing Liability Threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589-C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (last visited Mar. 15, 2014).
171. See text accompanying note 214, infra.
172. See CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” Id.
173. ISO Commercial Lines Forms Filing CL-2013-0DBFR, at 8.
174. CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” Id.
175. ISO Commercial Lines Forms Filing CL-2013-0DBFR, at 8.
176. Id. at 3.
177. See CG 24 13 04 13 (2012) (“With Respect to Coverage B Personal and Advertising Injury Liability, Paragraph 14.e. of the Definitions Section Does Not Apply.”).
178. 2013 WL 3354571 (S.D. Ohio July 3, 2013) (Ohio law).
179. One action alleged that the defendant “operated a call center, and that [its] employees allegedly recorded various telephone conversations between Hyundai customers and . . . customer service representatives without obtaining the customers’ consent, and that these recordings were then distributed internally . . . for training and quality control purposes.” Id. at *1. The other action similarly alleged that the defendant “operated a call center and allegedly recorded various telephone conversations between Hyundai customers and Hyundai customer service representatives without obtaining the customers’ consent.” Id.
180. The exclusion in the primary policies stated that “[t]his insurance does not apply to ‘Personal and advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate . . . [a]ny federal, state or local statute, ordinance or regulation [other than certain irrelevant exceptions] that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” Id. at *4.
181. Id. at *2.
182. Id. at *1.
183. The excess policies included a different exclusion for “liabilities arising out of communications ‘in which the recipient has not specifically requested the communication’ and ‘to communications which are made or allegedly made in violation of . . . [a]ny statute, ordinance or regulation, other than the TCPA or CAN–Spam Act of 2003, which prohibits or limits the sending, transmitting, communicating or distribution of material or information.’ ” Id. at *4.
184. Id. at *2.
185. Id. at *8.
186. Id.
187. Id. The court also found inapplicable the “prior publication,” “professional services,” “contractual liability,” and “criminal act” exclusions.
188. Id. at *13.
189. ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §§ 1.a., 1.b.(2). ISO’s new standard CGL policy forms, including both its occurrence-based form (CG 00 01 04 13) and claims-made form (CG 00 02 04 13), came into effect on April 1, 2013. However, the pertinent insuring language has remained the same for many years. See, e.g., ISO Form CG 00 01 11 85 (1986).
190. ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, § 1.a.
191. See, e.g., ISO Form CG 00 01 04 13 (2012), Section V, § 17; ISO Form CG 00 01 11 85 (1986), Section V, § 12.
A standard form definition of “property damage” includes both (1) “[p]hysical injury to tangible property, including all resulting loss of use of that property”; and (2) “[l]oss of use of tangible property that is not physically injured.”192 Insurers typically argue that data is not “tangible property” that can suffer “physical injury” and, therefore, cannot satisfy the definition of “property damage.” However, a number of courts have held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury” and have upheld coverage on this basis.

For example, the Minnesota intermediate appellate court determined that a computer tape and data were “tangible property” in Retail Systems, Inc. v. CNA Insurance Co.193 In that case, the claimant filed suit against the insured, a data processing consultant, seeking damages allegedly suffered as a result of the loss of a computer tape and its data, which had disappeared during remodeling of the insured’s computer room.194 The insured tendered the claim to its insurer, which denied coverage. The court considered the following question on appeal: “Did the trial court err by finding that the computer tape and data were tangible property?”195 Finding “no precedent in Minnesota or elsewhere” concerning “whether computer tapes and data are tangible property under an insurance policy,”196 the court concluded that “[a]t best, the policy’s requirement that only tangible property is covered is ambiguous” and, therefore, the language “must be construed in favor of the insured.”197 Therefore, the court upheld the trial court’s finding “that the computer tape and data were tangible property under the insurance policy.”198 In reaching its decision, the court found it significant that “[t]he data on [a] tape was of permanent value and was integrated completely with the physical property of the tape.”199

Other decisions likewise support an argument that data is tangible property,200 including decisions considering the issue in the first-party property context. The decisions are not uniform, however, and a number of decisions have held that computer data is not tangible property and therefore is not susceptible to property damage.201 A leading insurance law authority notes that the issue as to whether “computerized information is tangible property” has “not been satisfactorily resolved.”202 Under the law of many states, however, this fact alone would militate in favor of a finding of coverage.203

Even where a court determines that data itself is not “tangible” property that can suffer “physical injury,” there should be coverage for claims alleging damage to or loss of use of computers and system components under the second prong “b” of the definition of “property damage.”204 The Western District of Oklahoma’s decision in State Auto Property & Casualty Insurance Co. v. Midwest Computers & More205 is instructive. In that case, the claimants brought a lawsuit alleging that the insured’s negligent performance of service work on their computer system had “deprived [them] of the use of their computers,” and that the claimants “lost extensive amounts of appraisal data and other business information which was [sic] stored on their computer system.”206 The insured sought defense and the insurer brought an action seeking a declaration that it has no duty to indemnify or defend its insured.207

192. ISO Form CG 00 01 04 13 (2012), Section V, § 17. “Property damage” is defined in the current form as follows: 17. “Property damage” means: a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it. For the purposes of this insurance, electronic data is not tangible property. As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. ISO Form CG 00 01 04 13 (2012), Section V, § 17.
193. 469 N.W.2d 735 (Minn. Ct. App. 1991).
194. Id. at 736.
195. Id. at 737.
196. Id.
197. Id.
198. Id. at 738. The court also found inapplicable an exclusion for “damage to property ‘entrusted’ to the insured ‘for storage or safekeeping.’ ” Id. at 737.
199. Id. Conversely, the court did not find relevant certain “property and sales tax cases that address the question whether recorded material is tangible property for tax purposes,” finding it “inappropriate to apply tax law to the interpretation of an insurance policy.” Id. at 737 n.1.
200. See, e.g., Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288, 1290–91 (7th Cir. 1983) (California law) (holding that the insurer had a duty to defend a suit alleging that the insured, a company that sold computer hardware and software products, introduced a faulty controller into the plaintiff’s data processing system, causing “loss of customer billing and patient care information,” finding that “[a] fair reading of the complaint . . . clearly raises the spectre that liability for property damage may ensue”); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380, slip op. at 3–4 (2d Dist. Ct. N.M. May 24, 2000) (finding that computer data “was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed” and concluding that “computer data is tangible property” where the claimant sought the cost of reconstructing data files after the insured reformatted its hard drive and erroneously stated that the “data could not be retrieved”), rev’d in part on other grounds, 46 P.3d 1264 (N.M. Ct. App. 2002).
201. See, e.g., Liberty Corp. Capital Ltd. v. Security Safe Outlet, Inc., 2013 WL 1311231, at *7 (E.D. Ky. Mar. 27, 2013) (Kentucky law) (“[W]hat [the plaintiff] alleges was misappropriated were [the plaintiff]’s customer’s email addresses obtained from an electronic backup copy of [the plaintiff]’s customer database. Because such ‘property’ has no physical form or characteristics, it simply does not fall within the definition of ‘tangible property.’ ”); Cincinnati Ins. Co. v. Prof’l Data Servs., Inc., 2003 WL 22102138, at *6–7 (D. Kan. July 18, 2003) (predicting Kansas law) (“[T]he Underlying Action is limited to allegations of the loss of use of the APM Software and the lost or corrupted patient account data incorporated therein. . . . Neither the APM Software nor the data incorporated therein constitute tangible property because neither has any physical substance and neither is perceptible to the senses”); America Online Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459, 467, 468–69 (E.D. Va. 2002) (“Similar to the information written on a notepad, or the ideas recorded on a tape, or the design memorialized in a blueprint, computer data, software and systems are intangible items stored on a tangible vessel—the computer or a disk. . . . In light of the plain meaning of the term tangible and established case-law, the Court holds that the Policy does not cover damage to computer data, software and systems because such items are not tangible property.”), aff’d, 347 F.3d 89 (4th Cir. 2003); State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113, 1116 (W.D. Okla. 2001) (Oklahoma law) (“Although the medium that holds the information can be perceived, identified or valued, the information itself cannot be. Alone, computer data cannot be touched, held, or sensed by the human mind; it has no physical substance. It is not tangible property.”). Cf. Lucker Mfg. v. Home Ins. Co., 23 F.3d 808 (3d Cir. 1994) (holding that an insurer had no duty to defend or indemnify claims alleging loss of use of a product design because “none of the losses [the claimant] sought from [the insured] represented a loss in value of the storage medium in which the design . . . was embodied or in the costs in reducing the design to blueprints or computer tape (e.g., the costs of having engineers draw up the plans for the system),” but rather “was for the loss of use of the design itself—for the loss in usefulness of the original concept,” which was “not loss of use of something which could be touched or felt”); St. Paul Fire & Mar. Ins. Co. v. Nat’l Computer Sys., Inc., 490 N.W.2d 626, 631–32 (Minn. Ct. App. 1992) (“[The claimant]’s claims . . . alleged that [the insured] misappropriated . . . proprietary information. [The claimant] was not suing [the insured] for . . . misappropriation of the binders in which [The claimant]’s information was kept; [the claimant] was suing [the insured] for taking information that gave [the insured] a competitive advantage over Boeing. Boeing had sought to keep the information in the binders confidential; it was the loss of the confidential nature of the information that led to [the claimant]’s damages, not the loss of the binders containing the information. . . . Misappropriation of confidential proprietary information does not constitute property damage within the meaning of the [insurance] policy.”) (distinguishing Retail Systems).
202. 9 COUCH ON INSURANCE § 126:40 (3d ed. 2012); see also Catherine L. Rivard & Michael A. Rossi, Is Computer Data “Tangible Property” or Subject to “Physical Loss or Damage”?— Part 1 (Aug.
2001), available at http://www.irmi.com/expert/articles/2001/rossi08.aspx (last visited July 12, 2013) (“the lack of clear and unequivocal case law on the subject can leave some commercial insurance buyers in the dark as to the scope of coverage for computer data losses provided by their insurance programs”). 203. See, e.g., Cohen v. Erie Indem. Co., 432 A.2d 596, 599 (Pa. Super. Ct. 1981) (“[t]he mere fact that several appellate courts have ruled in favor of a construction denying coverage, and several others have reached directly contrary conclusions, viewing almost identical policy provisions, itself creates the inescapable conclusion that the provision in issue is susceptible to more than one interpretation”). 204. See Jerold Oshinsky et al., Fighting Phishing, Pharming, and Other Cyber-Attacks: Coverage for High Tech Liabilities, URMIA J. REPRINT, at 20 (2010), available at http://jenner.com/ system/assets/publications/274/original/URMIA_Journals_2010_.pdf?1313178664 (last visited May 13, 2013) (“If a cyber-attack causes physical damage to an organization’s servers or hard drives, the insurer must cover the losses because there is no question that there has been direct physical damage.”). 205. 147 F. Supp. 2d 1113 (W.D. Okla. 2001) (Oklahoma law). 206. Id. at 1115. 207. See id. Viruses, Trojans, and Spyware 571 Although the court would have “conclude[d] that computer data is intangible, not tangible, personal property,”208 the court noted that this is “not dispositive” in view of “the second part of the policy’s definition of [property damage], which includes “loss of use of tangible property.”209 The court concluded that the allegation of loss of use of the claimant’s computers was “clearly” “property damage” as defined in the policy: “The [claimants] plainly allege in their state court petition that defendant’s negligence caused a loss of use of their computers. . . . 
Because a computer clearly is tangible property, an alleged loss of use of computers constitutes “property damage” within the meaning of plaintiff ’s policy.”210 There may be coverage, therefore, in data breach cases where the claimants allege loss of use. This issue may be considered in the Sony data breach insurance coverage litigation, since at least one of the class action complaints alleges loss of use of PlayStation consoles: Plaintiffs seek damages to compensate themselves and the Class for their loss (both temporary and permanent) of use of their PlayStation consoles and the PlayStation® Network and Qriocity services (collectively referred to herein as ‘PSN’ service), and their time and effort spent attempting to protect their privacy, identities and financial information.211 In addition to the question of whether data is “tangible,” another potential hurdle for insureds is that the current ISO standard-form policy and other ISO standard-form policies effective on or after December 1, 2001, expressly exclude “electronic data” from the definition of “property damage.”212 In addition, ISO standard-form policies effective on or after December 1, 2004, expressly exclude “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”213 “Electronic data” is defined as follows: As used in this exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer soft208. Id. 209. Id. at 1116. 210. Id. The court denied coverage, however, based on application of the “your work” exclusion. See id. at 1117; see also Nationwide Ins. Co. v. Hentz, 2012 WL 734193, at *3–5 (S.D. Ill. Mar. 6, 2012) (holding that a homeowner’s general liability policy potentially covered “notification, credit monitoring and insurance costs” as “ ‘damages. . . . 
Because of ‘property damage’ ” resulting from the theft of a CD-ROM containing personally identifiable information where “the medium on which the data were stored—the CD–ROM—was stolen” and thus the insured “clearly suffered a ‘loss of use’ of that ‘tangible property,’ ” but holding that coverage was barred by an exclusion for “property . . . in the care of the ‘insured’ ”). 211. Johns v. Sony Computer Entm’t Am. LLC, 3:11-cvN263-EDL, ¶ 8 (N.D. Cal. Apr. 27, 2011). 212. See note 192, supra. 213. See CG 00 01 04 13 (2012), Section I, Coverage A, § 2.p. 572 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) ware, including systems and applications software, hard or floppy disks, CDROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment. Courts generally have upheld such limitations and exclusions.214 It is important to recognize that “data” limitations and exclusions may not vitiate coverage, however. Coverage may have been added back through endorsement. For example, the ISO “Electronic Data Liability Endorsement” adds “electronic data” back to the definition of “property damage”215 Coverage also may have been purchased through the ISO “Electronic Data Liability Coverage Form,”216 under which the insurer pays “those sums that the insured becomes legally obligated to pay as damages because of ‘loss of electronic data’ ” that “[i]s caused by an ‘electronic data incident[.]’ ”217 214. See, e.g., Liberty Corp. Capital Ltd. v. Sec. Safe Outlet, Inc., 2013 WL 1311231, at *7 (E.D. Ky. Mar. 27, 2013) (Kentucky law) (“[T]he terms of the Policy clearly and unequivocally exclude ‘electronic data,’ including information stored, created or used on computer software, from the definition of ‘tangible property.’ Information obtained from [the insured]’s customer database falls squarely within this exclusion.”); Union Pump Co. v. Centrifugal Tech., Inc., 2009 WL 3015076, at *2 (W.D. La. Sept. 
18, 2009) (holding that there was no coverage for claims alleging “the unauthorized and wrongful use, and ultimately, the destruction of its design drawings, autocad drawings, and pump models” where the policy definition of “property damage” stated that “electronic data is not tangible property” and “[t]he policy itself specifically excludes electronic data, which would encompass all electronic copies of the design and autocad drawings”); Recall Total Info. Mgmt., 2012 WL 469988, at *1, 5 (holding that there was no coverage for “$2,467,245 for notifying current and/or former employees, $595,122 for maintaining call centers and $3,130,101 for credit monitoring services” incurred by the claimant after “an IBM cart containing electronic media fell out of [the insured’s] transport van” and “[t]he cart and approximately 130 computer data tapes, containing personal information for more than 500,000 IBM employees, were then removed by an unknown person and never recovered” where the policy definition of “property damage” stated that “electronic data is not tangible property and that electronic data is explicitly excluded from the definition of tangible property”). 215. The endorsement provides in relevant part: 17. “Property damage” means: a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it; or c. Loss of, loss of use of, damage to, corruption of, inability to access, or inability to properly manipulate “electronic data”, resulting from physical injury to tangible property. All such loss of “electronic data” shall be deemed to occur at the time of the “occurrence” that caused it. For the purposes of this insurance, “electronic data” is not tangible property. 
ISO Form CG 04 37 04 13 (2012), ¶ D. The endorsement defines “electronic data” as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), hard or floppy disks, CDROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” Id. ¶ C. 216. CG 00 65 04 13 (2012). 217. Id. § I.1.a., b(1)(a). “Loss of electronic data” is defined as “damage to, loss of, loss of use of, corruption of, inability to access, or inability to properly manipulate, ‘electronic Viruses, Trojans, and Spyware 573 Standard form ISO policies written or effective on or before December 1, 2001, moreover, do not except “electronic data” from the definition of “property damage”218 and do not exclude “electronic data.” Even recently issued policies may not contain such exceptions or exclusions. One might reasonably presume, for example, that the Zurich policies in the Sony PlayStation coverage litigation, which as alleged were effective for the policy period beginning April 1, 2011,219 do not contain any express exceptions or exclusions—none are raised in Zurich’s complaint.220 Even where a policy contains an express “electronic data” exclusion, moreover, there should be coverage if a cyber attack causes physical damage to or loss of use of computers or computer systems. For example, the Eighth Circuit in Eyeblaster, Inc. v. 
Federal Insurance Co.221 held that an insurer had a duty to defend a complaint alleging injury to the plaintiff ’s “computer, software, and data after he visited [the insured’s] website.”222 The plaintiff alleged that “his computer was infected with a spyware program from [the insured] on July 14, 2006, which caused his computer to immediately freeze up” and that “he lost all data on a tax return on which he was working and that he incurred many thousands of dollars of loss.”223 The plaintiff further alleged that “he ha[d] experienced the following: numerous pop-up ads; a hijacked browser that communicates with websites other than those directed by the operator; random error messages; slowed computer performance that sometimes results in crashes; and ads oriented toward his past web viewing habits.”224 The insured’s CGL policy obligated “the insurer to provide coverage for property damage caused by a covered occurrence.”225 “Property damdata.’ ” Id. § VI.10. “Electronic data incident” is defined as “an accident, or a negligent act, error or omission, or a series of causally related accidents, negligent acts, or errors or omissions, which results in ‘loss of electronic data’.” Id. § VI.6. 218. See, e.g., ISO Form CG 00 01 07 98 (1997), Section V, § 17; ISO Form CG 00 01 01 96 (1994), Section V, § 15; ISO Form CG 00 01 10 93 (1992), Section V, § 15; ISO Form CG 00 01 11 88 (1991), Section V, § 12. 219. Complaint ¶¶ 41, 48, 55. 220. In contrast, in a case filed in February 2012, Arch Insurance Co. v. Michaels Stores, Inc., 1:12-cv-00786 (N.D. 
Ill.), the insurer denied coverage for underlying lawsuits alleging that the insured had failed to safeguard its retail store PIN pad devices, based on the “electronic data” exclusion and the updated definition of “property damage.” As Arch alleged, “[t]o the extent the lawsuit alleges ‘bodily injury’ or ‘property damage’ under Coverage A, any coverage for such ‘bodily injury’ or ‘property damage’ is eliminated by the ‘Electronic Data’ exclusion.” Complaint ¶ 25(d); see also id. ¶ 21 (quoting the “property damage” definition). The Arch lawsuit was stayed and dismissed in September 2012 without prejudice in order for the parties to finalize the terms of a settlement. See Docket Minute Entry No. 50 (Sept. 10, 2012). The docket, as of March 15, 2014, indicates that the parties have filed a Joint Motion to Dismiss. See Docket Minute Entry No. 50 ( July 1, 2013). 221. 613 F.3d 797 (8th Cir. 2010). 222. Id. at 799. 223. Id. at 800. 224. Id. 225. Id. at 801. 574 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) age” was defined in the policy at issue as “physical injury to tangible property, including resulting loss of use of that property . . . 
; or loss of use of tangible property that is not physically injured.”226 The definition of “tangible property” excluded “any software, data or other information that is in electronic form.”227 Notwithstanding the exclusion, the court held that the insurer was obligated to defend the insured because the complaint alleged “loss of use of tangible property that is not physically injured” under the second prong of the “property damage” definition: [The insured] points to language from the [claimant’s] complaint in which he alleges his computer was “taken over and could not operate,” “froze up,” and would “stop running or operate so slowly that it will in essence become inoperable.” [The claimant] also alleges that he experienced “a hijacked browsera browser program that communicates with websites other than those directed by the operator,” and “slowed computer performance, sometimes resulting in crashes.” [The claimant] asserts that his computer has three years of client tax returns that he cannot transfer because he believes the spyware files would also be transferred, and he therefore must reconstruct those records on a new computer. He thus argues that his computer is no longer usable, as he claims among his losses “the cost of his existing computer.” [The insurer] did not include a definition of “tangible property” in its General Liability policy, except to exclude “software, data or other information that is in electronic form.” The plain meaning of tangible property includes computers, and the [underlying] complaint alleges repeatedly the “loss of use” of his computer. We conclude that the allegations are within the scope of the General Liability policy.228 Other common policy exclusions, such as the “your work,”229 “impaired property,”230 or “intentional act”231 exclusion may apply, however, and it is important to recognize that resolution of each claim will depend 226. Id. 227. Id. 228. Id. at 801–02. 229. See, e.g., Midwest Computers, 147 F. Supp. 
2d at 1116 (the insurer had no duty to defend or indemnify because the policy “your work” exclusion barred coverage for “allegations that defendant’s negligent performance of service work caused [the claimants] to lose the use of their computers”). 230. See, e.g., Am. Online, 207 F. Supp. 2d at 93, 98–99 (holding that the impaired property exclusion barred coverage for complaints alleging “in general that AOL’s Version 5.0 access software altered the customers’ existing software, disrupted their network connections, caused them loss of stored data, and caused their operating systems to crash” and declining to address whether the underlying complaints “allege[d] loss of use”). 231. See, e.g., Compaq Computer Corp. v. St. Paul Fire & Mar. Ins. Co., 2003 WL 22039551, at *7 (Minn. Ct. App. Sept. 2, 2003) (Texas law) (“even if we were to decide that data stored on a floppy disk are ‘tangible property,’ the intentional-acts exclusion prohibits coverage under the Tech GL agreement”). Viruses, Trojans, and Spyware 575 upon the specific facts of such claim, the specific policy language at issue,232 and applicable law. As claims increase, we can expect to see more courts addressing whether such claims raise sufficient issues to at least trigger a defense obligation under the CGL Coverage A. c. “Cyber”-Related Infringement Claims—The current ISO form definition of “personal and advertising injury” includes the “offenses” of “[t]he use of another’s advertising idea in your ‘advertisement’ ” and “[i]nfringing upon another’s copyright, trade dress or slogan in [the insured’s] ‘advertisement.’ ”233 There may be coverage for cyber-related infringement of intellectual property under this standard form language. Although insurers sometimes argue that offenses such as copyright, trade dress or trademark infringement are not covered because the “unauthorized use” exclusion234 applies, insureds have met with some success in achieving coverage. 
The Eleventh Circuit’s recent decision in St. Luke’s Cataract and Laser Institute, P.A. v. Zurich American Insurance Co.235 is instructive. In that case, the insured had worked as an oculoplastic surgeon at St. Luke’s Cataract and Laser Institute, P.A., where he worked with a webmaster to create a website to promote St. Luke’s oculoplastic surgery practice. The webmaster registered the domain names LASERSPECIALIST.com and LASEREYELID.com to use for the website.236 Each page of the website contained a copyright notice stating “Copyright © [Year] St. Luke’s Cosmetic Laser Center, All Rights Reserved.”237 After resigning from St. Luke’s, the insured relaunched the website using the same domain names.238 St. Luke’s brought suit alleging, among other things, copyright infringe232. Although the ISO standard forms are used by a majority of insurers, some insurers use their own terms and conditions that may be broader or more restrictive than the ISO forms. 233. ISO Form CG 00 01 04 13 (2012), Section V, § 14.g. 234. The current ISO form states that “[t]his insurance does not apply to”: l. Unauthorized Use Of Another’s Name Or Product “Personal and advertising injury” arising out of the unauthorized use of another’s name or product in your e-mail address, domain name or metatag, or any other similar tactics tomislead another’s potential customers. CG 24 13 04 13 (2012), Section I, Coverage B, § 2.l. Insurers also typically raise the “knowing violation of rights” exclusion: a. Knowing Violation Of Rights Of Another “Personal and advertising injury” caused by or at the direction of the insured with the knowledge that the act would violate the rights of another and would inflict “personal and advertising injury.” CG 24 235. 236. 237. 238. 13 04 13 (2012), Section I, Coverage B, § 2.a. 506 Fed. App’x 970 (11th Cir. 2013) (Florida law). See id. at 972. Id. at 973. See id. 
576 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) ment and removal of the copyright notice in violation of the Digital Millennium Copyright Act (DMCA).239 Eventually, the insured and St. Luke’s settled for a $2.4 million final judgment against the insured and pursued insurance coverage.240 The insurers denied coverage, arguing that “although the policies may provide coverage for copyright infringement, such claims are not covered when they: Aris[e] out of the unauthorized use of another’s name or product in your e-mail address, domain name or metatag, or any other similar tactics to mislead another’s potential customers.”241 The district court agreed and the insured and St. Luke’s appealed. The Eleventh Circuit reversed. Considering first the copyright infringement claim, the court found that the claim was based on “wrongful use of the contents, layout, and design of St. Luke’s LASERSPECIALIST.com website,” which is “not the same thing as the use of ‘another’s name or product.’ ”242 The court further found that the insured “used the content for display on his own website, rather than in an ‘e-mail address, domain name or metatag.’ ”243 The court refused to “allow the ‘similar tactics’ language to swallow the narrow language used in the exclusion and turn it into a catch-all exclusion for the use on the Internet in any way of material belonging to another.”244 Finally, the court found the requisite causal connection lacking: “[n]either the district court nor the Insurance Companies point to any causal connection between [the insured]’s copyright infringement and his use of St. Luke’s domain name as required by Florida law. St. 
Luke’s copyright claim may be related to—but it does not arise out of—[the insured]’s use of the LASERSPECIALIST.com domain name.”245 Turning to the DMCA claim, the Eleventh Circuit likewise held the exclusion imapplicable: “[t]he DMCA violation does not itself constitute either (i) unauthorized use of another’s name or product in an email address, domain name or metatag, or (ii) a similar tactic to mislead another’s customers. Nor can it be said to arise out of such conduct.”246 239. See id. 240. Id. at 974. 241. Id. 242. Id. at 976. 243. Id. 244. Id. 245. Id. at 978. 246. Id. at 978–79. Compare CollegeSource, Inc. v. Travelers Indem. Co. of Conn., 507 Fed. App’x 718, 720 (9th Cir. 2013) (“The only reasonable reading of the complaint’s allegation (that CollegeSource used AcademyOne’s domain name in its own domain name in a way likely to cause confusion in the marketplace) is that it claims injury from an activity that (1) is “similar to” the unauthorized use of another’s name or product in one’s domain name, and (2) would mislead customers.”). Viruses, Trojans, and Spyware 577 In addition to the potential applicability of exclusions, coverage disputes and decisions often turn on whether there is an “advertisement.” The industry standard form has, since 1998, defined “advertisement” as follows: “ ‘Advertisement’ means a notice that is broadcast or published to the general public or specific market segments about your goods, products or services for the purpose of attracting customers or supporters.”247 Since 2001, the standard form has contained the following additional language: For the purposes of this definition: a. Notices that are published include material placed on the Internet or on similar electronic means of communication; and b. 
Regarding web-sites, only that part of a website that is about your goods, products or services for the purposes of attracting customers or supporters is considered an advertisement.248 In contrast, the 1996 and prior industry standard forms do not use or define the term “advertisement”; rather, they use and define the term “advertising injury” as follows: 1. “Advertising injury” means injury arising out of one or more of the following offenses: a. Oral or written publication of material that slanders or libels a person or organization or disparages a person’s or organization’s goods, products or services; b. Oral or written publication of material that violates a person’s right of privacy; c. Misappropriation of advertising ideas or style of doing business; or d. Infringement of copyright, title or slogan.249 The decisions are mixed and turn on the specific policy language at issue, the particular facts of the case, and applicable law.250 247. ISO Form CG 00 01 07 98 (1997), Section V, § 1. 248. ISO Form CG 00 01 10 01 (2000), Section V, § 1. 249. ISO Form CG 00 01 01 96 (1994), Section V, § 1. The coverage agreement in the 1996 and prior forms states that the insured “will pay those sums that the insured becomes legally obligated to pay as damages because of . . . ‘advertising injury’ . . . caused by an offense committed in the course of advertising your goods, products or services.” Id. Section I, Coverage B § 1. Prior to 1986, this coverage was offered under a “Broad Form Endorsement” that defined “advertising injury” as “injury arising out of an offense committed during the policy period occurring in the course of the named insured’s advertising activities, if such injury arises out of libel, slander, defamation, violation of right of privacy, piracy, unfair competition, or infringement of copyright, title or slogan.” 250. Compare Sentex Sys., Inc. v. Hartford Acc. & Indem. Co., 93 F.3d 578, 580 (9th Cir. 
1998) (“Hartford’s principal contention is that the district court erred . . . because ‘advertising injury,’ defined in part in the policy as arising out of the ‘misappropriation of advertising ideas,’ ” includes only alleged wrongdoing that involves the text, words, or form of an advertisement. This policy’s language . . . does not limit itself to the misappropriation of an actual 578 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) 2. Potential Coverage Under Property Policies a. Injury to Computers, Data, Networks, and Components—Most companies have insurance coverage that is intended to insure the company’s own assets. By way of example, the 2007 standard-form ISO commercial property policy covers the insured for “direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.”251 Property policies advertising text. It is concerned with ‘ideas,’ a broader term.”) and Liberty Corp. Capital Ltd. v. Sec. Safe Outlet, Inc., 2013 WL 1311231, at *12 (E.D. Ky. Mar. 27, 2013) (Kentucky law) (finding that “email ‘blasts’ would appear to constitute a notice that is broadcast to a specific market segment about [the insured]’s goods, products or services for the purpose of attracting customers, and, accordingly, potentially fall within the Policy’s definition of an ‘advertisement,’ ” but ruling that, although the plaintiff ’s “claim for misappropriation of trade secrets [wa]s potentially covered as a ‘personal or advertising injury’ under the Policy,” a policy breach of contract exclusion precluded coverage) with Oglio Entm’t Group, Inc. v. Hartford Cas. Ins. Co., 132 Cal. Rptr. 3d 754, 763 n.7 (Cal. Ct. App. 2011) (“There is no description of any advertisement used by [the insured], or any allegation that [the insured] used an advertisement that copied an advertisement or advertising idea of [the claimant]. 
This is especially clear, given that the policy defines advertisement as the widespread dissemination of information or images with the purpose of selling a product[.] . . . Under earlier Hartford policy language that provided coverage for ‘misappropriation of advertising ideas or style of doing business,’ and which did not define ‘advertising,’ [the claimant] might have had a better argument.”) and Union Pump Co. v. Centrifugal Tech., Inc., 2009 WL 3015076, at *6–7 (W.D. La. Sept. 18, 2009) (Louisiana law) (finding no coverage for claims alleging “the unauthorized and wrongful use, and ultimately, the destruction of its design drawings, autocad drawings, and pump models” where the policy defined “advertisement” and where the court found that “no evidence was presented during the course of the trial that [the insureds] directly engaged in any act that would be consistent with advertisement” and “even if the Defendants had engaged in advertisement, such advertisement would fall within the exclusion contained in the policy [for ‘injuries caused by the insured with knowledge that the act would violate the rights of another’]”). Importantly, courts have found that even patent infringement may be covered if the patented concept is an advertising method. See, e.g., DISH Network Corp. v. Arch Specialty Ins. Co., 659 F.3d 1010, 1022 (10th Cir. 2011) (Colorado law) (holding that the insurer had a duty to defend claims alleging that the insured had infringed one or more claims in each of twenty-three patents by “making, using, offering to sell, and/or selling . . . automated telephone systems, including without limitation the DISH Network customer service telephone system, that allow [DISH’s] customers to perform pay-per-view ordering and customer service functions over the telephone” because the complaint “allege[d] that Dish misappropriated a product: it allegedly used, made, sold, or offered for sale a telephone system patented by RAKTL” and “may be read to allege actions that misappropriated patented advertising ideas, insofar as the product at issue was designed expressly for product promotion and dissemination of advertising information”); Hyundai Motor Am. v. Nat’l Union Fire Ins. Co., 600 F.3d 1092, 1100–03 (9th Cir. 2010) (California law) (holding that the insurer had a duty to defend claims alleging patent infringement resulting from certain features on its website, including a “build your own vehicle” (BYO) feature and a parts catalogue feature, because the underlying claims alleged a “misappropriation of advertising ideas” because they “allege[d] violation of a method patent involving advertising ideas” and “there [wa]s a direct causal connection between the advertisement (i.e., the use of the BYO feature on the website) and the advertising injury (i.e., the patent infringement)”).
251. ISO Form CP 00 99 06 07 (2007), Section A.

may be in the form of broadly worded “all-risk,” “difference in conditions,” “multiperil,” or “inland marine” policies. Similar to the “property damage” discussion above in connection with potential CGL coverage for cyber risks,252 a company’s ability to recover for cyber attacks under all-risk property policies may turn upon whether data loss comprises “physical loss of or damage” to “covered property.” A number of courts have held that data loss does comprise “physical loss” in the first-party context. The District of Arizona’s decision in American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc.253 is instructive.

In that case the insured sought coverage for damages it incurred when its three mainframe computers lost all of their programming information stored in random access memory as a result of a power outage and the lost programming information had to be re-entered.254 The insured suffered additional business interruption until its employees were able to bring the network back up to operation by means of bypassing a matrix switch, which needed to be reprogrammed.255 The insurer admitted that the insured’s “mainframe computers and the matrix switch did not function as before the power outage and that certain data entry and reconfiguration processes were necessary,” but denied coverage on the basis that “the computer system and the matrix switch were not ‘physically damaged’ because their capability to perform their intended functions remained intact.”256 The court rejected this argument, agreeing with the insured that “physical damage” can include “loss of use and functionality”:

At a time when computer technology dominates our professional as well as personal lives, the Court must side with [the insured]’s broader definition of “physical damage.” The Court finds that “physical damage” is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.257

The court therefore granted summary judgment to the insured.258

The Fourth Circuit’s decision in NMS Services Inc. v. Hartford259 is also instructive. In that case, a former employee of the insured software development company installed two hacking programs on the insured’s network systems, permitting the hacker to gain full access to the systems by “overriding security codes and unencrypting secured passwords.”260 This enabled him to cause “the erasure of vital computer files and databases necessary for the operation of the company’s manufacturing, sales, and administrative systems.”261 The insurer denied coverage and coverage litigation ensued. The court upheld coverage for business interruption under policy language stating that the insurer would “pay for the actual loss of Business Income [the insured] sustain[s] due to the necessary suspension of your ‘operations’ during the ‘period of restoration.’ The suspension must be caused by direct physical loss of or damage to property at the described premises. . . .”262 The court found that “[t]here [wa]s no question that [the insured] suffered damage to its property, specifically, damage to the computers it owned”—thus satisfying the policy requirement of “direct physical loss of or damage to property.”263 The court further held that the insured had extra expense coverage and additional coverage under an extension for “Valuable Papers and Records” for its “costs to research, replace or restore the lost information.”264 Other cases have likewise found in favor of coverage, including those discussed in the next section, although the decisions are not uniform.265

b. Business Interruption and Extra Expense—As the Ingram Micro and NMS Services cases illustrate, many first-party policies provide, in addition to repair or replacement coverage for the insured’s property, so-called time element coverages, including business interruption and extra expense coverages, that cover loss resulting from the company’s inability to conduct normal business operations. These coverages may cover business interruption resulting from a cyber attack.

252. See discussion supra accompanying notes 193–213.
253. 2000 WL 726789 (D. Ariz. Apr. 18, 2000).
254. See id. at *1.
255. See id. at *2.
256. Id.
257. Id. In support of its holding, the Ingram Micro court cited to various state and federal laws that make it a crime to cause “damage” to computer hardware or data, noting that “[l]awmakers around the country have determined that when a computer’s data is unavailable, there is damage; when a computer’s services are interrupted, there is damage; and when a computer’s software or network is altered, there is damage.” Id. at *3. The court observed that “[r]estricting the Policy’s language to that proposed by [the insurer] would be archaic.” Id.
258. See id. at *4.
259. 62 Fed. App’x 511 (4th Cir. 2003).
260. Id. at 513.
261. Id. at 512.
262. Id. at 514 (original emphasis).
263. Id.
264. Id. at 515. The court also found that a “dishonesty” exclusion in the policy was inapplicable because the insured’s “property was not only damaged, but was completely destroyed . . . which triggers the exception to the dishonesty exclusion. . . .” Id. at 514.
265. Compare Greco & Traficante v. Fid. & Guar. Ins. Co., 2009 WL 162068, at *5 (Cal. Ct. App. Jan. 26, 2009) (citing Ward) (“[I]t seems logical to say that one cannot suffer a direct physical loss of computer data unless that data has been stored on media and is unavailable for use as a result of corresponding computer damage . . . Even if the missing data were somehow stored on the computer, there is no evidence suggesting any loss of use or functionality of the computer occurred that would amount to a physical loss of covered property.”) with Ward Gen. Ins. Servs., Inc. v. Emp’rs Fire Ins. Co., 7 Cal. Rptr. 3d 844, 851 (Cal. App. Ct. 2003) (“Plaintiff did not lose the tangible material of the storage medium. Rather, plaintiff lost the stored information. The sequence of ones and zeros can be altered, rearranged, or erased, without losing or damaging the tangible material of the storage medium. We conclude the loss of the database, with its consequent economic loss, but with no loss of or damage to tangible property, was not a ‘direct physical loss of or damage to’ covered property under the terms of the subject insurance policy, and, therefore, the loss is not covered.”).
Business interruption coverage generally reimburses the insured for its loss of earnings or revenue resulting from covered property damage. For example, the ISO “Business Income (and Extra Expense) Coverage Form” covers the loss of net profit and operating expenses that the insured “sustain[s] due to the necessary ‘suspension’ of [the insured’s] ‘operations’ during the ‘period of restoration.’ ”266 Extra expense coverage generally covers the insured for certain extra expenses incurred to minimize or avoid business interruption and to resume normal operations. For example, the ISO standard form covers, among other things, “Extra Expense” to “[a]void or minimize the ‘suspension’ of business and to continue operations at the described premises or at replacement premises or temporary locations. . . .”267 Again, the business interruption and extra expense coverage is typically subject to a requirement of “direct physical loss.” For example, a 2007 standard industry business interruption form states that “[t]he ‘suspension’ [of the insured’s “operations”] must be caused by direct physical loss of or damage to property at premises which are described in the Declarations and for which a Business Income Limit of Insurance is shown in the Declarations.”268 Likewise, the form defines “Extra Expense” as “necessary expenses” that the insured “would not have incurred if there had been no direct physical loss or damage to property caused by or resulting from a Covered Cause of Loss.”269

Courts have upheld coverage for business interruption and extra expense caused by data loss, finding the “direct physical loss” requirement satisfied. The Texas appellate court’s decision in Lambrecht & Associates, Inc. v. State Farm Lloyds270 is instructive. In Lambrecht, the insured sought coverage for a loss of computer data and the related loss of business income after a “virus caused the [insured’s] computers to have difficulties while ‘booting up,’ perform a number of ‘illegal functions’ and eventually completely ‘freeze up,’ thereby rendering the computers useless.”271 The insured’s computer system had to be taken offline and its employees were unable to use their computers until the server was restored.272 The insurance policy at issue committed the insurer to “pay for accidental direct physical loss to business personal property” and “the actual loss of ‘business income’ [the insured] sustained due to the necessary suspension of [its] ‘operations’ during this ‘period of restoration.’ ”273 The court disagreed with the insurer’s argument that “the loss of information on [the insured’s] computer systems was not a ‘physical’ loss because the data . . . did not exist in physical or tangible form”274 and held that “the plain language of the policy dictates that the personal property losses alleged by [the insured] were ‘physical’ as a matter of law.”275 The court further held that “the business income [the insured] lost as a result of the virus [wa]s covered under the policy.”276

To the same effect is Southeast Mental Healthcare Center, Inc. v. Pacific Insurance Co., Ltd.277 In that case, a heavy rain and windstorm destroyed or disabled approximately twenty power and utility poles, resulting in the loss of electrical and telephone service at the insured’s property.278 The insured alleged “that the loss of electricity also damaged its pharmacy computer . . . which resulted in the loss of data from the computer” and that the insured’s “operations were suspended and it lost significant business income.”279 The insurer argued that “[the insured]’s business losses due to the damage to its pharmacy computer [we]re not covered because there was no direct physical damage to the computer.”280 The court rejected this argument and found “that the corruption of the pharmacy computer constitutes ‘direct physical loss of or damage to property’ under the business interruption policy.”281 In this regard, citing with approval the Ingram Micro case, the court found “the Ingram court’s reasoning persuasive, and finds that Plaintiff’s pharmacy computer sustained direct physical damage, within the meaning of the business interruption provision.”282 Accordingly, the court granted the insured’s motion for summary judgment “as to its loss of income due to the damaged computer drive.”283

In a more recent decision, the Middle District of Louisiana upheld coverage under a property policy in Landmark American Insurance Co. v. Gulf Coast Analytical Laboratories, Inc.284 The insured in Landmark provided chemical data analysis to the petrochemical industry and certain governmental agencies and, as part of its business, “analyze[d] chemical samples and stores the information as electronic data on a hard disk storage system . . . called a RAID5 system.”285 This system “failed to read two hard disk drives and resulted in the corruption of data,” resulting in “$112,000.00 in recovery costs to third party vendors and over $1 million in losses to business income.”286 The insured sought coverage under its property policy, which covered “risks of direct physical ‘loss or damage’ to Covered Property, including ‘computer viruses,’ except those causes of ‘loss and damage’ listed in the Exclusions.”287 The insurer filed suit “seeking declaratory judgment that electronic data is not susceptible to direct physical loss or damage.”288 The insurer argued that “electronic data is intangible in nature and, as a result, not susceptible to ‘direct, physical loss or damage’ as a covered cause of loss.”289 The court initially noted that “[t]he question of whether electronic data is physical or nonphysical has been debated in several jurisdictions and has led to various conclusions.”290 Although finding the “issue of whether stored data is physical” to be one of first impression in Louisiana, the court noted that Louisiana’s highest court “has determined electronic software data is physical.”291 Therefore, the court found that “according to Louisiana law, [the insured]’s electronic chemical analysis data must be considered a corporeal movable or physical in nature” and held that “summary judgment [wa]s appropriate, declaring that electronic data is susceptible to ‘direct, physical ‘loss or damage.’ ”292

c. Contingent Business Interruption and Service Interruption—In addition to business interruption coverage, companies may have “contingent business interruption” coverage that covers the insured with respect to losses, including lost earnings or revenue, as a result of damage, not to the insured’s own property, but to the property of an insured’s supplier, customer or some other business partner or entity. For example, the standard industry “Business Income From Dependent Properties” endorsement states that the insurer:

will pay for the actual loss of Business Income you [the insured] sustain due to the necessary “suspension” of your “operations” during the “period of restoration.” The “suspension” must be caused by direct physical loss of or damage to “dependent property” at a premises described in the Schedule caused by or resulting from a Covered Cause of Loss.293

Contingent business interruption may be increasingly important coverage in the context of “cloud” outsourcing of maintenance and control over data to third parties. As one commentator has noted, “business interruption losses resulting from loss of access to the cloud should, in the majority of cases, be covered under so-called ‘legacy’ contingent business interruption forms.”294

Although it should be noted that the above-quoted standard industry form contains a data limitation, which states that “coverage under this endorsement does not apply when the only loss to ‘dependent property’ is loss or damage to electronic data, including destruction or corruption of electronic data,”295 this exclusion should be inapplicable to many incidents of cloud interruption, including incidents in which it is the insured, rather than the “dependent property,” that sustains a loss of or damage to data.296

In addition to contingent business interruption coverage, an insured may have service interruption coverage. Covered services can include electricity, gas, water, phone, and sewer services. By way of illustration, the current standard ISO Utility Services–Time Element endorsement provides coverage for “loss of Business Income or Extra Expense at the described premises caused by the interruption of service to the described premises.”297 The endorsement further states that “[t]he interruption must result from direct physical loss or damage by a Covered Cause of Loss to the property. . . .”298 The interruption of service includes “Water Supply Services,” “Communication Supply Services,” and “Power Supply Services,” each as defined.299 An insured may have coverage in the event of a cyber security-based service interruption.

Although not specifically addressing a cybersecurity event, the decision in Wakefern Food Corporation v. Liberty Mutual Fire Insurance Co.300 is instructive. In that case, problems with the interconnected North American power system (the electrical grid) resulted in a four-day electrical blackout over much of the northeastern United States and eastern Canada and the insured supermarkets “suffered losses due to food spoilage during the blackout, in addition to incurring loss of business.”301 The insureds had purchased, in addition to a basic property policy, a “Services Away From Covered Location Coverage Extension,” which “extended coverage for consequential loss or damage resulting from an interruption of electrical power to [the insureds]’ supermarkets where that interruption is caused by ‘physical damage’ to specified electrical equipment and property located away from the supermarkets.”302 Following the outage, the insureds sought coverage for spoiled food and business interruption and the insurer denied coverage “under the ‘direct physical loss or damage’ portions of the [basic] policy and under the ‘physical damage’ part of the Extension.”303 In doing so, the insurer “characterized the food-spoilage damages as consequential and not direct losses and asserted that plaintiffs had failed to present ‘evidence of any physical damage to transmission lines, connections or supply pipes which furnish electricity to any covered location.’ ”304 The trial court granted summary judgment in favor of the insurer, holding that the grid was not physically damaged because it could be returned to service after the interruption. The insureds appealed.

266. ISO Form CP 00 30 06 07 (2007), Section A.1. “Period of restoration” is defined as “the period of time that”:
a. Begins:
(1) 72 hours after the time of direct physical loss or damage for Business Income Coverage; or
(2) Immediately after the time of direct physical loss or damage for Extra Expense Coverage;
caused by or resulting from any Covered Cause of Loss at the described premises; and
b. Ends on the earlier of:
(1) The date when the property at the described premises should be repaired, rebuilt or replaced with reasonable speed and similar quality; or
(2) The date when business is resumed at a new permanent location.
Id. Section F.3.
267. Id. Section A.2.
268. Id. Section A.1 (emphasis added).
269. Id. Section A.2.b (emphasis added).
270. 119 S.W.3d 16 (Tex. App. 2003).
271. Id. at 23.
272. Id. at 19.
273. Id.
274. Id. at 23.
275. Id. at 25. The policy in that case covered loss of business income caused by “accidental direct physical loss” to “electronic media and records,” as defined to include “electronic data processing, recording or storage media such as films, tapes, discs, drums or cells,” “data stored on such media” and “programming records used for electronic data processing or electronically controlled equipment.” Id.
276. Id.
277. 439 F. Supp. 2d 831 (W.D. Tenn. 2006) (Tennessee law).
278. See id. at 833.
279. Id. at 833–34.
280. Id. at 837.
281. Id.
282. Id. at 838.
283. Id. at 840.
284. 2012 WL 1094761 (M.D. La. Mar. 30, 2012) (Louisiana law).
285. Id. at *1.
286. Id.
287. Id. at *2.
288. Id. at *1.
289. Id.
290. Id. at *3.
291. Id. (following S. Cent. Bell Tele. Co. v. Barthelemy, 643 So. 2d 1240, 1244 (La. 1994)).
292. Id. at *4.
293. See, e.g., ISO CP 15 08 04 02 (2001), Section A. “Dependent property” is defined to include:
1. “Dependent Property” means property operated by others whom you depend on to:
a. Deliver materials or services to you, or to others for your account (Contributing Locations). But any property which delivers any of the following services is not a Contributing Location with respect to such services:
(1) Water supply services;
(2) Power supply services; or
(3) Communication supply services, including services relating to Internet access or access to any electronic network;
b. Accept your products or services (Recipient Locations);
c. Manufacture products for delivery to your customers under contract of sale (Manufacturing Locations); or
d. Attract customers to your business (Leader Locations).
Id. Section E.
294. Lon Berk, CBI for the Cloud, 21:6 COVERAGE, at 11 (ABA Nov./Dec. 2011); Scott N. Godes, Insurance Coverage for Denial-of-Service Attacks, 41:14 LAWYER’S BRIEF 6 (July 31, 2011) (“Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.”).
295. CP 15 08 04 02 (2001), Section A. The policy further states that “[t]he term electronic data has the meaning set forth in the Coverage Form to which this endorsement applies.” Id. The following is a typical definition: Electronic data means information, facts or computer programs stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), on hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other repositories of computer software which are used with electronically controlled equipment. The term computer programs, referred to in the foregoing description of electronic data, means a set of related electronic instructions which direct the operations and functions of a computer or device connected to it, which enable the computer or device to receive, process, store, retrieve or send data. ISO CP 15 08 04 02 (2001), Section A.4.c.
296. See Berk, supra note 294, at 16 (“This exclusion should not apply to the vast majority of incidents that might result in interruption of computation services provided by cloud vendors. . . . In the vast majority of cases, it will not be the dependent property that sustains such a loss, but the insured’s property that is unable to access data at a vendors server farms, that is, at the dependent property. The data in other words may remain intact at the server property, but not be accessible by the customer because of other loss at the dependent property.”).
297. BP 04 57 07 02, Section A. Again, it should be noted that the more recent iterations of this exclusion contain an “exception” stating that “[c]overage under this endorsement does not apply to Business Income loss or Extra Expense related to interruption in utility service which causes loss or damage to ‘electronic data,’ including destruction or corruption of ‘electronic data.’ ” See, e.g., BP 04 57 01 06 (2004), Section B; BP 04 57 07 13, Section B. Again, this would not void coverage for a lot of scenarios, including all those where “loss or damage to ‘electronic data’ ” causes the “interruption in service.”
298. BP 04 57 07 02, Section A.
299. Id. Section B.
In a thoughtful opinion, the Appellate Division, applying well-established principles of insurance contract interpretation, concluded “that the undefined term ‘physical damage’ was ambiguous and that the trial court construed the term too narrowly, in a manner favoring the insurer and inconsistent with the reasonable expectations of the insured.”305 The court found that “the electrical grid was ‘physically damaged’ because, due to a physical incident or series of incidents, the grid and its component generators and transmission lines were physically incapable of performing their essential function of providing electricity.”306 The court also “look[ed] at the larger picture concerning the loss of function of the system as a whole” and the reasonable expectations of the insureds:

[I]n concluding that the term “physical damage” is ambiguous, we consider the context, including the identity of the parties. These were not two electric utilities contracting about the technical aspects of the grid. Rather, the parties are an insurance company, in the business of covering risks, and a group of supermarkets that paid for what they believed was protection against a very serious risk—the loss of electric power to refrigerate their food. The average policy holder in plaintiffs’ position would not be expected to understand the arcane functioning of the power grid, or the narrowly-parsed definition of “physical damage” which the insurer urges us to adopt. In this context, we conclude that if [the insurer] intended that its policy would provide no coverage for an electrical blackout, it was obligated to define its policy exclusion more clearly.307

Likewise, the court found that “from the perspective of the millions of customers deprived of electric power for several days, the system certainly suffered physical damage, because it was incapable of providing electricity.”308 The court concluded that “the term ‘physical damage’ is capable of at least two different reasonable interpretations” and therefore “is ambiguous” and “must be construed favorably to the insured.”309 The court further noted that “[i]n reality, the entire system was incapable of producing power for several days.”310 The Appellate Division reversed the trial court opinion and remanded the case.311

300. 968 A.2d 724 (N.J. Super. Ct. App. Div. 2009).
301. Id. at 727.
302. Id. The Extension stated:
A. We will pay for consequential loss or damage resulting from interruption of:
(1) Power;
. . . .
B. We will pay only if the interruption results:
(1) From physical damage by a peril insured against;
(2) Away from a covered location; and,
(3) To the following types of property, if marked with an “X”:
(X) Any powerhouse, generating plant, substation, power switching station, gas compressor station, transformer, telephone exchange;
. . . .
(X) Transmission lines, connections or supply pipes which furnish electricity . . . to a covered location.
Id. at 728.
303. Id. at 732.
304. Id. at 732–33.
305. Id. at 734.
306. Id.
307. Id. at 734–35. While “acknowledg[ing] that based on the highly technical analysis in the Final Report, one could certainly argue that the system was not physically damaged,” the court noted that “the report was not written for the purpose of construing insurance policies; it was written as an operational analysis for the purpose of determining how the blackout occurred, who was at fault, and how future blackouts could be avoided.” Id. at 735.
308. Id. at 735.
309. Id.
310. Id. at 737.
311. See id. at 739. In view of its conclusion that the Extension covered the loss, the court declined to address the insured’s “argument premised on the all-risks portion of the basic policy pertaining to ‘direct physical loss to covered property.’ ” Id.
It is important to note that some standard forms seek to shift data loss from the principal coverage grant by excluding electronic data from the definition of “Covered Property” and instead providing coverage under “additional coverage” that may be subject to relatively low, presumptively inadequate, coverage sublimits. For example, the 2007 ISO Commercial Property Form excepts “electronic data” from the definition of “Covered Property”312 and provides coverage under an “Additional Coverage” that is limited to “$2,500 for all loss or damage sustained in any one policy year, regardless of the number of occurrences of loss or damage or the number of premises, locations or computer systems.”313 Likewise, the 2007 ISO standard-form Business Income (and Extra Expense) Coverage Form excludes coverage for electronic data under the main coverage part314 and provides coverage under an “Additional Coverage” subject to a $2,500 limit for “all loss sustained and expense incurred in any one policy year, regardless of the number of interruptions or the number of premises, locations or computer systems involved.”315

It should be noted that, as part of its recent April 2013 revisions to its commercial property forms, ISO has clarified that electronic data integrated into the operation of elevators, lighting, HVAC, and security systems shall no longer be subject to the $2,500 electronic data aggregate limit. This data shall be covered up to the limits of coverage. The Standard Property Policy316 now states:

2. Property Not Covered
Covered Property does not include:
. . . .
n. Electronic data, except as provided under the Additional Coverage, Electronic Data. Electronic data means information, facts or computer programs stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), on hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other repositories of computer software which are used with electronically controlled equipment. The term computer programs, referred to in the foregoing description of electronic data, means a set of related electronic instructions which direct the operations and functions of a computer or device connected to it, which enable the computer or device to receive, process, store, retrieve or send data. This paragraph, n., does not apply to your “stock” of prepackaged software, or to electronic data which is integrated in and operates or controls the building’s elevator, lighting, heating, ventilation, air conditioning or security system[.]317

The Business Income (And Extra Expense) Coverage Form318 now states:

4. Additional Limitation–Interruption Of Computer Operations
a. Coverage for Business Income does not apply when a “suspension” of “operations” is caused by destruction or corruption of electronic data, or any loss or damage to electronic data, except as provided under the Additional Coverage, Interruption Of Computer Operations.
b. Coverage for Extra Expense does not apply when action is taken to avoid or minimize a “suspension” of “operations” caused by destruction or corruption of electronic data, or any loss or damage to electronic data, except as provided under the Additional Coverage, Interruption Of Computer Operations.
c. Electronic data means information, facts or computer programs stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), on hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other repositories of computer software which are used with electronically controlled equipment. The term computer programs, referred to in the foregoing description of electronic data, means a set of related electronic instructions which direct the operations and functions of a computer or device connected to it, which enable the computer or device to receive, process, store, retrieve or send data.
d. This Additional Limitation does not apply when loss or damage to electronic data involves only electronic data which is integrated in and operates or controls a building’s elevator, lighting, heating, ventilation, air conditioning or security system.319

Sublimits underscore the importance of considering not only what cyber risks may be covered, but also whether the limits are sufficient.

3. Potential Coverage Under Other “Traditional” Policies

It is important not to overlook other types of “traditional” insurance policies that may respond to cyber risks.

312. CP 00 99 06 07 (2007), Section A.2.n. Other limitations may apply. For example, although “Covered Causes of Loss include a virus, harmful code or similar instruction introduced into or enacted on a computer system (including electronic data) or a network to which it is connected,” the policy excludes “loss or damage caused by or resulting from manipulation of a computer system (including electronic data) by any employee . . .” CP 00 99 06 07, Section A.4.e.(3)(b).
313. Id. Section A.4.e.(1),(2),(4).
314. ISO Form CP 00 30 06 07 (2007), Section A.4.
315. Id. Section A.5.d. Again, other limitations may apply. For example, the standard form states that “there is no coverage for an interruption related to manipulation of a computer system (including electronic data) by any employee.” Id. Section 1.5.d.(3)(d).
316. CP 00 99 10 12 (2012).
For example, directors’ and officers’ (D&O) policies provide coverage for claims against directors and officers alleging “wrongful acts” committed in their capacity as directors and officers of the insured organization. These policies typically also provide 317. Id. at Coverage A.2.n. (emphasis added); see also id. at Coverage A.4.e.(1). 318. CP 00 30 10 12 (2012). 319. Id. Section A.4 (emphasis added). 590 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) coverage for claims against the organization itself, although this coverage is usually limited to coverage for “securities claims.” There may be coverage under D&O policies to the extent, for example, a data security breach impacts upon a company’s stock price. To be sure, in recent years, shareholders have increasingly looked to hold directors and officers accountable for a drop in stock price and they may do so in the event an argument could be made that the directors and officers did not appropriately prepare for, respond to, or mitigate a cyber incident—all the more so in view of the SEC’s recent guidance on cybersecurity disclosures.320 Although the insured organization’s coverage is limited to “securities claims,” at a minimum there should be coverage to the extent derivative litigation against individual directors and officers ensues. 
Coverage also may be available under professional liability or errors and omissions (E&O) policies, which generally cover “wrongful acts” committed in the insured’s performance of “professional services.” For example, in the Eyeblaster case discussed above, the Eighth Circuit also upheld coverage under an Information and Network Technology E&O policy.321 In addition, many companies have various types of crime coverage, including fidelity insurance and financial institution bonds, that may cover cyber risks and losses.322 Such policies often expressly include computer fraud, such as the transfer of money or securities to an outside location, as well as the cost to repair or replace software and data.

Addressing the question of coverage under a crime policy, the Sixth Circuit recently confirmed that an insured was covered for more than $6.8 million in stipulated losses associated with a data breach that compromised customer credit card and checking account information in Retail Ventures, Inc. v. National Union Fire Insurance Co. of Pittsburgh, Pa.323 In that case, the insured incurred substantial expenses for customer communications, public relations, customer claims and lawsuits, and attorneys’ fees in connection with investigations by seven state attorneys general and the Federal Trade Commission.324 The Sixth Circuit confirmed that there was coverage under the computer fraud rider of the insured’s blanket crime policy, which stated that the insurer would pay the insured for “Loss which the Insured shall sustain resulting directly from . . . [t]he theft of any Insured property by Computer Fraud.”325 “Computer Fraud” was defined as

the wrongful conversion of assets under the direct or indirect control of a Computer System by means of:
(1) The fraudulent accessing of such Computer System;
(2) The insertion of fraudulent data or instructions into such Computer System; or
(3) The fraudulent alteration of data, programs, or routines in such Computer System.326

The court also rejected the insurer’s argument that the loss was excluded by a provision excluding “any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind,”327 finding that the “district court did not err in finding that the loss in this case was not clearly excluded[.]”328

B. Filling Potential Gaps in the Road: Specialty “Cyber” Policies

The Sony coverage suit does not represent the first time that insurers have refused to pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other “traditional” policies.329 Insurers are marketing newer insurance products specifically tailored to cover cyber risks. Coverage for cyber risks has been called “the new frontier of the 21st century market.”330 Cyber risk policies can be extremely valuable.

320. See supra note 15.
321. See text accompanying footnotes 221–28 supra.
322. See Louis Chiafullo & Brett Kahn, Coverage for Cyber Risks, 21:3 COVERAGE at 6–7 (ABA May/June 2011) (discussing coverage for cyber risks under D&O, E&O, and other types of insurance coverages); see also Where to Find the Best Possible Cyber Coverage, supra note 109 (discussing coverage for cyber risks under EPL, fiduciary, crime, and other coverages); Oshinsky et al., supra note 204 (discussing coverage for cyber risks under D&O, E&O, and other types of insurance coverages).
323. 691 F.3d 821 (6th Cir. 2012) (predicting Ohio law).
324. Id. at 824.
325. Id. at 826.
326. Id. at 826–27.
327. Id. at 832.
328. Id. at 834; see also Vonage Holdings Corp. v. Hartford Fire Ins. Co., 2012 WL 1067694, at *1 (D.N.J. Mar. 29, 2012) (New Jersey law) (denying the insurer’s motion to dismiss an insured telecommunications company’s claim for loss arising out of the fact that “computer hackers located outside of its premises used a computer to fraudulently access [the insured’s servers] for the purpose of transferring the use of those servers to themselves and others” under a policy stating that the insurer would “pay for loss of and loss from damage to ‘money’, ‘securities’ and ‘other property’ following and directly related to the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’” to an outside person or premises). Compare Peoples Tel. Co., Inc. v. Hartford Fire Ins. Co., 36 F. Supp. 2d 1335, 1341 (S.D. Fla. 1997) (finding that there was no coverage where “lists containing combinations of electronic serial numbers and mobile telephone identification numbers . . . which are necessary to activate and use cellular phones” were stolen by an employee and sold to third parties to “clone” cellular phones).
329. See Scott Godes & Jennifer G. Smith, Insurance for Cyber Risks: Coverage Under CGL and “Cyber” Policies, ABA Section of Litigation 2012 Insurance Coverage Litigation Committee CLE Seminar, at 2 (Mar. 1–3, 2012), available at http://www.americanbar.org/content/dam/aba/administrative/litigation/materials/2012_inscle_materials/17_1_risks.authcheckdam.pdf (last visited May 13, 2013) (noting that “[i]nsurance companies have become more aggressive in asserting (even if wrongfully so) that ‘traditional’ insurance may not cover security liability or adequately cover privacy risks”).
Although “traditional” policies will likely cover some cyber risks faced by a company, there inevitably will be gaps in coverage, insurers invariably will argue that “traditional” policies do not respond to cyber risks, and costly coverage disputes are likely to ensue. For these reasons, virtually every company that (1) relies upon technology as part of its day-to-day operations or (2) handles PII or business confidential information should seriously consider cyber coverage as part of its overall risk management strategy, particularly in the wake of the recent explosion of data breaches and increasing regulatory scrutiny. But companies should not focus on data and privacy liability to the exclusion of potentially more substantial sources of liability, such as supply chain disruption, “cloud” security failure or disruption, or intellectual property infringement claims. Even companies that believe they may have relatively less cyber risk exposure may be well served to backstop IT security safeguards by filling gaps in existing insurance coverage through stand-alone cyber policies or tailored endorsements. Of course, companies that have already purchased specialty “cyber” policies should be fully familiar with the coverage provided so that they can take full advantage of the coverage and negotiate enhanced terms at renewal. In addition, companies should carefully review the coverage they have purchased to ensure that it adequately addresses their risk profile and requirements.
Although “cyber” coverage has been around since the 1990s, the new coverages have evolved significantly in terms of scope, availability, and pricing in recent years.331 The new cyber policies may come under names such as “Privacy and Security,” “Network Security,” and names that incorporate “Cyber,” “Privacy,” “Media,” or some form of “Technology” or “Digital.” ISO has a standard form called “Internet Liability and Network Protection Policy.”332 Many are sold in a “modular” format (even within the same policy),333 permitting a company to choose some or all of several different types of cyber coverages, or as an optional part of a packaged policy that may provide, for example, E&O, D&O, crime, cyber, and EPL coverages. These products also may be combined with other types of insurance coverage, such as E&O coverage.

330. Harry Cylinder, Evaluating Cyber Insurance, CPCU EJOURNAL (Dec. 2008), available at http://www.cpcusociety.org/file_depot/0-10000000/0-10000/3267/conman/CPCUeJournalDec08article.pdf (last visited Dec. 20, 2012).
331. See Cyber Insurance 3.0, supra note 40, at 2 (“Cyber insurance, the fastest-growing specialty line in the commercial market, is rapidly becoming vital to the financial health of organizations.”); Where to Find the Best Possible Cyber Coverage, supra note 109 (“As cyber insurance has evolved, the coverage has become more comprehensive and insurers are looking for ways to distinguish products with a variety of bells and whistles.”).
332. EC 00 10 07 05 (2004).
333. For example, ISO’s “Internet Liability and Network Protection Policy” includes five coverage modules: (1) Web Site Publishing Liability; (2) Network Security Liability; (3) Replacement or Restoration of Electronic Data; (4) Cyber Extortion; and (5) Business Income and Extra Expense. See EC 00 10 07 05 (2004), Section I.
Policies are typically written on a claims-made and reported basis with coverage available on a worldwide basis.334 Many cyber risk policies offer both first-party and third-party cyber coverage as separate coverage parts. Companies can often select coverages on an individual or combined basis. The types of losses and liabilities that cyber risk policies may cover include the following:

• losses resulting from a data breach, including defense and indemnity costs associated with third-party claims
• response costs associated with post-breach remediation, including notification requirements, credit monitoring, call centers, public relations efforts, forensics, and crisis management
• regulatory investigations, fines, and/or penalties
• losses resulting from a misappropriation of intellectual property or confidential business information
• losses resulting from the receipt or transmission of malicious code, denial of third-party access to the insured’s network, and other security threats to networks
• the cost to restore or recover data that is lost or damaged
• business interruption resulting from operations being disabled by a cyber attack
• cyber extortion

Cyber insurance products also increasingly offer pre- and post-loss risk management services, such as pre-loss employee privacy training and post-loss forensics, credit monitoring, and data breach notification services. After a breach, the policies afford companies access to established industry experts, including forensics specialists, public relations consultants, and attorneys well-versed in navigating data privacy laws. All of this greatly assists in mitigating ultimate exposure. The application process itself shines a spotlight on the company’s current cybersecurity risk management practices and is likely to reveal potential cybersecurity weaknesses that should be addressed.

Although the coverages can be very valuable, choosing the right cyber insurance product presents a real and significant challenge. For starters, there is a dizzying array of cyber products in the marketplace, each with its own different terms and conditions that vary quite dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer.335 In addition, the range of e-commerce activities engaged in by different companies is far-reaching and diverse. Even more than is the case with most types of insurance policies, therefore, successful negotiation and placement of cyber coverage requires identification and consideration of a company’s specific risk profile and risk tolerance, knowledge of the available coverages in the marketplace, and careful attention to the specific policy language under consideration.336 Successful placement of this coverage often requires the input not only of the risk management department and the broker, but also of in-house legal, IT, and compliance personnel, in addition to insurance coverage counsel.

334. In addition to stand-alone cyber policies, many insurers are now making cyber coverage available as part of the traditional insurance policies that these businesses are already purchasing, such as business owners policies (BOP), which typically provide property, general liability, crime, auto, and inland marine floater coverage, and management liability insurance (MLI) policies, which can provide errors and omissions liability, directors and officers liability, employment practices liability, fiduciary liability, and other liability coverages. For an excellent summary of these issues, see Betterley, supra note 7, at 21. Some of these cyber coverages include “services only” (i.e., no risk transfer), “services plus breach response coverage,” or “services plus breach response plus liability.” Id. at 4.
The market is competitive and cyber insurance products are highly negotiable. The terms of the insurer’s “specimen” policy can often be significantly enhanced and customized to respond to the insured’s particular circumstances—often for no increase in premium. In addition, if an IT security or compliance assessment is required as a predicate to placement of coverage, the insurer typically pays for such assessment. This exercise can be useful to a company, even if the coverage ultimately is not purchased. The author is unaware of any cases addressing coverage under these newer policies. An overview of certain types of coverage available under these policies is provided below. It is important to remember that the actual language contained in the policy issued to an insured could be substantially different from an insurer’s “off the shelf” specimen policy.

335. Betterley, supra note 7, at 3 (“The types of coverage offered by Cyber Risk insurers vary dramatically . . . More than most insurance policies, Cyber Risk requires experienced risk professionals to craft the proper coverage.”).
336. Kalinich, supra note 36, at 4 (“Few privacy and security risks are alike, and many entities have unique needs, which vary greatly depending on the scope of business, number and type of personally identifiable information records at issue, use of third-party contractors, applicable regulatory rules and regulations, and the use of technology.”), available at http://litigationconferences.com/wp-content/uploads/2012/10/1000-Network-Security-Privacy-RiskInsurance-2012-Update.pdf (last visited Sept. 4, 2013).

1. Third-Party “Cyber” Coverages

a. Privacy and Network Security—“Third-party” cyber liability policies typically cover the insured against liability arising from, for example, data breaches, transmission of malicious code, denial of third-party access to the insured’s network, and other security threats to networks.
The “triggers” of coverage may include:

• failure to secure data
• network security failure, including unauthorized access to or unauthorized use of the insured’s network
• acts, errors, or omissions of employees
• acts, errors, or omissions of third party subcontractors, vendors, and “cloud” providers
• theft or loss of property (such as data on a laptop or storage media)

By way of example, the new Hartford CyberChoice 2.09SM337 specimen policy provides coverage for loss of customer data, denial of access, and other cyber risk events. The specimen policy states that the insurer will pay “damages” that the insured “shall become legally obligated to pay as a result of a Claim . . . alleging a Data Privacy Wrongful Act or a Network Security Wrongful Act.”338 “Data Privacy Wrongful Act” is defined to include “any negligent act, error or omission by the Insured that results in: the improper dissemination of Nonpublic Personal Information”339 or “any breach or violation by the Insured of any Data Privacy Laws.”340 “Network Security Wrongful Act” is defined to include “any negligent act, error or omission by the Insured resulting in Unauthorized Access or Unauthorized Use of the Organization’s Computer System, the consequences of which include, but are not limited to:
(1) the failure to prevent Unauthorized Access to, use of, or tampering with a Third Party’s computer systems;
(2) the inability of an authorized Third Party to gain access to the Insured’s services;
(3) the failure to prevent denial or disruption of Internet service to an authorized Third Party;
(4) the failure to prevent Identity Theft or credit/debit card fraud; or
(5) the transmission of Malicious Code.341
“Malicious Code” includes “unauthorized and either corrupting or harmful software code, including but not limited to computer viruses, Trojan horses, worms, logic bombs, spy-ware, malware or spider ware.”342

337. The Hartford CyberChoice 2.09SM Specimen Network Security Liability Insurance Policy Form #DP 00 H003 00 0312 (2012) is available at http://www.hfpinsurance.com/servlet/Satellite?c=Page&cid=1150848583573&pagename=HFP%2FPage%2FHFP_ProductPage&pagetab=30 (visited Dec. 20, 2012) (hereinafter “Hartford CyberChoice 2.09SM Specimen Form”).
338. Hartford CyberChoice 2.09SM Specimen Form, Section I (A).
339. Id. Section III (N(1)). “Nonpublic Personal Information” is defined as follows: (1) a natural person’s first name and last name combination with any one or more of the following: (a) Social Security number; (b) medical or healthcare information or data; (c) financial account information that would permit access to that individual’s financial account; or (2) a natural person’s information that is designated as private by a Data Privacy Law. Id. Section III (DD).
340. Id. (N(2)). “Data Privacy Laws” are defined to include “any Canadian or U.S., federal, state, provincial, territorial and local statutes and regulations governing the confidentiality, control and use of Nonpublic Personal Information including but not limited to” the following: (1) Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191) (HIPAA); or (2) Gramm-Leach-Bliley of 1999 (G-L-B), also known as the Financial Services Modernization Act of 1999; or (3) State privacy protection laws, including but not limited to the California Database Protection Act of 2003 (Cal. S.B. 1386) and Cal. Civil Code § 1798.82, that require commercial Internet sites or on-line services that collect personal information or medical information (as defined by such laws or acts) to post privacy policies and adopt specific privacy controls or to notify those impacted by identity or data theft, abuse or misuse; or (4) Federal and state consumer credit reporting laws, including but not limited to the Federal Fair Credit Reporting Act (FCRA) and the California Consumer Credit Reporting Agencies Act (CCCRAA); or (5) The Fair and Accurate Credit Transaction Act of 2003 (FACTA). Data Privacy Laws does not include any foreign law, regulation or statute other than the laws and regulations of Canada. Id. (K).
341. Id. (CC).
342. Id. (AA).

The AIG Specialty Risk Protector® specimen policy343 provides similar types of coverage. The specimen policy states that the insurer will “pay . . . all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging a Security Failure or a Privacy Event.”344 “Privacy Event” includes:
(1) any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
(2) failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
(3) violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.345
“Security Failure” includes the following:
(1) a failure or violation of the security of a Computer System including, without limitation, that which results in or fails to mitigate any unauthorized access, unauthorized use, denial of service attack or receipt or transmission of a malicious code;
(2) physical theft of hardware controlled by a Company (or components thereof) on which electronic data is stored, by a person other than an Insured, from a premises occupied and controlled by a Company; or
(3) failure to disclose an event referenced in Sub-paragraphs (1) or (2) above in violation of any Security Breach Notice Law.346
“Security Failure” also “includes any such failure or violation, resulting from the theft of a password or access code from an Insured’s premises, the Computer System, or an officer, director or employee of a Company by non-electronic means in direct violation of a Company’s specific written security policies or procedures.”347

343. The AIG Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Security and Privacy Coverage Section, is available at http://www.aig.com/ncglobalweb/Internet/US/en/files/Specimen%20Security%20%20Privacy%20Coverage%20Section_tcm295-315822.pdf (last visited Mar. 31, 2013).
344. Id. Section 1.
345. “Confidential Information” is defined as follows: “Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible: (1) information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords; (2) information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106–102, 113 Stat. 1338) (as amended) and its implementing regulations; (3) information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations; (4) information used for authenticating customers for normal business transactions; (5) any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public.[ ] Id. Section 2.(d). “Security Breach Notice Law” includes “any statute or regulation that requires an entity storing Confidential Information on its Computer System, or any entity that has provided Confidential Information to an Information Holder, to provide notice of any actual or potential unauthorized access by others to Confidential Information stored on such Computer System, including but not limited to, the statute known as California SB 1386 (Cal. Civil Code § 1798.82).” Id. Section 2.(m).
346. Id. Section 2.(n).
347. Id.

There are numerous other products currently available on the market that respond to third-party cyber risks, including but not limited to:

• ACE’s DigiTech® specimen policy,348 which generally covers against liability for, among other things, failures to: “protect against unauthorized access to, unauthorized use of, a denial of service attack by a third party directed against, or transmission of unauthorized, corrupting or harmful software code to, the Insured’s Computer System;”349 or “properly handle, manage, store, destroy or otherwise control . . . Personal Information.”350
• The Philadelphia Insurance Company’s Cyber Liability specimen policy,351 which generally covers against liability for claims related to, among other things, “[u]nauthorized access of [the insured’s] computer system or unauthorized use of computer systems,” “[a] denial of service attack against your computer systems” or “[i]nfection of [the insured’s] computer systems by malicious code or transmission of malicious code from [the insured’s] computer systems”; or “public disclosure of a person’s private information.”352
• CNA’s NetProtect 360SM specimen policy,353 which generally covers against liability for claims arising out of, among other things, the denial of access or use of an “Insured Entity’s Network,” “disruption or degradation of another’s Network” or “the unauthorized copying, destruction, addition, deletion, alteration or theft of any information”; or claims for acts with respect to “Nonpublic Personal Information.”354
• Axis’s PRO® TechNet Solutions™ specimen policy,355 which generally covers against liability for claims arising out of, among other things, “release, unauthorized disclosure, theft, or loss of Protected Data”; “[u]nauthorized access to or unauthorized use of Protected Data on the Insured’s Computer System that directly results in theft, alteration, destruction, deletion, corruption or damage of Protected Data”; “[t]ransmitting or receiving Malicious Code via the Insured’s Computer System”; or “[u]nauthorized access to or unauthorized use of the Insured’s Computer System that directly results in denial or disruption of access of authorized parties.”356
• Beazley’s AFB Media Tech® specimen policy,357 which generally covers against liability for claims arising out of, among other things, “theft, loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information” and the “failure of Computer Security to prevent a Security Breach.”358

348. The ACE DigiTech® Digital Technology & Professional Liability Insurance Policy, Form #PF-26996 (05/09) is available at http://www.acegroup.com/us-en/assets/ace-digitech-declaration-policy-specimen.pdf (last visited Dec. 20, 2012) (hereinafter “ACE DigiTech® Specimen Form”).
349. ACE DigiTech® Specimen Form, Sections I.C, II. OO.3, II.X. “Computer System” is defined to include “computer hardware, software, firmware, and the data stored thereon, as well as associated input and output devices, data storage devices, networking equipment and Storage Area Network or other electronic data backup facilities.” Id. Section II.G.
350. Id. Section II. OO.4.a.i. “Personal Information” includes: 1. an individual’s name, Social Security number, medical or healthcare data, other protected health information, drivers license number, state identification number, credit card number, debit card number, address, telephone number, account number, account histories, or passwords; and 2. other nonpublic personal information as defined in Privacy Regulations in any format. Personal Information shall not include information that is lawfully made available to the general public for any reason, including but not limited to information from federal, state or local government records. Id. Section II.Z.
351. Philadelphia Insurance Company Cyber Liability Coverage Form #PI-CYB-001 (05/10) is available at https://www.phly.com/products/CyberSecurity.aspx (last visited Mar. 20, 2013).
352. Cyber Liability Coverage Form, Sections I.E., III.W.
353. A copy of the CNA NetProtect 360SM Specimen Policy Form #G-147051-A (2007) (hereinafter “CNA NetProtect 360SM Specimen Form”) is on file with the author.

In purchasing this type of coverage, consideration should be given to, among other things, the types of data included in the coverage. Certain types of covered data almost always are expressly included, such as PII.
Data can also include confidential corporate data and even non-electronic data, such as paper records. Another important consideration is whether the policy affords coverage to information in the hands of third parties, including cloud service providers. Although some insurers may be reluctant to add third party vendors and subcontractors,359 this coverage is expressly included by some carriers and can be endorsed if not initially included by others.

354. CNA NetProtect 360SM Specimen Form, Sections I.A.2., I.A.4, X. “Nonpublic Personal Information” is defined to include: “information not available to the general public from which an individual may be identified, including without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, and account histories.” Id. Section X.
355. A copy of the Axis PRO® TechNet Solutions™ Specimen Policy Form TNS-7000 (03-10) (hereinafter “Axis PRO® TechNet Solutions™ Specimen Form”) is available at http://www.axisproinsurance.com/programs/technet_applications.asp (last visited Dec. 20, 2012).
356. Axis PRO® TechNet Solutions™ Specimen Form, Sections I.A.1, I.A.3, X.M.
357. A copy of Beazley’s AFB Media Tech® Specimen Policy, Form #F00226 (2011) is available at https://www.beazley.com/forms_and_resources_searchpage.html?business=165&type=156 (last visited Dec. 20, 2012) (hereinafter “AFB Media Tech® Specimen Policy”).
358. AFB Media Tech® Specimen Policy, Section I.C (1, 2). “Security Breach” includes: 1. Unauthorized Access or Use of Computer Systems, including Unauthorized Access or Use resulting from the theft of a password from a Computer System or from any Insured; 2. a Denial of Service Attack against Computer Systems or Third Party Computer Systems; or 3. infection of Computer Systems by Malicious Code or transmission of Malicious Code from Computer Systems, regardless of whether any of the foregoing is a specifically targeted or generally distributed attack. Id. Section VI.II.

b. Media Liability—Many “third-party” cyber risk policies include defense and indemnity coverage for claims alleging infringement of copyright and other intellectual property rights and misappropriation of ideas or media content. Although it is important to recognize that some coverage may already exist in the “Personal And Advertising Injury Liability” coverage section of the insured’s CGL policies, as discussed above, more specific—and potentially substantially broader—coverage may be obtainable through the purchase of specialty cyber coverage.360 Often the coverage includes, or can be extended to include, broad coverage for liabilities, including infringement and misappropriation claims, arising out of the insured’s media content. The new Hartford CyberChoice 2.09SM specimen policy states that the insurer will pay “damages” that the insured “shall become legally obligated to pay as a result of a claim alleging an e-Media Wrongful Act.”361 An “e-Media Wrongful Act” includes “any negligent act, error or omission” by the Insured that results in the following:
(1) infringement of copyright, service mark, trademark, or misappropriation of ideas or any other intellectual property right, other than infringement of patents or trade secrets; defamation, libel, product disparagement, trade libel, false arrest, detention or imprisonment, or malicious prosecution, infringement or interference with rights of privacy or publicity; wrongful entry or eviction; invasion of the right of private occupancy; and/or plagiarism, misappropriation of ideas under implied contract invasion or other tort related to disparagement or harm to the reputation or character of any person or organization in the Insured Entity’s Electronic Content or in the Insured Entity’s Advertising; or
(2) misappropriation or misdirection of Internet based messages or media of third parties on the Internet by the Insured, including meta-tags, web site domains and names, and related cyber content.362

359. See Betterley, supra note 7, at 6 (“There is a great deal of concern over accumulation risk (that is, the same cause of loss affecting multiple insureds, leading to massive claims). . . . With much data moving to the cloud, this accumulation risk is becoming more severe, a trend that concerns us greatly.”).
360. See Richard S. Betterley, Intellectual Property and Media Liability Insurance Market Survey (2013), at 6 (“Most Advertising Liability coverages are written to narrowly focus coverage on actual advertising activity. . . . Since alleged infringement can occur in many situations not involving advertising, it is apparent that a CGL policy, even with advertising liability coverage, is an ineffective source of coverage. Another problem with commercial liability coverage is that an infringement can be construed as an intentional act, quickly denied by the GL carrier.”).
361. Hartford CyberChoice 2.09SM Specimen Form, Section I (B).
362. Id. Section III (Q).

“Advertising” and “Electronic Content” are defined as follows:
(A) Advertising means electronic promotional material and media, publicly disseminated on the Internet or any Website or offline copies of such material and media, either by or on behalf of the Insured including banner and buttons, beacons and tracking, branding, click tags and cookies, co-branding, directory listings, flash sites, metatags and coded media, rectangles and pop-ups, search engine endorsements, sponsorships, skyscrapers, and/or endorsements.
....
(P) Electronic Content means any data, e-mails, graphics, images, net or web casting, sounds, text, web site or similar matter disseminated electronically, including matter disseminated electronically on a Website, Computer System or the Internet, and including content disseminated by other means of media transmittal by the Insured Entity provided that it is a duplication of content already disseminated electronically on the Insured Entity’s Internet Website, Computer System or the Internet.363 The ACE DigiTech® specimen policy “Electronic Media Activities Liability” coverage part provides a similar type of coverage. The specimen form covers the insured’s “Wrongful Acts,” which are defined to include any error, misstatement, misleading statement, act, omission, neglect, breach of duty, or Personal Injury offense actually or allegedly committed or attempted by any Insured . . . in the course of the provision of Electronic Media Activities [defined to include “the electronic publishing, dissemination, releasing, gathering, transmission, production, webcasting, or other distribution of Electronic Content on the Internet . . .”], which gives rise to any of the following Claims against an Insured: a. product disparagement, trade libel, infliction of emotional distress, mental anguish, outrage or outrageous conduct; b. false light, public disclosure of private facts, or the intrusion and commercial appropriation of a name, persona or likeness; c. plagiarism, piracy (excluding patent infringement), or the misappropriation or unauthorized use of advertising ideas, advertising material, titles, literary or artistic formats, styles or performances; d. the infringement of copyright, domain name, trademark, trade name, trade dress, title or slogan, service mark, or service name; or e. 
negligence with respect to the Insured’s creation or dissemination of Electronic Content.364 Again, there are numerous other products currently available on the market that cover infringement of copyright and other intellectual property rights, including but not limited to the Cybersecurity By 363. Id. Section III (A, P). 364. ACE DigiTech® Specimen Form, Section II. OO.2. 602 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) ChubbSM365 specimen policy, Axis’s PRO® TechNet Solutions™366 specimen policy, and Beazley’s AFB Media Tech® specimen policy.367 It is important to note that patent infringement typically is excluded under cyber liability policies, but it may be purchased separately. c. Regulatory Liability—Many “third-party” cyber risk policies include defense and indemnity coverage for claims for civil, administrative, or regulatory proceedings, fines, and penalties. By way of example, the Beazley AFB Media Tech® specimen policy provides the following coverage: The Underwriters agree with the Named Insured . . . .... To pay on behalf of the Insured: Claims Expenses and Penalties in excess of the Retention, which the Insured shall become legally obligated to pay because of any Claim in the form of a Regulatory Proceeding, first made against any Insured during the Policy Period or Optional Extension Period (if applicable) and reported in writing to the Underwriters during the Policy Period or as otherwise provided in Clause X. of this Policy, resulting from a violation of a Privacy Law. . . 
.368 “Regulatory Proceeding” is defined to include: a request for information, civil investigative demand, or civil proceeding commenced by service of a complaint or similar proceeding brought by or on behalf of the Federal Trade Commission, Federal Communications Commission, or any federal, state, local or foreign governmental entity in such entity’s regulatory or official capacity in connection with such proceeding.369 The CNA NetProtect 360SM specimen policy provides a similar coverage grant: If the Insuring Agreement has been purchased, as indicated in the Declarations, the Insurer will pay on behalf of the Insured all sums in excess of the Deductible and up to the applicable limit of insurance that the Insured shall become legally obligated to pay: .... as Damages and Claim Expenses resulting from any Privacy Regulation Proceeding both first made against the Insured and reported to the Insurer in writing during the Policy Period, or any Extended Reporting Period, if ap- 365. Cybersecurity By ChubbSM Specimen Policy Form #14-02-14874 (02/2009), Section II (“Content injury”). A copy of this specimen policy is available at http://search. chubb.com/formsearch/formZoneResults.aspx?formType=&productName=cyber&usState= (last visited Dec. 20, 2012) (hereinafter “Cybersecurity By ChubbSM Specimen Form”). 366. Axis PRO® TechNet Solutions™ Specimen Form, Sections A.2, V. KK.2. 367. AFB Media Tech® Specimen Form, Section I.F. 368. Id. Section I.E. “Privacy Law” is defined to include: “a federal, state or foreign statute or regulation requiring the Insured Organization to protect the confidentiality and/or security of Personally Identifiable Non-Public Information.” Id. Section VI.BB. 369. Id. Section VI.FF. 
Viruses, Trojans, and Spyware 603 plicable, alleging any Wrongful Act by the Insured or by someone for whose Wrongful Act the Insured is legally responsible[.]370 “Privacy Regulation Proceeding” is defined to include “a civil, administrative or regulatory proceeding against an Insured by a federal, state or foreign governmental authority alleging violation of any law referenced under the definition of Privacy Injury or a violation of a Security Breach Notice Law.”371 2. First-Party “Cyber” Coverage a. Remediation/Crisis Management—Cyber policies that cover privacy and network security also typically provide valuable remediation coverage for the costs associated with a data breach, including: • the costs associated with post-data breach notification—notification required by regulation and voluntary notification • credit monitoring services • forensic investigation to determine the existence or cause of a breach • public relations efforts and other “crisis management” expenses • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem Importantly, these “remediation” coverages, which are often grouped under labels such as “Crisis Management,” “Notification & Credit Monitoring Fund,” and “Public Relations Expense Fund,” frequently are not subject to retentions or co-insurance. The following discusses these coverages in more detail. i. Notification and Credit Monitoring—Cyber risk policies typically provide coverage for the costs associated with notification of a data breach and credit monitoring services. For example, Beazley’s AFB Media Tech® specimen policy provides coverage for “Privacy Notification Costs . . . resulting from the Insured Organization’s legal obligation to comply with a Breach Notice Law because of an incident (or reasonably suspected incident) described in [the Information Security & Privacy Liability] Insuring Agreement . . 
.”372 “Privacy Notification Costs” are defined to include a number of “reasonable and necessary costs incurred by the Insured Organization,” among them costs “to provide notification to 370. CNA NetProtect 360SM Specimen Form, Sections I.A.2.B. 371. Id. Section X. “Security Breach Notice Law” is defined to include “any statute or regulation that requires an entity storing Nonpublic Personal Information on its Network to provide notice to specified individuals of any actual or potential unauthorized access with respect to such Nonpublic Personal Information, including Sections 1789.29 and 1798.82–1798.84 of the California Civil Code (formerly S.B. 1386).” Id. “Privacy Injury” includes reference to, among other things, “any federal, state, foreign or other law, statute or regulation governing the confidentiality, integrity or accessibility of Nonpublic Personal Information.” Id. 372. AFB Media Tech® Specimen Policy, Section I.D. 604 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) individuals who are required to be notified by the applicable Breach Notice Law” and costs of “offering of one (1) year of credit monitoring services to those individuals whose Personally Identifiable Non-Public Information was compromised or reasonably believed to be compromised as a result of theft, loss or Unauthorized Disclosure of information giving rise to a notification requirement pursuant to a Breach Notice Law.”373 Hartford’s CyberChoice 2.09SM specimen policy similarly states that the insurer “will reimburse the Insured Entity, for reasonable and necessary Notification and Credit Monitoring Expenses,”374 which are defined to include: the amount of reasonable and necessary expenses incurred by the Insured Entity (i) to notify its customers or clients of a Data Privacy Wrongful Act to comply with a Notification Law; or (ii) for credit monitoring services offered by the Insured Entity to individuals after a Data Privacy Wrongful Act to comply with Notification Laws; 
or iii) to provide courtesy notifications to individuals when such notifications are not mandated by Notification Laws but are reasonably necessary to preserve the reputation and good name of the Insured Entity and to mitigate the potential for a future Claim.375 ii. Forensic Investigation—Cyber risk policies often provide coverage for the investigatory costs associated with determining the cause and scope of a breach or attack. For example, Hartford’s CyberChoice 2.09SM specimen policy states that the insurer “will reimburse the Insured Entity for reasonable and necessary Cyber Investigation Expenses,”376 which include “reasonable and necessary expenses the Insured Entity incurs to conduct an investigation of its Computer System by a Third Party to determine the source or cause of the Data Privacy Wrongful Act or Network Security Wrongful Act.”377 Beazley’s AFB Media Tech® specimen policy includes coverage for costs “to hire a computer security expert to determine the existence and cause of any electronic data breach.”378 iii. Crisis Management—The costs associated with a cyber attack often include crisis management activities. Cyber insurance policies typically provide coverage for such activities. For example, the AIG netAdvantage® specimen policy Crisis Management Module Form covers “crisis management expenses,”379 defined to include “amounts for which an organization incurs for the reasonable and necessary fees and expenses incurred by a crisis management firm in the performance of crisis manage373. 374. 375. 376. 377. 378. 379. (2007), Id. Sections I.D.2.(a), I.D.4.(a), and III.(EE). CyberChoice 20SM, Section II.(A). Id. Section III.(EE). CyberChoice 20SM, Section II.(D). Id. Section III.(I). AFB Media Tech® Specimen Policy, Section I.D.1. AIG netAdvantage Specimen Policy, Crisis Management Module Form #90594 Section 3. 
Viruses, Trojans, and Spyware 605 ment services for an organization,” arising from a “failure of security” or “privacy peril.”380 The Hartford’s CyberChoice 2.09SM specimen policy states that the insurer “will reimburse the Insured Entity, for reasonable and necessary Crisis Management Expenses” that “directly result from a Data Privacy Wrongful Act.”381 “Crisis Management Expenses” are defined as “amounts for which the Insured Entity incurs for the reasonable and necessary fees and expenses in the procurement of Crisis Management Services for the Insured Entity arising from a Data Privacy Wrongful Act.”382 iv. Public Relations—The costs associated with a cyber attack often include expenses related to public relations and crisis management. Again, coverage is often included in specialty cyber policies. For example, Beazley’s AFB Media Tech® specimen policy includes coverage for up to $100,000 “for the costs of a public relations consultancy for the purpose of averting or mitigating material damage to the Insured Organization’s reputation,” subject to 20 percent co-insurance.383 CNA’s Net protect 360SM specimen policy likewise covers “Public Relations Event Expenses . . . to respond to adverse or unfavorable publicity or media attention arising out of a Public Relations Event,” which is defined as “any situation which in the reasonable opinion of an Executive did cause or is reasonably likely to cause economic injury to the Insured Entity.”384 Hartford’s CyberChoice 2.09SM specimen policy similarly states the insurer “will reimburse the Insured Entity, for reasonable and necessary Crisis Management Expenses” that “directly result from a Data Privacy Wrongful Act. . . .”385 “Crisis Management Expenses” include reasonable and necessary fees and expenses in the procurement of . . . services performed by any public relations firm, crisis management firm or law firm hired or appointed by us, to minimize potential reputational harm . . . 
including, without limitation, maintaining and restoring public confidence in the Insured Entity. . . .386 It warrants mention that some policies require the insured to use designated vendors or require the written consent of the insurer to use remediation service providers. In addition, there may be a time limitation for certain services, notably credit monitoring. b. Information Asset Coverage—“First-party” cyber coverage may include damage to or theft of the insured’s own computer systems and hardware and may cover the cost of restoring or recreating stolen or corrupted data. For example, the AIG netAdvantage® specimen policy states that the 380. 381. 382. 383. 384. 385. 386. Id. Section 5, CM(a), (b)(1). Hartford CyberChoice 2.09SM Specimen Form, Section II.(B). Id. Section III.(G)(1). AFB Media Tech® Specimen Policy, Section I.D.3. CNA NetProtect 360SM Specimen Form, Section I.B.1., Section X. Hartford CyberChoice 2.09SM Specimen Form, Section II.(B). Id. Sections III.((G),(H)). 606 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) insurer will pay the insured’s “actual information asset loss . . . resulting directly from injury to information assets” that results “from a failure of security of your computer system.”387 “Information asset loss” is defined to include “software or electronic data, including without limitation, customer lists and information, financial, credit card or competitive information, and confidential or private information” “that are altered, corrupted, destroyed, disrupted, deleted or damaged. . . 
.”388 CNA’s NetProtect 360SM specimen policy states that the insurer will pay the insured “all sums” for “reasonable and necessary expenses resulting from an Exploit [defined as Unauthorized Access, Electronic Infection or a Denial of Service Attack that results in Network Impairment, each as separately defined]” that are “required to restore the Insured Entity’s Network or information residing on the Insured Entity’s Network to substantially the form in which it existed immediately prior to such Exploit.”389 Many other products offer similar types of coverage. c. Network Interruption and Extra Expense—Cyber policies often include coverage for business interruption and extra expense caused by malicious code, such as viruses, worms, Trojans, malware, spyware, and the like; DDoS attacks; unauthorized access to, or theft of, information; and other security threats to networks. For example, the AIG netAdvantage® specimen policy covers the insured’s actual business interruption loss . . . which [the insured] sustains during the period of recovery (or the extended interruption period if applicable), resulting directly from a material interruption [defined as “the actual and measurable interruption or suspension of [the insured’s] computer system, which is directly caused by a failure of security”].390 “Business interruption loss” includes “the sum of: (1) income loss; (2) extra expense; (3) dependent business interruption loss; and (4) extended business interruption loss,”391 each as separately defined.392 387. (2006), 388. 389. 390. (2006), 391. AIG netAdvantage® Specimen Policy, Information Asset Module Form #90612 Section 3. Id. Section 5 I.A (b, c). CNA NetProtect 360SM Specimen Form, Section II.B. AIG netAdvantage® Specimen Policy, Business Interruption Module Form #90593 Section 3, Section 5 BI (k). Id. Section 5 BI (b). 
“Period of recovery is defined as the following: “Period of recovery” means the time period that: (1) begins on the date and time that a material interruption first occurs; and (2) ends on the date and time that the material interruption ends, or would have ended if you had exercised due diligence and dispatch. Provided, however, the period of recovery shall end no later than thirty (30) consecutive days after the date and time that the material interruption first occurred. Id. Section 5 BI (l). 392. Id. Section 5 BI (d, e, g, j). Viruses, Trojans, and Spyware 607 The Hartford CyberChoice 20SM specimen policy covers Business Interruption Loss . . . that the [insured] incurs during the Period of Restoration directly resulting from a Network Outage [defined to include “the actual and measurable interruption, suspension in service or the failure of the Organization’s Computer System directly resulting from a Network Security Wrongful Act”].393 Business Interruption Loss” includes both “Actual Loss” and “Extra Expense,” each as separately defined.394 Many other products offer similar types of coverage.395 When considering business interruption coverages, it is important to note that, as with many terms and conditions, the length of the period of recovery is often negotiable (it may be increased from 120 to 180 days, for example). In addition, a cyber specimen policy may sublimit certain business interruption losses arising from the security failure of a third party provider’s network.396 A policyholder may be able to remove the restriction or increase the sublimit. d. Extortion—Cyber policies often cover losses resulting from extortion (payments of an extortionist’s demand to prevent network loss or imple393. Hartford CyberChoice 20SM Specimen Form, Section I (D), Section III (ff ). 
“Period of Restoration” is defined as follows: Period of Restoration means the period of time that: (1) begins with the date and time that Computer Systems have first been interrupted by a Network Outage and after application of the Waiting Period set forth on the Declarations; and (2) ends with the earlier of (a) the date and time Computer Systems have been restored to substantially the level of operation that had existed prior to the Network Outage; or (b) 30 days from the time that Computer Systems were first interrupted by such Network Outage. The Waiting Period represents the number of hours the Organization’s Computer Systems are interrupted before the Insurer is first obligated to pay Damages and Defense Expenses (other than Extra Expense) covered by Insuring Agreement (D). The Waiting Period incepts immediately following the interruption of the Organization’s Computer Systems. Id. Section III (D). 394. Id. 395. See, e.g., Hartford CyberChoice 20SM Specimen Policy Form #CC 00 H003 00 0608 (2008) (hereinafter “CyberChoice 20SM”) (a copy is on file with the author), Section I (D), Sections III (D), (ff ); Cybersecurity By ChubbSM Specimen Form, Section I.D, Section II. 396. For example, AIG’s Specialty Risk Protector® product states that “the maximum liability of the Insurer for all Loss arising from a Security Failure of the Computer System of an Outsource Provider [defined as “an entity not owned, operated or controlled by an Insured that such Insured depends on to conduct its business”] shall be $100,000.” Specialty Risk Protector Specimen Policy Form 101014 (11/09), Network Interruption Coverage Section, at Part 2(f ) and Part 4. A copy of the policy form is available at http://www.aig.com/ ncglobalweb/Internet/US/en/files/Specimen%20Network%20Interruption%20Coverage%20 Sectiong_tcm295–315824.pdf (last visited Mar. 31, 2013). 
608 Tort Trial & Insurance Practice Law Journal, Winter 2014 (49:2) mentation of a threat), which may be an increasingly valuable protection. For example, the AIG netAdvantage® specimen policy indemnifies the insured “for those amounts” the insured pays “as extortion monies resulting from an extortion claim. . . .”397 “Extortion claim” is defined to include “any threat or connected series of threats to commit an intentional computer attack. . . .”398 The Hartford CyberChoice 20SM specimen policy likewise covers “amounts which the Organization pays as Extortion Payments directly resulting from a Cyber Extortion Claim.”399 Cybersecurity By ChubbSM includes coverage for “E-Threat Expenses resulting directly from an Insured having surrendered any funds or property to a natural person who makes a Threat directly to an Insured.”400 The ACE DigiTech® specimen policy states that the insurer “will pay Extortion Expenses incurred by the Insured”401 CNA’s Net protect 360SM specimen policy covers “all sums . . . for Network Extortion Expense resulting from a Network Extortion.”402 3. Beware the Fine Print Cyber insurance coverages can be extremely valuable, but they deserve— indeed require—a careful review. The specific policy terms and conditions must be analyzed carefully to ensure that the coverage provided meets the company’s specific loss scenarios and potential exposures and to ensure that important facets of coverage are not vitiated. 
Some insurers, for example, may insert exclusions based on purported shortcomings in the insured’s security measures if identified in the underwriting process or known to the insured prior to policy inception.403 One specimen form policy excludes any claim “alleging, arising out of or resulting, directly or indirectly” from

(1) any shortcoming in security that [the insured] knew about prior to the inception of this policy, (2) [the insured’s] failure to take reasonable steps, to use, design, maintain and upgrade [the insured’s] security, or (3) the inability to use, or lack of performance of, software: (a) due to expiration, cancellation, or withdrawal of such software; (b) that has not yet been released from its development stage; or (c) that has not passed all test runs or proven successful in applicable daily operations.404

It remains to be seen whether broad exclusions of this kind will be upheld and enforced by the courts, particularly given that the new policies are specifically marketed to cover the risk of liability for negligence in connection with failure of network security. In addition, there may be exclusions for war, warlike operations, terrorism, or hostilities that need to be considered carefully given that many cyber attacks originate from foreign nations, a number of which are under the auspices of foreign governments.405

On a more mundane point, many cyber policies contain contractual liability exclusions found in many “traditional” policies. These exclusions should contain adequate exceptions to cover, for example, customer or employee claims arising out of a privacy or network security breach.

Other provisions that warrant close attention are the claims reporting/extended reporting period (ERP) options, the retroactive date, and the defense and settlement provisions. Cyber specialty policies are written on a “claims made” basis, so it is important that a policy contain an affordable ERP provision. A sixty-day automatic ERP should be included; ideally the policyholder would have the opportunity to purchase up to thirty-six months for an additional premium. In addition, most cyber policies limit coverage to breaches that occur after a specified “retroactive date,” which may be commensurate with the policy inception date. It is important to request “retroactive” coverage for network security breaches that happened, but were not discovered, before the policy inception.

403. See Ben Berkowitz, Recent hacker attacks have more companies eyeing cyber risk coverage, REUTERS (June 14, 2011), available at http://www.reuters.com/article/2011/06/14/us-insurance-cybersecurity-idUSTRE75D5MK20110614 (last visited Dec. 26, 2012) (“As with any kind of insurance, data breach policies carry all sorts of exclusions that put the onus on the company. Some, for example, exclude coverage for any incident that involves an unencrypted laptop. In other cases, insurers say, coverage can be voided if regular software updates are not downloaded or if employees do not change their passwords periodically.”).
This is important given that recent studies indicate that months, sometimes years, elapse between a network security breach and the discovery of the breach.406

As to defense of claims, many, although not all, insurers reserve the right to select or pre-approve defense counsel. Other insurers present the insured with a “panel counsel” list such as those typical in the D&O coverage context. Again, however, the policies vary considerably and some insurers permit the insured to select counsel. As to settlement provisions, hammer clauses,407 also typical in the D&O coverage context, are often included in specialty cyber policies. Insurers are often willing to amend specimen forms such that the insurer will agree to pay a higher percentage of post-settlement-offer defense costs (80 percent as opposed to 50 percent, for example) in the event the policyholder refuses a settlement offer.

The adequacy of limits and sublimits warrants careful attention, as does the issue of retentions.

404. AIG netAdvantage® Specimen Policy, Base Form #91239 (2006), Section 4 (t).
405. See, e.g., Mandiant, APT1, Exposing One of China’s Cyber Espionage Units, at 2 (“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.”) (hereinafter “Mandiant, APT1”).
406. Verizon, 2013 Data Breach Investigations Report, at 6 (2013) (reporting that 66% of breaches “took months or more to discover”); Mandiant, APT1, supra note 405, at 3 (reporting that one particularly prolific Advanced Persistent Threat group, APT1, “maintained access to victim networks for an average of 356 days.”).
Owing to the modular format of the coverages provided under cyber policies, for example, a policy specimen may state that separate retentions will apply where a cyber event triggers coverage under more than one coverage section. It may be possible, however, to achieve an amendment whereby only one retention applies to all loss arising out of an event that triggers multiple coverage sections. As noted above, the cyber insurance market remains relatively soft, and favorable enhancements to coverage can often be achieved in these and other areas. Indeed, cyber coverage is highly negotiable.408

III. Conclusion

Every company should appreciate that it is a vulnerable next “Target” for a serious cybersecurity incident, together with the range of negative consequences that typically follows. Exposure to cyber liability is by no means limited to retailers, financial institutions, health care providers, and other industries that maintain confidential information of third parties. When targeted by an attack or facing a claim, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before an attack, companies should take the opportunity to evaluate carefully and address their risk profile, potential exposure to cyber risks, risk tolerance, the sufficiency of their existing insurance coverage, and the role of specialized cyber risk coverage.

407. The hammer clause is a provision that gives the insurer more control in claims handling. A “soft” version of the clause provides that if the insured declines to settle, then the insurer can cap its liability at the amount of the settlement offer plus some portion of defense costs following the settlement.
408. See Roberta D. Anderson, How to Purchase “Cyber” Insurance, INSURANCE COVERAGE ALERT (Oct. 21, 2013), available at http://m.klgates.com/files/Publication/f9bc5a65-748a402a-b677-172191e4e9bb/Presentation/PublicationAttachment/2b641a0d-1cc4-41e8-8e661dd66554eb59/Insurance_Coverage_Alert10212013.pdf (last visited Mar. 15, 2014).