The Insurance Coverage Law Information Center

The following article is from National Underwriter’s latest online resource,
FC&S Legal: The Insurance Coverage Law Information Center.
The Insurance Coverage Law Information Center
VIRUSES, TROJANS AND SPYWARE, OH MY! THE YELLOW BRICK ROAD
TO COVERAGE IN THE LAND OF INTERNET OZ – PART II
By Roberta D. Anderson
Insurance can play a vital role in a company’s overall strategy to address, mitigate and maximize protection against
the increasing threat of cyber risk. In Part 2 of this four-part article, the author examines potential coverage for cyber
and privacy-related risks under general liability insurance policies. Part 3 will examine potential coverage under property
and other common types of “traditional” insurance policies. Part 4 will examine the types of coverages available
under revolutionary new “cyber” insurance products.
While some companies carry specialty insurance policies that are specifically designed to afford coverage for cyber risk,
most companies have various forms of “traditional” insurance policies that may cover cyber risks, including commercial
general liability (“CGL”), commercial property/business interruption, directors and officers, errors and omissions,
professional liability, fiduciary, crime and other policies.
Although insurers typically argue that “cyber” risks are not intended to be covered under CGL policies or other
“traditional” types of insurance coverages, insureds pursuing coverage under CGL policies have met with some, albeit
not universal, success in obtaining coverage for certain types of cyber risks. Coverage in a particular case necessarily
will depend on the specific facts of each case, the terms, conditions and exclusions of each individual policy, and the
applicable law.
A brewing legal dispute between Sony and one of its insurers concerning the PlayStation Network data breach highlights
the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL
policies. In Zurich American Insurance Co., et al. vs. Sony Corp. of America, et al.,1 the insurer seeks a declaration that
there is no coverage under the CGL policies at issue on the basis that the underlying lawsuits arising from hacker attacks
that resulted in unauthorized access to and theft of personal identification and financial information “do not assert claims
for ‘bodily injury,’ ‘property damage’ or ‘personal and advertising injury.’”2
The Sony coverage case may provide additional guidance on the scope of coverage for data breaches and other cyber
risks under traditional CGL policies. In the meantime, the current case law is instructive.
Claims Alleging Damage to, or Loss of Use of, Third-Party Data, Computers or Computer Systems
Claims alleging damage to third-party data, computers, and systems may be available under the “Bodily Injury And
Property Damage” section of the standard Insurance Services Office, Inc. (“ISO”)3 CGL policy form, which states that
the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property
damage’” that “occurs during the policy period.”4 In addition to providing indemnity coverage, the standard form
states that the insurer “will have the right and duty to defend the insured against any ‘suit’” seeking potentially covered
damage.5
For many years, the ISO standard form has defined “property damage” to include “[p]hysical injury to tangible property,
including all resulting loss of use of that property” and “[l]oss of use of tangible property that is not physically injured.”6
One major issue in cases alleging lost or damaged data, software, computers, or computer systems is whether the
definition of “property damage” is satisfied. A standard form definition of “property damage” includes both (1) “[p]
hysical injury to tangible property, including all resulting loss of use of that property”; and (2) “[l]oss of use of tangible
property that is not physically injured.”7 Insurers typically argue that data is not “tangible property” that can suffer
“physical injury” and, therefore, cannot satisfy the definition of “property damage.” However, a number of courts have
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury” and have upheld
coverage on this basis.
For example, the Minnesota intermediate appellate court determined that a computer tape and data were “tangible
property” in Retail Systems, Inc. v. CNA Insurance Co.8 In that case, the claimant filed suit against the insured, a data
processing consultant, seeking damages allegedly suffered as a result of the loss of a computer tape and its data, which
had disappeared during remodeling of the insured’s computer room.9 The insured tendered the claim to its insurer, which
denied coverage. The court considered the following question on appeal: “Did the trial court err by finding that the
computer tape and data were tangible property?”10
Finding “no precedent in Minnesota or elsewhere” concerning “whether computer tapes and data are tangible property
under an insurance policy,”11 the court concluded that “[a]t best, the policy’s requirement that only tangible property is
covered is ambiguous” and, therefore, the language “must be construed in favor of the insured.”12 Therefore, the court
upheld the trial court’s finding “that the computer tape and data were tangible property under the insurance policy.”13 In
reaching its decision, the court found it significant that “[t]he data on [a] tape was of permanent value and was integrated
completely with the physical property of the tape.”14
Other decisions likewise support an argument that data is tangible property,15 including decisions considering the issue
in the first-party property context.16 The decisions are not uniform, however, and a number of decisions have held that
computer data is not tangible property and therefore is not susceptible to property damage.17 A leading insurance law
authority notes that the issue as to whether “computerized information is tangible property” has “not been satisfactorily
resolved.”18 Under the law of many states, however, this fact alone would militate in favor of a finding of coverage.19
Even where a court determines that data itself is not “tangible” property that can suffer “physical injury,” there should be
coverage for claims alleging damage to or loss of use of computers and system components under the second prong “b”
of the definition of “property damage.”20 The Western District of Oklahoma’s decision in State Auto Property & Casualty
Insurance Co. v. Midwest Computers & More21 is instructive. In that case, the claimants brought a lawsuit alleging that
the insured’s negligent performance of service work on their computer system had “deprived [them] of the use of their
computers,” and that the claimants “lost extensive amounts of appraisal data and other business information which
was [sic] stored on their computer system.”22 The insured sought defense and the insurer brought an action seeking a
declaration that it has no duty to indemnify or defend its insured.23
Although the court would have “conclude[d] that computer data is intangible, not tangible, personal property,”24 the
court noted that this is “not dispositive” in view of “the second part of the policy’s definition of [property damage], which
includes “loss of use of tangible property.”25 The court concluded that the allegation of loss of use of the claimant’s
computers was “clearly” “property damage” as defined in the policy:
The [claimants] plainly allege in their state court petition that defendant’s negligence caused a loss of use of their
computers. … Because a computer clearly is tangible property, an alleged loss of use of computers constitutes
“property damage” within the meaning of plaintiff’s policy.26
There may be coverage, therefore, in data breach cases where the claimants allege loss of use. This issue may be
considered in the Sony data breach insurance coverage litigation, since at least one of the class action complaints alleges
loss of use of PlayStation consoles:
Plaintiffs seek damages to compensate themselves and the Class for their loss (both temporary and permanent)
of use of their PlayStation consoles and the PlayStation® Network and Qriocity services (collectively referred to
herein as “PSN” service), and their time and effort spent attempting to protect their privacy, identities and financial
information.27
Indeed, Zurich, one of Sony’s insurers, has expressly recognized that liability insurance policies may provide coverage in
the event of a data security breach:
Security breaches via hacking, phishing, pharming, unauthorized internal access and the inadvertent disclosure of
non-public personal information are all circumstances that can lead to legal exposure. Potential causes of action
resulting from data security breaches may include increased risk of identity theft, actual or attempted identity theft,
violation of consumer protection statutes, negligence, breach of contract, breach of fiduciary duty and even fraud.
A company’s standard property and casualty insurance policies may provide some coverage in the event of a data
security breach, but specialized cyberliability coverages may be worth exploring and evaluating.28
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
In addition to the question of whether data is “tangible,” another potential hurdle for insureds is that the current ISO
standard-form policy, and other ISO standard-form policies effective on or after December 1, 2001, expressly exclude
“electronic data” from the definition of “property damage.”29
In addition, ISO standard-form policies effective on or after December 1, 2004 expressly exclude “[d]amages arising out
of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”30
“Electronic data” is defined as follows:
As used in this exclusion, electronic data means information, facts or programs stored as or on, created or used
on, or transmitted to or from computer software, including systems and applications software, hard or floppy
disks, CDROMs, tapes, drives, cells, data processing devices or any other media which are used with electronically
controlled equipment.
Courts generally have upheld such limitations and exclusions.31
It is important to recognize that “data” limitations and exclusions may not vitiate coverage, however. Coverage may have
been added back through endorsement. For example, the ISO “Electronic Data Liability Endorsement” adds “electronic
data” back to the definition of “property damage”32 Coverage also may have been purchased through the ISO
“Electronic Data Liability Coverage Form,”33 under which the insurer pays “those sums that the insured becomes legally
obligated to pay as damages because of ‘loss of electronic data’” that “[i]s caused by an ‘electronic data incident[.]’”34
Standard form ISO policies written or effective on or before December 1, 2001, moreover, do not except “electronic data”
from the definition of “property damage”35 and do not exclude “electronic data.” And even recently issued policies may
not contain such exceptions or exclusions. One might reasonably presume, for example, that the Zurich policies in the
Sony PlayStation coverage litigation, which as alleged were effective for the policy period beginning April 1, 2011,36 do
not contain any express exceptions or exclusions—none are raised in Zurich’s complaint.37
Even where a policy contains an express “electronic data” exclusion, moreover, there should be coverage if a cyber
attack causes physical damage to or loss of use of computers or computer systems. For example, the Eighth Circuit in
Eyeblaster, Inc. v. Federal Insurance Co.38 held that an insurer had a duty to defend a complaint alleging injury to the
plaintiff’s “computer, software, and data after he visited [the insured’s] website.”39 The plaintiff alleged that “his computer
was infected with a spyware program from [the insured] on July 14, 2006, which caused his computer to immediately freeze
up” and that “he lost all data on a tax return on which he was working and that he incurred many thousands of dollars of
loss.”40 The plaintiff further alleged that “he ha[d] experienced the following: numerous pop-up ads; a hijacked browser
that communicates with websites other than those directed by the operator; random error messages; slowed computer
performance that sometimes results in crashes; and ads oriented toward his past web viewing habits.”41
The insured’s CGL policy obligated “the insurer to provide coverage for property damage caused by a covered
occurrence.”42 “Property damage” was defined in the policy at issue as “physical injury to tangible property, including
resulting loss of use of that property ...; or loss of use of tangible property that is not physically injured.”43 The definition of
“tangible property” excluded “any software, data or other information that is in electronic form.”44
Notwithstanding the exclusion, the court held that the insurer was obligated to defend the insured because the complaint
alleged “loss of use of tangible property that is not physically injured” under the second prong of the “property damage”
definition:
[The insured] points to language from the [claimant’s] complaint in which he alleges his computer was “taken
over and could not operate,” “froze up,” and would “stop running or operate so slowly that it will in essence
become inoperable.” [The claimant] also alleges that he experienced “a hijacked browser-a browser program that
communicates with websites other than those directed by the operator,” and “slowed computer performance,
sometimes resulting in crashes.” [The claimant] asserts that his computer has three years of client tax returns that he
cannot transfer because he believes the spyware files would also be transferred, and he therefore must reconstruct
those records on a new computer. He thus argues that his computer is no longer usable, as he claims among his
losses “the cost of his existing computer.”
[The insurer] did not include a definition of “tangible property” in its General Liability policy, except to exclude
“software, data or other information that is in electronic form.” The plain meaning of tangible property includes
computers, and the [underlying] complaint alleges repeatedly the “loss of use” of his computer. We conclude that the
allegations are within the scope of the General Liability policy.45
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
Other common policy exclusions, such as the “your work,”46 “impaired property”47 or “intentional act”48 exclusion may
apply, however, and it is important to recognize that resolution of each claim will depend upon the specific facts of such
claim, the specific policy language at issue,49 and applicable law.
As claims increase, we can expect to see more courts addressing whether such claims raise sufficient issues to at least
trigger a defense obligation under the CGL Coverage A.
Claims Alleging “Bodily Injury”
The main coverage part of the current standard form ISO CGL policy form states that the insurer “will pay those sums
that the insured becomes legally obligated to pay as damages because of ‘bodily injury’”50 that “occurs during the policy
period.”51 There is little if any case law to date that addresses whether claims arising from data breaches or other cyber
risks allege “bodily injury,” which is defined in the current ISO CGL policy as “bodily injury, sickness or disease sustained
by a person, including death resulting from any of these at any time.”52 This potential source of coverage for data breach
claims should not be overlooked, however, as case law may support an argument that “bodily injury” as defined in the
policy includes emotional harm. In addition, the specific policy at issue may contain a broadened definition of “bodily
injury” that expressly extends to emotional harm.53
Depending on the policy language and applicable law, there may be coverage for data breach cases. For example, one of
the class action complaints filed against Sony arising out of the 2011 high-profile attack on the Sony PlayStation Network
alleges the following injuries:
Defendant has failed to provide regular credit reports and credit monitoring at their own expense to those whose
private data was exposed and left vulnerable. This has caused, and continues to cause, millions of consumers fear,
apprehension, and damages including extra time. effort, and costs for credit monitoring, and extra time, effort,
and costs associated with replacing cards and account numbers, and burden, and is harming both consumers’ and
merchants’ ability to protect themselves from such fraud. This lawsuit seeks to remedy this reprehensible situation.54
It warrants mention that, as part of its April 2013 revisions to the CGL policy forms, including the main forms and the ISO
“Electronic Data Liability Endorsement,” ISO has clarified that the “electronic data” exclusion “does not apply to liability
for damages because of ‘bodily injury.’”55 ISO has characterized this as a “broadening of coverage”56 and has stated that
its intention with this change is to confirm that there should be coverage if the loss of use of data or the inability to access
it leads to bodily injury.
However, the 2007 and later ISO forms contain an exclusion for privacy-related laws, which is applicable to Coverage A.57
The current standard form, which became effective in most states in April 2013, contains an updated version of this
exclusion, which states that “[t]his insurance does not apply to” …”‘Bodily injury’ or ‘property damage’ arising directly
or indirectly out of any action or omission that violates or is alleged to violate … [a]ny federal, state or local statute,
ordinance or regulation …. That addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording,
sending, transmitting, communicating or distribution of material or information.”58
Very recently, ISO filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess
and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements,
entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited
Bodily Injury Exception Not Included,” modifies the “electronic data” exclusion59 to state that “[t]his insurance does not
apply to”:
Damages arising out of:
(1)Any access to or disclosure of any person’s or organization’s confidential or personal information, including
patents, trade secrets, processing methods, customer lists, financial information, credit card information, health
information or any other type of nonpublic information; or
(2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic
expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of
that which is described in Paragraph (1) or (2) above.60
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an
exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of,
inability to access, or inability to manipulate electronic data.”61
Claims Alleging “Publication” That Violates a “Right of Privacy”
The “Personal And Advertising Injury Liability” coverage section of the current standard-form ISO CGL policy62 states that
the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and
advertising injury,’63 which is caused by an offense arising out of [the insured’s] business.”64 “Personal and advertising
injury” is defined in the ISO standard form policy to include a list of specifically enumerated offenses,65 which include the
“offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”66 Similar
to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any
‘suit.’”67 The CGL Coverage B can indemnify and provide a defense against a wide variety of claims, including claims
alleging violation of privacy rights, including data breach cases.
For example, in Tamm v. Hartford Fire Insurance Co.,68 the Superior Court of Massachusetts confirmed that the insurer had
a duty to defend a lawsuit alleging, inter alia, that the insured had “access[ed] and distribut[ed] information obtained in
private email accounts” and “threatened to contact a list of specific e-mail addresses for individuals ….”69 The underlying
lawsuit set out ten counts against the insured, including “violations of RICO, misappropriation of trade secrets, and
violations of Federal wiretapping laws” and requested that “the court restrain [the insured] from ‘disclosing to any person
or entity, or using in any other manner, any confidential or proprietary information or materials belonging to or wrongfully
acquired from [the plaintiff] or its officers, directors, employees, attorneys, or agents.’”70
Based on the complaint, the court easily concluded that the insurer had a duty to defend under the standard insurance
policy language at issue:
In order to trigger the duty to defend under the invasion of privacy language of the policy, an underlying complaint
must allege two things: (1) an “oral or written publication” of (2) “materials that violate person’s rights of privacy.”
The [underlying] complaint alleges that [the insured] accessed the private e-mail accounts of [the plaintiff] and its
executives and sent these private communications and materials to several outside counsel for [the plaintiff]. The
allegations of sending these private communications via e-mail to outside attorneys seemingly satisfies both prongs
under the invasion of privacy clause of the policy.71
Potential issues arising under Coverage B include whether there has been a “publication” that violates the claimant’s
“right of privacy”—both terms are left undefined in standard-form ISO policies. These requirements have been
addressed in a number of decisions considering underlying claims alleging improper use of credit reports in violation
of the Fair Credit Reporting Act (“FCRA”). Many of these decisions have construed these terms in favor of the insured.
For example, Pietras v. Sentry Insurance Co.72 is instructive. In Pietras, the class plaintiff alleged that the insured had
“accessed [hers] and other class members’ credit information without authorization or a permissible purpose under the
FCRA”73 by mailing her a solicitation stating that she had been “pre-approved for an auto loan,” but without making a
“firm offer of credit.”74
The court rejected the insurer’s claim that the insured’s “alleged acts did not involve [plaintiff’s] private information or
‘publication’ of such information.”75 Considering first the “right of privacy” requirement, the Northern District of Illinois
found that this requirement was satisfied under controlling precedent in Valley Forge Ins. Co. v. Swiderski Electronics,
Inc.:76
Based on the FCRA (upon which the class action complaint is based) and the allegations in the class action complaint,
it is difficult to see how the complaint does not allege invasions of privacy that triggered the insurer’s duty to defend
[the insured]
*****
The Valley Forge court concluded, based on standard dictionary definitions, that the plain meaning of “right of
privacy” connotes both an interest in seclusion and an interest in secrecy of personal information. Therefore, even
if the [alleged] solicitations did not contain personal credit information, they still implicated the consumers’ right to
privacy protected by the FCRA-the right not to receive credit solicitations sent without a permissible purpose.77
Turning to the “publication” requirement, the court found that this requirement was satisfied by publication to only one
person:
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
The “advertising injury” provision of the Sentry policy also requires “oral or written publication” before coverage is
triggered….Valley Forge expressly holds that “publication” in a policy providing coverage for “advertising injury”
includes communication to as few as one person, thereby resulting in coverage for violations of a statute invoking
privacy interests, such as the FCRA.78
The court concluded that “the FCRA allegations in the underlying complaint fall within the ‘advertising injury’ provision in
the [insurance] policy and, therefore, [the insurer] had a duty to provide [the insured] a defense.”79
To the same effect is Zurich American Ins. Co. v. Fieldstone Mortgage Co.80 The class plaintiff in Fieldstone Mortgage
alleged that the insured had “improperly accessed and used his and others’ credit information, violating FCRA’s
requirement that access be either consented to or for a permissible purpose” by sending “‘prescreened’ offers from [the
insured, Fieldstone] to refinance his mortgage.”81 The plaintiff alleged that the “‘prescreening’ was based on information
contained in his consumer credit report, which was accessed without his consent and without a permissible purpose
under FCRA (such as the extension of a firm offer of credit).”82
The court first rejected the insurer’s argument that “FCRA does not establish a ‘right of privacy’ recognized by the
policies.”83 The court also rejected the argument that “in order to constitute a publication, the information that violates
the right to privacy must be divulged to a third party.”84 The court noted that “[o]f the circuits to examine ‘publication’ in
the context of an ‘advertising injury’ provision, the majority have found that the publication need not be to a third party.”
85
The “right of privacy” and “publication” requirements also have been considered in connection with underlying claims
alleging violations of the Telephone Consumer Protection Act (“TCPA”), which bans unsolicited fax advertisements. The
Tenth Circuit’s decision in Park University Enterprises, Inc. v. American Cas. Co. Of Reading, PA86 is instructive. In that
case, the class plaintiff alleged that the insured “violated the TCPA when it sent an advertisement to [its] telephone fax
machine in Illinois ‘without prior express invitation or permission.’”87 The Tenth Circuit rejected the insurer’s attempt to
ascribe narrow meaning to the undefined terms “privacy” and “publication”:
As noted above, the court correctly determined that in layman’s terms, “[t]he plain and ordinary meaning of privacy
includes the right to be left alone.” Certainly, the insurer could impose a more restrictive, technical and legal
definition to the term “privacy” following that of the classic tort of invasion of secrecy interests or defamation.
*****
We likewise agree with the district court’s broad construction of the term “publication” in favor of [the insured]. …
Reading the terms in the policy from the vantage point of the insured, rather than an insurer or lawyer it is entirely
reasonable to define publication as making something generally known. By faxing advertisements to the class of
plaintiffs as alleged in the underlying state court complaint, [the insured] effectively published material in this broader
sense, i.e., communicated information generally, which undermined the recipients’ rights to be left alone.88
The court concluded that the insurer had a duty to defend the insured in the TCPA action.89
To the same effect is Penzer v. Transportation Ins. Co.,90 in which the Supreme Court of Florida answered the following
question certified by the Eleventh Circuit:
Does a commercial Liability Policy Which Provides Coverage for “Advertising Injury,” Defined as “Injury Arising out
of ... Oral or Written Publication of Material That Violates a Person’s Right of Privacy,” Such as the Policy Described
Here, Provide Coverage for Damages for Violation of a Law Prohibiting Using Any Telephone Facsimile Machine to
Send Unsolicited Advertisement to a Telephone Facsimile Machine When No Private Information is Revealed in the
Facsimile?91
Penzer involved a class action suit alleging that the class claimants received unsolicited facsimile commercial
advertisements in violation of the TCPA.92 The insurer denied coverage on the basis that “‘oral or written publication
of material that violates a person’s right of privacy’ …provides coverage only for injuries to privacy rights caused by the
content of the material” and “coverage exists only when private matters about one person are communicated to another
person.”93
The court first found the “right of privacy” requirement satisfied by the TCPA, “which provides the privacy right to
seclusion,” and the class allegations:
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
In this case, the source of the right of privacy is the TCPA, which provides the privacy right to seclusion. … The facts
of the instant case demonstrate that there was a written dissemination of 24,000 facsimiles that violated the TCPA.
Comparing the policy’s language to [the facts of this case]: there was a written publication [dissemination] of material
[of 24,000 facsimiles] that violated a person’s right of privacy [that violated the TCPA]. Therefore, applying our plain
meaning analysis, we hold that Transportation’s insurance policy provides coverage for sending unsolicited fax
advertisements in violation of the TCPA.94
The court then found the “publication” requirement satisfied, rejecting the insurer’s argument that “the violation [of the
right to privacy] must arise from the content of the material in order to trigger coverage”:
[W]e find that the clause “that violates a person’s right of privacy” is applicable as much to “publication” as to
“material;” therefore, the clause should be read as applicable to all. Accordingly, we reject Transportation’s assertion
that the violation must arise from the content of the material in order to trigger coverage.
Furthermore, even if the phrase “that violates a person’s right of privacy” only modifies the term “material,” it does
not follow that only the secrecy right to privacy is implicated because “material” could also invade one’s seclusion.95
Based on its findings, the Supreme Court of Florida answered the certified question in the affirmative:
Based upon our plain meaning analysis, we hold that an advertising injury provision in a commercial liability policy
that provides coverage for an “oral or written publication of material that violates a person’s right of privacy” provides
coverage for blast-faxing in violation of the TCPA. We therefore answer the certified question in the affirmative.96
In a very recent August 2013 decision, the Supreme Court of Missouri likewise upheld coverage for violations of the
TCPA in Columbia Cas. Co. v. HIAR Holding, L.L.C.97 In that case, the insurer refused to defend or indemnify an action
alleging that its insured, a hotel proprietor, violated the TCPA by “send[ing] approximately 12,500 unsolicited advertising
facsimiles—’junk faxes’—to recipients in the 314 and 636 area codes in October 2001.”98 The insured defended the suit
at its own expense and, after the insurer rejected an offer to settle within the $1 million per “occurrence” insurance limits,
ultimately agreed to a class-wide settlement for $5 million in January 2007.99 Insurance coverage litigation ensued and the
trial court entered judgment against the insurer for the full settlement plus interest.100
In addition to rejecting the insurer’s argument that TCPA damages are not covered because they are penal in nature,101
the court rejected the insurer’s argument that the advertising injury coverage is “limited to privacy violation claims that
allege violations arising out of the content of the advertising material itself” and that the “privacy language in its policy is
not a reference to protecting seclusion rights guarded by the TCPA”:
These privacy rights arguments are not persuasive in establishing that the trial court erred in determining that
“advertising injury” coverage was invoked in this case. The class’s claims alleged privacy rights violations pursuant
to the TCPA, which has been recognized as providing privacy protections. … [A] reasonable interpretation of HIAR’s
policy can include that coverage is available for the privacy rights claims of the class. 102
The court also rejected the insurer’s claim that there was not coverage because “coverage is intended for a private person
and not for an incorporeal interest,” finding that “the TCPA includes privacy rights for businesses and persons.”103 The
court concluded that “the trial court did not err in determining that ‘property damage’ and ‘advertising injury’ coverage
was invoked and triggered Columbia’s duty to defend [the insured].” 104
Courts have upheld coverage for privacy-related claims in a variety of other settings,105 although the decisions are not
uniform.106
It is important to note that policy language may vary, and the policy language at issue will control, together with the
specific facts of the case and applicable law. In the cyber software context, the Ninth Circuit upheld coverage in
Netscape Communications Corp. v. Federal Insurance Co. under language different from the current standard form
“Coverage B” language.107 In that case, the underlying claimants alleged that the insured’s “SmartDownload [software]
violated the claimants’ privacy by, among other things, collecting, storing, and disclosing to Plaintiffs and their engineers
claimants’ Internet usage.”108 The insured “used this information to create profiles of its users, both to help with technical
support, and additionally, to create opportunities for targeted advertising.”109 The claimants alleged that the use of the
feature violated the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.110
The insurance policy obligated the insurer to “pay amounts [the insured] is legally required to pay as damages for
covered personal injury that … is caused by a personal injury offense,” which was defined to include the offense of “[m]
aking known to any person or organization written or spoken material that violates a person’s right to privacy.”111 The
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
district court held that the insurer had a duty to defend, reasoning that “when [the insured] received information from
SmartDownload, it was making it known to AOL by transmitting it to its parent company. Similarly, individual [insured]
employees made the information known to each other by circulating files among themselves with the information gained
from SmartDownload.”112 The Ninth Circuit affirmed that “the district court correctly determined that the claims against
[the insured] were ‘personal injury offenses’ and within the policy’s coverage.”113 The Ninth Circuit dismissed as “dicta”
cases stating that “coverage is triggered by a disclosure to a third party.”114
The “publication” and “right of privacy” requirements may soon be addressed in connection with the Sony PlayStation
insurance coverage litigation. One of the issues in that case involves whether Coverage B is triggered. In its recent
motion for partial summary judgment, Sony argues that the claims alleged fall within the scope of coverage afforded
under the “personal and advertising injury” coverage:
The MDL Amended Complaint, which is currently the operative complaint in the underlying litigation, alleges that
plaintiffs suffered the “loss of privacy” as the result of the improper disclosure of their “Personal Information”--defined as “sensitive personal and financial information” that includes “customer names, mailing addresses, email
addresses, and birth dates, as well as credit and debit card numbers, expiration dates, and security codes, online
network passwords, login credentials, answers to security questions, and other personal information.” This kind of
information has been held to constitute “material that violates a person’s right of privacy.”
*****
For purposes of triggering Personal Injury Coverage, disclosure to a small group of people or a single person is
sufficient. In addition, courts have recognized that “publication” can occur when someone gains unauthorized
access to information, even in the absence of an overt act of disclosure…. Here, the Data Privacy Litigation includes
allegations that the plaintiffs’ “sensitive personal and financial information” was “placed ... in the hands of cyber
criminals.”115
As with Coverage A, there may be coverage hurdles under Coverage B. ISO standard form policies written or effective on
or after December 1, 2001, for example, contain several exclusions relating to internet-related activities.116
In addition, as noted above, the 2007 and later ISO forms contain an exclusion for privacy-related laws, including the
TCPA, which is applicable to Coverage B.117 The current 2013 industry form also includes violations of the FCRA and “[a]
ny federal, state or local statute, ordinance or regulation … that addresses, prohibits, or limits the printing, dissemination,
disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.118 The
current form states that “[t]his insurance does not apply to”:
p. Recording And Distribution Of Material Or Information In Violation Of Law
“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is
alleged to violate:
(1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
(3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and
Accurate Credit Transactions Act (FACTA); or
(4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or
FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination,
disposal, collecting, recording, sending, transmitting, communicating or distribution of material or
information.119
Insurers have raised this exclusion in recent privacy breach cases.120 In addition the exclusion pertaining to insureds
“whose business is … “[a]n Internet search, access, content or service provider”121 is currently at issue in the Sony
PlayStation data breach coverage litigation.122
More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced a new endorsement, entitled
“Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or
written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the
Definitions section of Coverage B).123
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
And most recently, as noted above, ISO has filed a number of data breach exclusionary endorsements for use with
its standard-form primary, excess and umbrella CGL policies. By way of example, one of the endorsements, entitled
“Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - With Limited
Bodily Injury Exception,” adds exclusionary language to Coverage B, which states that that “[t]his insurance does not
apply to”:
“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s
confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial
information, credit card information, health information or any other type of non public information.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic
expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any
access to or disclosure of any person’s or organization’s confidential or personal information.124
ISO states that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or
written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and
advertising injury coverage.”125 While acknowledging that coverage for data breaches is currently available under its
standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking
activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal
or confidential information and associated with such events were not necessarily contemplated under the policy.”126 The
scope of this exclusion ultimately will be determined by judicial review.
It must be emphasized that the specific policy language at issue will control. Even where a primary policy contains
these newer exclusions, moreover, excess policies may provider broader coverage. The Southern District of Ohio’s
recent July 2013 decision in Encore Receivable Management, Inc. v. Ace Property and Cas. Ins. Co.127 is instructive. In
that case, the insureds faced two lawsuits, both alleging that the defendants recorded various telephone conversations
without consent.128 The primary insurance policies contained the “Recording and Distribution of Material or Information
in Violation of Law Exclusion” language contained in the 2007 and later ISO forms.129 The insureds contended that this
exclusion “excludes coverage for the [underlying actions] because they constitute claims arising from the recording of
information in violation of law” and therefore, their excess insurer “ha[d] an immediate duty to defend” the underlying
actions.130
The excess policies stated that the insurer had a duty to defend “[w]hen damages sought for ... ‘personal and advertising
injury’ are not covered by ‘underlying insurance’….”131 The excess policies did not contain the “Recording and
Distribution of Material or Information in Violation of Law” exclusion.132 However, the excess insurer denied coverage
on the basis that there was no “publication” because there was no “distribution of information to the public at large.”133
According to the insurer, “‘publication,’ as that term is used in the [insurance policies] requires the distribution of
information or news to the public.”134 The insurer further argued that “eavesdropping is not an act of communication
to the public, but rather an invasion of seclusion accomplished by a non-communicative act.”135 The court rejected this
argument, finding that “the initial dissemination of the conversation constitutes a publication at the very moment that the
conversation is disseminated or transmitted to the recording device” and, therefore, the court did not need to “find that
the recordings were disseminated to the public in order to find publication.”136
The conceded applicability of the exclusion in the primary policies notwithstanding, therefore, the court concluded that
the insurer “ha[d] an immediate duty to defend, and pay the costs of defending” the underling actions.137
Claims Alleging Use of an “Advertising Idea” or Infringement in the Insured’s “Advertisement”
The current ISO form definition of “personal and advertising injury” includes the “offenses” of “[t]he use of another’s
advertising idea in your ‘advertisement’” and “[i]nfringing upon another’s copyright, trade dress or slogan in [the
insured’s] ‘advertisement.’”138 There may be coverage for “cyber”-related infringement of intellectual property under this
standard form language. Although insurers sometimes argue that offenses such as copyright, trade dress or trademark
infringement are not covered because the “unauthorized use” exclusion139 applies, insureds have met with some success
in achieving coverage.
The Eleventh Circuit’s recent decision in St. Luke’s Cataract and Laser Institute, P.A. v. Zurich American Ins. Co.140 is
instructive. In that case, the insured had worked as an oculoplastic surgeon at St. Luke’s Cataract and Laser Institute, P.A.
(“St. Luke’s”) and, while there, worked with a webmaster to create a website to promote St. Luke’s oculoplastic surgery
practice. The webmaster registered the domain names LASERSPECIALIST.com and LASEREYELID.com to use for the
website.141 Each page of the website contained a copyright notice stating “Copyright © [Year] St. Luke’s Cosmetic Laser
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
Center, All Rights Reserved.”142 After resigning from St. Luke’s, the insured relaunched the website using the same domain
names.143 St. Luke’s brought suit alleging, among other things, copyright infringement and removal of the copyright
notice in violation of the Digital Millennium Copyright Act (“DMCA”).144
Eventually, the insured and St. Luke’s settled for a $2.4 million final judgment against the insured and pursued insurance
coverage.145 The insurers denied coverage, arguing that “although the policies may provide coverage for copyright
infringement, such claims are not covered when they: Aris[e] out of the unauthorized use of another’s name or product in
your e-mail address, domain name or metatag, or any other similar tactics to mislead another’s potential customers.”146
The district court agreed and the insured and St. Luke’s appealed.
The Eleventh Circuit reversed. Considering first the copyright infringement claim, the court found that the claim was
based on “wrongful use of the contents, layout, and design of St. Luke’s LASERSPECIALIST.com website,” which is “not
the same thing as the use of ‘another’s name or product.’”147 The court further found that the insured “used the content
for display on his own website, rather than in an ‘e-mail address, domain name or metatag.’”148 The court refused to
“allow the ‘similar tactics’ language to swallow the narrow language used in the exclusion and turn it into a catch-all
exclusion for the use on the internet in any way of material belonging to another.”149 Finally, the court found the requisite
causal connection lacking: “[n]either the district court nor the Insurance Companies point to any causal connection
between [the insured]’s copyright infringement and his use of St. Luke’s domain name as required by Florida law. St.
Luke’s copyright claim may be related to—but it does not arise out of—[the insured]’s use of the LASERSPECIALIST.com
domain name.”150
Turning to the DMCA claim, the Eleventh Circuit likewise held the exclusion imapplicable: “[t]he DMCA violation does not
itself constitute either (i) unauthorized use of another’s name or product in an email address, domain name or metatag, or
(ii) a similar tactic to mislead another’s customers. Nor can it be said to arise out of such conduct.”151
In addition to the potential applicability of exclusions, coverage disputes and decisions often turn on whether there is an
“advertisement.” The industry standard form has, since 1998, defined “advertisement” as follows:
“Advertisement” means a notice that is broadcast or published to the general public or specific market segments about
your goods, products or services for the purpose of attracting customers or supporters.152
Since 2001, the standard form has contained the following additional language:
For the purposes of this definition:
a.Notices that are published include material placed on the Internet or on similar electronic means of
communication; and
b.Regarding web-sites, only that part of a website that is about your goods, products or services for the purposes of
attracting customers or supporters is considered an advertisement.153
In contrast, the 1996 and prior industry standard forms do not use or define the term “advertisement”; rather, they use
and define the term “advertising injury” as follows:
1.
“Advertising injury” means injury arising out of one or more of the following offenses:
a.Oral or written publication of material that slanders or libels a person or organization or disparages a person’s or
organization’s goods, products or services;
b. Oral or written publication of material that violates a person’s right of privacy;
c. Misappropriation of advertising ideas or style of doing business; or
d. Infringement of copyright, title or slogan.154
The decisions are mixed and turn on the specific policy language at issue, the particular facts of the case and applicable
law.155
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
(Endnotes)
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
No. 651982/2011 (N.Y. Sup. Ct. New York Cty.) (filed July 20, 2011).
Complaint at ¶71. As alleged in the coverage complaint, the underlying lawsuits against Sony “do not assert claims for ‘bodily injury,’ ‘property
damage’ or ‘personal and advertising injury’ so as to entitle [the insured] to defense and/or indemnity” under the insurance policy. Id. The complaint
further alleges that [“[e]ven if claims for ‘bodily injury,’ ‘property damage,’ and/or ‘personal and advertising injury’ were alleged … the [policy]
includes certain exclusions that apply to exclude coverage for the claims asserted in the [underlying] Complaints.” Id. ¶72.
In another recently filed suit, Nationwide Mut. Fire Ins. Co. vs. First Citizens Bank and Trust Co. Inc., et al., No. 4:13cv598 (D.S.C.) (filed Mar. 6,
2013), the insurer alleges that it has no duty to defend or indemnify its insureds against claims that a janitor was allowed to access bank customers’
confidential information, which was kept in the same closet where janitorial supplies were stored. Among other things, Nationwide’s complaint states
that “[t]he alleged damages are not ‘bodily injury’ or ‘property damage’ arising from an ‘occurrence’” or “‘personal injury and advertising injury’ as
defined in the policy.” Complaint at ¶¶40, 43. This case highlights the point that data breaches need not involve “cyber” threat.
ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state
insurance commissioners.
ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §§1.a., 1.b.(2). ISO’s new standard CGL policy forms, including both its “occurrence”-based
form (CG 00 01 04 13) and claims-made form (CG 00 02 04 13), came into effect on April 1, 2013. However, the pertinent insuring language has
remained the same for many years. See, e.g., ISO Form CG 00 01 11 85 (1986).
ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a.
See, e.g., ISO Form CG 00 01 04 13 (2012), Section V, §17; ISO Form CG 00 01 11 85 (1986), Section V, §12.
ISO Form CG 00 01 04 13 (2012), Section V, §17. “Property damage” is defined in the current form as follows:
17. “Property damage” means:
a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time
of the physical injury that caused it; or
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that
caused it.
For the purposes of this insurance, electronic data is not tangible property.
As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from
computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any
other media which are used with electronically controlled equipment.
ISO Form CG 00 01 04 13 (2012), Section V, §17.
469 N.W.2d 735 (Minn. Ct. App. 1991).
Id. at 736.
Id. at 737.
Id.
Id.
Id. at 738. The court also found inapplicable an exclusion for “damage to property ‘entrusted’ to the insured ‘for storage or safekeeping.’” Id. at 737.
Id. Conversely, the court did not find relevant certain “property and sales tax cases that address the question whether recorded material is tangible
property for tax purposes,” finding it “inappropriate to apply tax law to the interpretation of an insurance policy.” Id. at 737 n. 1.
See, e.g., Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288, 1290-91 (7th Cir. 1983) (California law) (holding that the insurer had a
duty to defend a suit alleging that the insured, a company that sold computer hardware and software products, introduced a faulty controller into the
plaintiff’s data processing system, causing “loss of customer billing and patient care information,” finding that “[a] fair reading of the complaint …
clearly raises the spectre that liability for property damage may ensue”); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380, slip op.
at 3-4 (2d Dist. Ct. N.M. May 24, 2000) (finding that computer data “was physical, had an actual physical location, occupied space and was capable
of being physically damaged and destroyed” and concluding that “computer data is tangible property” where the claimant sought the cost of
reconstructing data files after the insured reformatted its hard drive and erroneously stated that the “data could not be retrieved”), rev’d in part on
other grounds, 46 P.3d 1264 (N.M. Ct. App. 2002).
Further discussion on this point will be provided in Part III, in which the author discusses potential coverage under commercial property insurance
policies.
See, e.g., Liberty Corporate Capital Ltd. v. Security Safe Outlet, Inc., --- F. Supp. 2d ----, 2013 WL 1311231, at *7 (E.D.Ky. Mar. 27, 2013) (Kentucky
law) (“[W]hat [the plaintiff] alleges was misappropriated were [the plaintiff]’s customer’s email addresses obtained from an electronic backup copy
of [the plaintiff]’s customer database. Because such ‘property’ has no physical form or characteristics, it simply does not fall within the definition of
‘tangible property.’”); Cincinnati Ins. Co. v. Professional Data Servs., Inc., 2003 WL 22102138, at *6-7 (D. Kan. July 18, 2003) (predicting Kansas law)
(“[T]he Underlying Action is limited to allegations of the loss of use of the APM Software and the lost or corrupted patient account data incorporated
therein. … Neither the APM Software nor the data incorporated therein constitute tangible property because neither has any physical substance and
neither is perceptible to the senses”); America Online Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459, 467, 468-69 (E.D. Va. 2002) (“Similar to the
information written on a notepad, or the ideas recorded on a tape, or the design memorialized in a blueprint, computer data, software and systems
are intangible items stored on a tangible vessel—the computer or a disk…. In light of the plain meaning of the term tangible and established caselaw, the court holds that the Policy does not cover damage to computer data, software and systems because such items are not tangible property.”);
aff’d, 347 F.3d 89 (4th Cir. 2003); State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F.Supp.2d 1113, 1116 (W.D. Okla. 2001) (Oklahoma
law) (“Although the medium that holds the information can be perceived, identified or valued, the information itself cannot be. Alone, computer data
cannot be touched, held, or sensed by the human mind; it has no physical substance. It is not tangible property.”). Cf. Lucker Mfg., A Unit of Amclyde
Engineered Prods., Inc. v. Home Ins. Co., 23 F.3d 808 (3d Cir. 1994) (holding that an insurer had no duty to defend or indemnify claims alleging loss of
use of a product design because “none of the losses [the claimant] sought from [the insured] represented a loss in value of the storage medium in
which the design … was embodied or in the costs in reducing the design to blueprints or computer tape (e.g. the costs of having engineers draw up
the plans for the system),” but rather “was for the loss of use of the design itself—for the loss in usefulness of the original concept,” which was “not loss
of use of something which could be touched or felt”); St. Paul Fire & Marine Ins. Co. v. National Computer Sys., Inc., 490 N.W.2d 626, 631-32 (Minn. Ct.
App. 1992) (“[The claimant]’s claims … alleged that [the insured] misappropriated … proprietary information. [The claimant] was not suing [the insured]
for … misappropriation of the binders in which [The claimant]’s information was kept; [the claimant] was suing [the insured] for taking information that
gave [the insured] a competitive advantage over Boeing. Boeing had sought to keep the information in the binders confidential; it was the loss of the
confidential nature of the information that led to [the claimant]’s damages, not the loss of the binders containing the information. … Misappropriation
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
of confidential proprietary information does not constitute property damage within the meaning of the [insurance] policy.”) (distinguishing Retail
Systems).
18.9 Couch on Insurance § 126:40 (3d ed. 2012); see also Catherine L. Rivard and Michael A. Rossi, Is Computer Data “Tangible Property” or Subject
to “Physical Loss or Damage”?—Part 1 (August 2001), available at http://www.irmi.com/expert/articles/2001/rossi08.aspx (last visited July 12, 2013)
(“the lack of clear and unequivocal case law on the subject can leave some commercial insurance buyers in the dark as to the scope of coverage for
computer data losses provided by their insurance programs”).
19. See, e.g., Cohen v. Erie Indem. Co., 432 A.2d 596, 599 (Pa. Super. Ct. 1981) (“[t]he mere fact that several appellate courts have ruled in favor of
a construction denying coverage, and several others have reached directly contrary conclusions, viewing almost identical policy provisions, itself
creates the inescapable conclusion that the provision in issue is susceptible to more than one interpretation”).
20. See Jerold Oshinsky et al., Fighting Phishing, Pharming, and Other Cyber-Attacks:Coverage for High Tech Liabilities,
URMIA
Journal
Reprint,
at
20
(2010),
available
at
http://jenner.com/system/assets/publications/274/original/
URMIA_Journals_2010_.pdf?1313178664 (last visited May 13, 2013) (“If a cyber-attack causes physical damage to an organization’s servers or hard
drives, the insurer must cover the losses because there is no question that there has been direct physical damage.”).
21. 147 F. Supp. 2d 1113 (W.D. Okla. 2001) (Oklahoma law).
22. Id. at 1115.
23. See id.
24. Id.
25. Id. at 1116.
26. Id. The court denied coverage, however, based on application of the “your work” exclusion. See id. at 1117; see also Nationwide Ins. Co. v. Hentz,
2012 WL 734193, at *3-5 (S.D.Ill. Mar. 6, 2012) (holding that a homeowner’s general liability policy potentially covered “notification, credit monitoring
and insurance costs” as “‘damages …. Because of ‘property damage’” resulting from the theft of a CD-ROM containing personally identifiable
information where “the medium on which the data were stored—the CD–ROM—was stolen” and thus the insured “clearly suffered a ‘loss of use’ of
that ‘tangible property,’” but holding that coverage was barred by an exclusion for “property … in the care of the ‘insured’”).
27. Johns et al. v. Sony Computer Entm’t Am. LLC et al., 3:11-cvN263-EDL, at ¶8 (N.D. Cal. Apr. 27, 2011).
28.Zurich, Data security: A growing liability threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (last visited August 30, 2013).
29. See note 7, supra.
30. See CG 00 01 04 13 (2012), Section I, Coverage A, §2.p. Id.
31. See, e.g., Liberty Corporate Capital Ltd. v. Security Safe Outlet, Inc., --- F.Supp.2d ----, 2013 WL 1311231, at *7 (E.D.Ky. Mar. 27, 2013) (Kentucky law)
(“[T]he terms of the Policy clearly and unequivocally exclude ‘electronic data,’ including information stored, created or used on computer software,
from the definition of ‘tangible property.’ Information obtained from [the insured]’s customer database falls squarely within this exclusion.”); Union
Pump Co. v. Centrifugal Tech., Inc., 2009 WL 3015076, at *2 (W.D.La. Sept. 18, 2009) (holding that there was no coverage for claims alleging “the
unauthorized and wrongful use, and ultimately, the destruction of its design drawings, autocad drawings, and pump models” where the policy
definition of “property damage” stated that “electronic data is not tangible property” and “[t]he policy itself specifically excludes electronic data,
which would encompass all electronic copies of the design and autocad drawings”); Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 2012 WL 469988,
at *1, *5 (Conn. Super. Ct. Jan. 17, 2012) (holding that there was no coverage for “$2,467,245.10 for notifying current and/or former employees,
$595,122.00 for maintaining call centers and $3,130,101.20 for credit monitoring services” incurred by the claimant after “an IBM cart containing
electronic media fell out of [the insured’s] transport van” and “[t]he cart and approximately 130 computer data tapes, containing personal information
for more than 500,000 IBM employees, were then removed by an unknown person and never recovered” where the policy definition of “property
damage” stated that “electronic data is not tangible property and that electronic data is explicitly excluded from the definition of tangible property”).
32. The endorsement provides in relevant part:
17. “Property damage” means:
a. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the
time of the physical injury that caused it;
b. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence”
that caused it; or
c. Loss of, loss of use of, damage to, corruption of, inability to access, or inability to properly manipulate “electronic data”, resulting from
physical injury to tangible property. All such loss of “electronic data” shall be deemed to occur at the time of the “occurrence” that
caused it.
For the purposes of this insurance, “electronic data” is not tangible property.
ISO Form CG 04 37 04 13 (2012), ¶D. The endorsement defines “electronic data” as “information, facts or programs stored as or on, created or used
on, or transmitted to or from computer software (including systems and applications software), hard or floppy disks, CD-ROMs, tapes, drives, cells,
data processing devices or any other media which are used with electronically controlled equipment.” Id. ¶C.
33. CG 00 65 04 13 (2012).
34. Id. §I.1.a., b(1)(a). “Loss of electronic data” is defined as “damage to, loss of, loss of use of, corruption of, inability to access, or inability to properly
manipulate, ‘electronic data.’” Id. §VI.10. “Electronic data incident” is defined as “an accident, or a negligent act, error or omission, or a series of
causally related accidents, negligent acts, or errors or omissions, which results in ‘loss of electronic data’.” Id. §VI.6.
35. See, e.g., ISO Form CG 00 01 07 98 (1997), Section V, §17; ISO Form CG 00 01 01 96 (1994), Section V, §15; ISO Form CG 00 01 10 93 (1992), Section
V, §15; ISO Form CG 00 01 11 88 (1991), Section V, §12.
36. Complaint at ¶¶41, 48, 55.
37. In contrast, in a case filed in February 2012, Arch Ins. Co. v. Michaels Stores, Inc., 1:12−cv−00786 (N.D. Ill.), the insurer denied coverage for underlying
lawsuits alleging that the insured had failed to safeguard its retail store PIN pad devices, based on the “electronic data” exclusion and the updated
definition of “property damage.” As Arch alleged, “[t]o the extent the lawsuit alleges ‘bodily injury’ or ‘property damage’ under Coverage A, any
coverage for such ‘bodily injury’ or ‘property damage’ is eliminated by the ‘Electronic Data’ exclusion.” Complaint at ¶25(d); see also id. at ¶21 (quoting
the “property damage” definition). The Arch lawsuit was stayed and dismissed in September 2012 without prejudice in order for the parties to finalize
the terms of a settlement. See Docket minute entry #50 (September 10, 2012). The most recent docket entry, as of July 11, 2013, indicates that the
parties have filed a Joint Motion to Dismiss. See Docket minute entry #57 (July 1, 2013).
38. 613 F.3d 797 (8th Cir. 2010).
39. Id. at 799.
40. Id. at 800.
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
41.
42.
43.
44.
45.
46.
Id.
Id. at 801.
Id.
Id.
Id. at 801-02.
See, e.g., Midwest Computers, 147 F. Supp. 2d at 1116 (the insurer had no duty to defend or indemnify because the policy “your work” exclusion
barred coverage for “allegations that defendant’s negligent performance of service work caused [the claimants] to lose the use of their computers”).
47. See, e.g., America Online, 207 F. Supp. 2d at 93, 98-99 (holding that the impaired property exclusion barred coverage for complaints alleging “in
general that AOL’s Version 5.0 access software altered the customers’ existing software, disrupted their network connections, caused them loss of
stored data, and caused their operating systems to crash” and declining to address whether the underlying complaints “allege[d] loss of use”).
48. See, e.g., A Compaq Computer Corp. v. St. Paul Fire and Marine Ins. Co., 2003 WL 22039551, at *7 (Minn. Ct. App. Sept. 2, 2003) (Texas law) (“even
if we were to decide that data stored on a floppy disk are ‘tangible property,’ the intentional-acts exclusion prohibits coverage under the Tech GL
agreement”).
49. Although the ISO standard forms are used by a majority of insurers, some insurers use their own terms and conditions that may be broader or more
restrictive than the ISO forms.
50. ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a.
51. Id. §1.b.(2).
52. ISO Form CG 00 01 04 13 (2012), Section V, §3.
53. See generally Richard Clarke, Where to Find the Best Possible Cyber Coverage, Insurance Journal (Feb. 19, 2013), available at http://www.
insurancejournal.com/news/national/2013/02/19/281713.htm (last visited May 13, 2013) (hereinafter “Where to Find the Best Possible Cyber
Coverage”) (“Any good insurance broker would go to extreme lengths to try to find coverage based upon the claim situation at hand. An example
might be lawsuit allegations to the effect of ‘invasion of privacy/confidentiality.’ Certainly, cyber insurance policies — and perhaps certain technology
errors and omissions liability policies, and even some professional liability policies — may provide this coverage. But it’s also true that many commercial
general liability (CGL) policy forms, under the definition of ‘Personal Injury,’ will likely provide some form of cyber coverage, as well.”).
54. Johns et al. v. Sony Computer Entm’t Am. LLC et al., 3:11-cvN263-EDL, at ¶3 (N.D. Cal. Apr. 27, 2011). An argument can be made that credit
monitoring is analogous to medical monitoring.
55. See, e.g., CG 00 01 04 13 (2012), Section I, Coverage A, §2.p.
56. 2012 General Liability Multistate Forms Revision To Policyholders (CG P 015 04 13).
57. The standard form added in 2007 states that “[t]his insurance does not apply to”:
q. Distribution Of Material In Violation Of Statutes
“Bodily injury” or “property damage” arising directly or indirectly out of any action or omission that violates or is alleged to violate:
(1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; or
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or
(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting,
communicating or distribution of material or information.
ISO Form CG 00 01 12 07 (2007), Section I, Coverage A, §2.q.
58. See CG 21 07 05 14 (2013).
59. See text accompanying note 29, supra.
60. See CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or
from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices
or any other media which are used with electronically controlled equipment.” Id.
61. ISO Commercial Lines Forms Filing CL-2013-0DBFR, at p. 8.
62. Pre-1998, the ISO standard forms separated “personal injury” and “advertising injury,” while the more current forms combine “personal and
advertising injury.” Prior to 1986, this coverage was available through a “Broad Form Endorsement” to the standard ISO policy.
63. ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.
64. Id. §1.b.
65. The 2013 CGL policy form defines “personal and advertising injury” as:
14. “Personal and advertising injury” means injury, including consequential “bodily injury”, arising out of one or more of the following offenses:
a. False arrest, detention or imprisonment;
b. Malicious prosecution;
c. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person
occupies, committed by or on behalf of its owner, landlord or lessor;
d. Oral or written publication, in any manner, of material that slanders or libels a person or organization or disparages a person’s or
organization’s goods, products or services;
e. Oral or written publication, in any manner, of material that violates a person’s right of privacy;
f. The use of another’s advertising idea in your “advertisement”; or
g. Infringing upon another’s copyright, trade dress or slogan in your “advertisement”.
Id. Section V, §14. “Advertisement” includes:
1. “Advertisement” means a notice that is broadcast or published to the general public or specific market segments about your goods, products
or services for the purpose of attracting customers or supporters. For the purposes of this definition:
a. Notices that are published include material placed on the Internet or on similar electronic means of communication; and
b. Regarding websites, only that part of a website that is about your goods, products or services for the purposes of attracting customers or
supporters is considered an advertisement.
Id. §1.
66. Id. §14.e.
67.Id. Section I, Coverage B, §1.a.
68. 2003 WL 21960374 (Mass. Super. Ct. 2003).
69. Id. at *2.
70. Id. at *3.
71. Id.
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
72.
73.
74.
75.
2007 WL 715759 (N.D.Ill. Mar. 6, 2007) (Illinois law).
Id. at *1.
Id. at *2.
Id. The insurance policy covered damages sustained due to “personal and advertising injury caused by an offense arising out of your business” and
defined “personal and advertising injury” as “oral or written publication of material that violates a person’s right of privacy.” Id.
76. 860 N.E.2d 307 (Ill. 2006) (holding that the insurer had a duty to defend “junk fax” lawsuits brought under the TCPA.
77. Pietras, 2007 WL 715759, at *2-3 (court’s emphasis).
78. Id. at *3.
79. Id. at *4; see also American Family Mut. Ins. Co. v. C.M.A. Mortg., Inc., 2008 WL 906230, at *5 (S.D.Ind. Mar. 31, 2008) (Indiana law) (“We share the view
explicated by the court in Pietras …. that the common law principles covering the tort of invasion of privacy have no relevance to insurance contract
interpretations”), rescinded on other grounds, 2008 WL 5069825 (S.D.Ind. Nov. 21, 2008).
80. 2007 WL 3268460 (D.Md. Oct. 26, 2007) (Maryland law).
81. Id. at *1.
82. Id.
83. Id. at *4. The court distinguished Resource Bankshares Corp. v. St. Paul Mercury Ins. Co., 407 F.3d 631 (4th Cir. 2005) on the basis that it was “not
solely the manner of the solicitation that form[ed] the crux of [the claimant]’s complaint; it [wa]s the action that undergirds the message’s content: the
unauthorized accessing of his credit records.” Id.
84. Id. at *5.
85. Id. at *5.
86. 442 F.3d 1239 (10th Cir. 2006) (Kansas law).
87.Id. at 1242.
88.Id. at 1250 (citations omitted).
89. Id. at 1251. Significantly, the court also held that the insurer had a duty to defend under Coverage A because an “unsolicited fax can result in ‘loss of
use of tangible property.’” Id. at 1244; see also Columbia Cas. Co. v. HIAR Holding, L.L.C.,--- S.W.3d ----, 2013 WL 4080770, at *7-8 (Mo. Aug. 13, 2013)
(affirming the trial court’s decision that TCPA allegations triggered Coverage A because there were allegations of lost ink toner, paper, and loss of
use of recipients’ fax machines). Compare American States Ins. Co. v. Capital Assocs. of Jackson County, Inc., 392 F.3d 939, 943 (7th Cir. 2004) (“[T]he
property-damage clause in the policy is no more useful to Capital Associates; junk faxes use up the recipients’ ink and paper, but senders anticipate
that consequence. Senders may be uncertain whether particular faxes violate § 227(b)(1)(C) but all senders know exactly how faxes deplete recipients’
consumables. That activates the policy’s intentional-tort exception (which applies to the property-damage coverage though not the advertisinginjury coverage): it forecloses coverage when the recipient’s loss is ‘expected or intended from the standpoint of the insured.’ Because every junk fax
invades the recipient’s property interest in consumables, this normal outcome is not covered.”).
90. 29 So.3d 1000 (Fla. 2010).
91. Id. at 1002 (quoting Penzer v. Transp. Ins. Co., 545 F.3d 1303, 1312 (11th Cir. 2008)).
92. Id. at 1003.
93. Id.
94. Id. at 1006-07 (citations omitted). The Supreme Court of Florida in Penzer collected cases “holding that similar policy provisions provide coverage
for TCPA violations” and cases “holding that similar policy provisions do not provide coverage.” Penzer, 29 So.3d at 1005 n.5. The court was “more
persuaded by the reasoning in those cases that found coverage by applying a plain meaning analysis.” Id.
95. Id. at 1007 (citations omitted).
96. Id. at 1008.
97. --- S.W.3d ----, 2013 WL 4080770 (Mo. Aug. 13, 2013).
98. Id. at *1.
99.See id.
100. See id. at *2.
101. See id. at *8 (“statutory damages of $500 per occurrence are not damages in the nature of fines or penalties”). See also Standard Mut. Ins. Co. v. Lay,
989 N.E.2d 591, 600 (Ill. 2013) (“We disagree with decisions concluding that the TCPA-prescribed damages of $500 per violation constitute penal or
punitive damages.”).
102. HIAR Holding, 2013 WL 4080770 at *8-9.
103. Id.
104. Id.. at *11.
105. See, e.g., Encore Receivable Mgmt., Inc. v. Ace Prop. and Cas. Ins. Co., 2013 WL 3354571, at *8 (S.D.Ohio July 3, 2013) (Ohio law) (holding that the
“publication” requirement was satisfied in connection with lawsuits alleging that the defendants recorded various telephone conversations without
consent, finding that “the initial dissemination of the conversation constitutes a publication at the very moment that the conversation is disseminated
or transmitted to the recording device” and, therefore, the court did not need to “find that the recordings were disseminated to the public in order
to find publication”); National Fire Ins. Co. of Hartford v. NWM-Oklahoma, LLC, 546 F. Supp. 2d 1238, 1241, 1248 (W.D. Okla. 2008) (Oklahoma law)
(holding that the insurer had a duty to defend a suit alleging that the insured “‘listen[ed] in’ on conversations between [the claimant] and customers
for training purposes,” finding that the “publication” requirement was satisfied because “the [recording] system would function in a way that anyone
in the offices of [the supervisor] or other employees, or anyone near the [recording] … would have had the ability to listen in on the employee and
customer conversations”); Bowyer v. Hi-Lad, Inc., 609 S.E.2d 895, 902, 912 (W.Va. 2004) (upholding coverage for allegations that a hotel employee
“had been subjected to ‘illegal oral surveillance by electronic surveillance apparatus owned and operated by the [appellant]’ in violation of the West
Virginia Wiretapping and Electronic Surveillance Act,” finding nothing in the policy language “indicating that the word publication necessarily means
transmitting the intercepted communications to a third party”); Norfolk & Dedham Mut. Fire Ins. Co. v. Cleary Consultants, Inc., 958 N.E.2d 853, 860
(Mass. App. Ct. 2011) (“the amended complaint explicitly alleges that Adelman ‘invaded [Towers’s] right to privacy and slandered [her] reputation by
circulating his humiliating, vulgar, false, and demeaning statements among co-workers’”).
106. See, e.g., Creative Hospitality Ventures, Inc. v. U.S. Liab. Ins. Co., 444 Fed.Appx. 370, 370-71, 376 (11th Cir. 2011) (Florida law) (CGL insurer had no
duty to defend a class action alleging that the insured violated the he Fair and Accurate Credit Transactions Act (“FACTA”) “by issuing receipts
revealing more than five digits of the consumer’s credit card number or the card’s expiration date” because issuance of a credit card receipt does
not constitute a “publication,” but rather “is a contemporaneous record of a private transaction between [the insured] and the customer” that
was “neither broadcasted nor disseminated … to the general public”) (applying Penzer v. Transp. Ins. Co., 29 So.3d 1000, 1005 (Fla. 2010)); Capital
Assocs., 392 F.3d at 943 (“we hold that an advertising-injury clause of the kind in American States’ policy does not cover the normal consequences
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
of junk advertising faxes”); Whole Enchilada, Inc. v. Travelers Prop. Cas. Co. of America, 581 F.Supp.2d 677, 683, 697 (W.D.Pa. 2008) (Pennsylvania
law) (insurer had no duty to defend a class action alleging that the insured violated FACTA by providing “an electronically printed receipt which
included the expiration date of [the claimant]’s credit or debit card” because the complaint “allege[d] only that the information printed on the
receipt was handed to the class member at the point of sale and [did] not allege that the cardholder’s information was in any way made generally
known, announced publicly, disseminated to the public, or released for distribution” and, therefore, there was no “publication of material that
appropriates a person’s likeness ... or gives unreasonable publicity to a person’s private life” as required by the policy language at issue); Recall Total
Info. Mgmt., 2012 WL 469988, at *6 (no coverage for $2,467,245.10 for notification, call centers and credit monitoring services after “approximately
130 computer data tapes, containing personal information for more than 500,000 IBM employees, were then removed by an unknown person and
never recovered” because “there [wa]s no evidence of communication to a third party”); see also Nationwide Ins. Co. v. Central Laborers’ Pension
Fund, 704 F.3d 522, 524-525 (7th Cir. 2013) (Illinois law) (holding that a homeowner’s policy exclusion for “property … in the care of the ‘insured’” and
separate “business” exclusion each barred defense and indemnity coverage for claims seeking “nearly $200,000 in credit monitoring and insurance
expenses” after a laptop containing a compact disc “containing confidential and protected information, including the names, birth dates, and
Social Security numbers of approximately 30,000 individual[s]” was stolen from an employee’s car).
107. 343 Fed.Appx. 271 (9th Cir. 2009).
108. Netscape, 2007 WL 1288192, at *1 (N.D. Cal. Apr. 27, 2007).
109. Id.
110. Id.
111. Id. at *6 (citations omitted). The phrase “making known to any person or organization” took the place of the phrase “oral or written publication, in
any manner” found in the ISO form.
112. See id.
113. Netscape, 343 Fed.Appx. at 272. See generally Jean-Paul Jaillet, Insurance Coverage For Cyber-Risky Business, Law360 (Feb. 21, 2012), available at
http://www.law360.com/articles/.311174/insurance-coverage-for-cyber-risky-business (last visited Dec. 27, 2012) (discussing recent cases).
114. Netscape, 343 Fed.Appx. at 272. The court in Netscape also found that “[a]lthough the district court correctly determined that the claims were
‘personal injury offenses,’ it erred in how it interpreted the policy exclusion for ‘providing internet access to 3rd parties.’” Id. The policy stated that
“[f]or the purposes of advertising injury and personal injury, all Online Activities are excluded from these coverages,” Netscape, 2007 WL 1288192,
at *2, and defined “Online Activities” as “providing e-mail services, instant messaging services, 3rd party advertising, supplying 3rd party content
and providing internet access to 3rd parties.…” Id. at *3. In particular, the Ninth Circuit found that the “‘[i]nternet access” is commonly equated with
a working [i]nternet connection,” and “[t]he SmartDownload utility does not provide an [i]nternet connection, and, in fact, is useless without one.”
Netscape, 343 Fed.Appx. at 272.
115. Memorandum of Law in Support of the Motion of Sony Corporation of America and Sony Computer Entertainment America LLC for Partial Summary
Judgment Declaring That Zurich and Mitshui Have a Duty to Defend, at 14, 16 (filed May 10, 2013) (hereinafter “Sony Summary Judgment Motion”).
116.The ISO standard form 2001 and later policies contain three exclusions expressly relating to internet activities: (the first of which is an expanded
version of the prior language that simply excluded injury committed “by an insured whose business is advertising, broadcasting, publishing or
telecasting ….”). The standard form states that “[t]his insurance does not apply to”:
j. Insureds In Media And Internet Type Businesses
“Personal and advertising injury” committed by an insured whose business is:
(1) Advertising, broadcasting, publishing or telecasting;
(2) Designing or determining content of web sites for others; or
(3) An Internet search, access, content or service provider.
However, this exclusion does not apply to Paragraphs 14.a., b. and c. of “personal and advertising injury” under the Definitions section.
For the purposes of this exclusion, the placing of frames, borders or links, or advertising, for you or others anywhere on the Internet, is not by itself,
considered the business of advertising, broadcasting, publishing or telecasting.
k. Electronic Chatrooms Or Bulletin Boards
“Personal and advertising injury” arising out of an electronic chatroom or bulletin board the insured hosts, owns, or over which the insured exercises
control.
l. Unauthorized Use Of Another’s Name Or Product
“Personal and advertising injury” arising out of the unauthorized use of another’s name or product in your e-mail address, domain name or metatag,
or any other similar tactics to mislead another’s potential customers.
ISO Form CG 00 01 10 01 (2000), Section I, Coverage B, §§2.j., 2.k., and 2.l.
117.The 2007 standard form states that “[t]his insurance does not apply to”:
p. Distribution Of Material In Violation Of Statutes
“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:
(1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; or
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or
(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting,
communicating or distribution of material or information.
Id., Section I, Coverage B, §2.p.
118. ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §2.p.
119. Id.
120. For example, Nationwide Mutual Fire Insurance Company raised this exclusion in connection with claims alleging that its insured, First Citizens Bank,
allowed a janitor to access bank customers’ confidential information by keeping file cabinets containing the information in the same closet where it
stored janitorial supplies. See Nationwide Mutual Fire Ins. Co. v. First Citizens Bank and Trust Co. Inc., et al., No. 4:13cv598 (D.S.C.), Complaint ¶¶23,
55 (filed Mar. 6, 2013).
In addition, Hartford Fire Insurance Company raised this exclusion in connection with class action litigation alleging that its insured, Crate & Barrel,
violated the California Song-Beverly Act by intentionally requesting and recording customers’ zip code information during credit card transactions. See
Hartford Fire Ins. Co. v. Euromarket Designs, Inc., No. 1:11-cv-03008 (N.D. Ill.), Complaint ¶¶9, 35 (filed May 5, 2011) (“To the extent that the Campbell,
Salmonson. Heon. and Dardarian complaints allege claims for ‘personal and advertising injury,’ the complaints claim relief based on violations of
the Song-Beverly Act, a statute that prohibits and/or limits the recording, transmission, communication and/or distribution of personal information.
Accordingly, the complaints fall within the Violation of Statutes Exclusion.”). Hartford also raised an exclusion for “[p]ersonal and advertising injury”
arising out of the violation of a person’s right of privacy created by any state or federal act.” Id. at ¶8. The last docket entry indicates that the parties
reached a global settlement and the case is dismissed. Docket minute entry # 57 (July 17, 2012).
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
121. See note 116, supra.
122. Sony Summary Judgment Motion, supra note 115, at 14, 19 (“In prior proceedings before this court, Zurich and Mitsui have argued that coverage for
the Data Privacy Litigation is barred by the Internet Business Exclusion. This provision excludes coverage for ‘an insured whose business is [among
other things] ... (3) An Internet search, access, content or service provider.’”).
123. See CG 24 13 04 13 (2012) (“With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not
apply”).
124. CG 21 060514 (2013).
125. ISO Commercial Lines Forms Filing CL-2013-0DBFR, at p. 8.
126. Id. at p. 3.
127. 2013 WL 3354571 (S.D.Ohio July 3, 2013) (Ohio law).
128.One action alleged than the defendant “operated a call center, and that [its] employees allegedly recorded various telephone conversations
between Hyundai customers and … customer service representatives without obtaining the customers’ consent, and that these recordings were then
distributed internally … for training and quality control purposes.” Id. at *1. The other action similarly alleged that the defendant “operated a call
center and allegedly recorded various telephone conversations between Hyundai customers and Hyundai customer service representatives without
obtaining the customers’ consent.” Id.
129. The exclusion in the primary policies stated that “[t]his insurance does not apply to ‘Personal and advertising injury’ arising directly or indirectly out of
any action or omission that violates or is alleged to violate ... [a]ny federal, state or local statute, ordinance or regulation [other than certain irrelevant
exceptions] that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or
distribution of material or information.” Id. at *4.
130.Id. at *2.
131. Id. at *1.
132. The excess policies included a different exclusion for “liabilities arising out of communications ‘in which the recipient has not specifically requested
the communication’ and ‘to communications which are made or allegedly made in violation of ... [a]ny statute, ordinance or regulation, other than the
TCPA or CAN–Spam Act of 2003, which prohibits or limits the sending, transmitting, communicating or distribution of material or information.’” Id.
at *4.
133. Id. at *2.
134. Id. at *8.
135. Id.
136.Id. The court also found inapplicable the “prior publication,” “professional services,” “contractual liability” and “criminal act” exclusions.
137.Id. at *13.
138. ISO Form CG 00 01 04 13 (2012), Section V, §14.g.
139. The current ISO form states that “[t]his insurance does not apply to”:
l. Unauthorized Use Of Another’s Name Or Product
“Personal and advertising injury” arising out of the unauthorized use of another’s name or product in your e-mail address, domain name or metatag,
or any other similar tactics tomislead another’s potential customers.
CG 24 13 04 13 (2012), Section I, Coverage B, §2.l. Insurers also typically raise the “knowing violation of rights” exclusion:
a. Knowing Violation Of Rights Of Another
“Personal and advertising injury” caused by or at the direction of the insured with the knowledge that the act would violate the rights of another and
would inflict “personal and advertising injury.”
CG 24 13 04 13 (2012), Section I, Coverage B, §2.a.
140. 506 Fed.Appx. 970 (11th Cir. 2013) (Florida law).
141. See id. at 972.
142. Id. at 973.
143. See id.
144. See id.
145. Id. at 974.
146. Id.
147. Id. at 976.
148. Id.
149. Id.
150. Id. at 978.
151. Id. at 978-79. Compare CollegeSource, Inc. v. Travelers Indem. Co. of Connecticut, 507 Fed.Appx. 718, 720 (9th Cir. 2013.) (“The only reasonable
reading of the complaint’s allegation (that CollegeSource used AcademyOne’s domain name in its own domain name in a way likely to cause
confusion in the marketplace) is that it claims injury from an activity that (1) is “similar to” the unauthorized use of another’s name or product in one’s
domain name, and (2) would mislead customers.”).
152. ISO Form CG 00 01 07 98 (1997), Section V, §1.
153. ISO Form CG 00 01 10 01 (2000), Section V, §1.
154. ISO Form CG 00 01 01 96 (1994), Section V, §1. The coverage agreement in the 1996 and prior forms states that the insured “will pay those sums
that the insured becomes legally obligated to pay as damages because of … ‘advertising injury’ …caused by an offense committed in the course
of advertising your goods, products or services.” Id., Section I, Covergae B §1. Prior to 1986, this coverage was offered under a “Broad Form
Endorsement” that defined “advertising injury” as “injury arising out of an offense committed during the policy period occurring in the course of the
named insured’s advertising activities, if such injury arises out of libel, slander, defamation, violation of right of privacy, piracy, unfair competition, or
infringement of copyright, title or slogan.”
155. Compare Sentex Sys., Inc. v. Hartford Acc. & Indem. Co., 93 F.3d 578 (9th Cir. 1998) (“Hartford’s principal contention is that the district court erred
… because ‘advertising injury,’ defined in part in the policy as arising out of the ‘misappropriation of advertising ideas,”‘ includes only alleged
wrongdoing that involves the text, words, or form of an advertisement. This policy’s language … does not limit itself to the misappropriation
of an actual advertising text. It is concerned with ‘ideas,’ a broader term.”) and Liberty Corporate Capital Ltd. v. Security Safe Outlet, Inc., --F.Supp.2d ----, 2013 WL 1311231, at *12 (E.D.Ky. Mar. 27, 2013) (Kentucky law) (finding that “email ‘blasts’ would appear to constitute a notice that is
broadcast to a specific market segment about [the insured]’s goods, products or services for the purpose of attracting customers, and, accordingly,
potentially fall within the Policy’s definition of an ‘advertisement,’” but ruling that, although the plaintiff’s “claim for misappropriation of trade secrets
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
[wa]s potentially covered as a ‘personal or advertising injury’ under the Policy,” a policy breach of contract exclusion precluded coverage) with Oglio
Entm’t Group, Inc. v. Hartford Cas. Ins. Co., 132 Cal.Rptr.3d 754, 763 and n.7 (Cal. Ct. App. 2011) (“There is no description of any advertisement used
by [the insured], or any allegation that [the insured] used an advertisement that copied an advertisement or advertising idea of [the claimant]. This
is especially clear, given that the policy defines advertisement as the widespread dissemination of information or images with the purpose of selling
a product[.] … Under earlier Hartford policy language that provided coverage for ‘misappropriation of advertising ideas or style of doing business,’
and which did not define ‘advertising,’ [the claimant] might have had a better argument.”) and Union Pump Co. v. Centrifugal Tech., Inc., 2009 WL
3015076, at **6-7 (W.D.La. Sept. 18, 2009) (Louisiana law) (finding no coverage for claims alleging “the unauthorized and wrongful use, and ultimately,
the destruction of its design drawings, autocad drawings, and pump models” where the policy defined “advertisement” where the court found that
“no evidence was presented during the course of the trial that [the insureds] directly engaged in any act that would be consistent with advertisement”
and “even if the Defendants had engaged in advertisement, such advertisement would fall within the exclusion contained in the policy [for “injuries
caused by the insured with knowledge that the act would violate the rights of another”]”).
Importantly, courts have found that even patent infringement may be covered if the patented concept is an advertising method. See, e.g., DISH
Network Corp. v. Arch Specialty Insurance Co., 659 F.3d 1010, 1022 (10th Cir. 2011) (Colorado law) (holding that the insurer had a duty to defend
claims alleging that the insured had infringed one or more claims in each of 23 patents by “making, using, offering to sell, and/or selling…automated
telephone systems, including without limitation the DISH Network customer service telephone system, that allow [DISH’s] customers to perform
pay-per-view ordering and customer service functions over the telephone” because the complaint “allege[d] that Dish misappropriated a product:
it allegedly used, made, sold, or offered for sale a telephone system patented by RAKTL” and “may be read to allege actions that misappropriated
patented advertising ideas, insofar as the product at issue was designed expressly for product promotion and dissemination of advertising
information”); Hyundai Motor Am. v. Nat’l Union Fire Ins. Co., 600 F.3d 1092, 1100-03 (9th Cir. 2010) (California law) (holding that the insurer had a duty
to defend claims alleging patent infringement resulting from certain features on its website, including a “build your own vehicle” (“BYO”) feature
and a parts catalogue feature” because the underlying claims alleged a “misappropriation of advertising ideas” because they “allege[d] violation of
a method patent involving advertising ideas” and “there [wa]s a direct causal connection between the advertisement (i.e., the use of the BYO feature
on the website) and the advertising injury (i.e., the patent infringement)”).
About the Author
Roberta D. Anderson is a partner in the Pittsburgh office of K&L Gates LLP, a law firm that regularly represents
policyholders in insurance coverage disputes. The opinions expressed in this article are those of the author, and should
not be construed as necessarily reflecting the views of her law firm, or the firm’s clients, or as an endorsement by the law
firm or the law firm’s clients of any legal position described herein. Ms. Anderson can be reached at Roberta.Anderson@
klgates.com.
This article was published in the February 2014 Insurance Coverage Law Report.
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com
For more information, or to begin your free trial:
• Call: 1-800-543-0874
• Email: customerservice@SummitProNets.com
• Online: www.fcandslegal.com
FC&S Legal guarantees you instant access to the most authoritative and comprehensive
insurance coverage law information available today.
This powerful, up-to-the-minute online resource enables you to stay apprised
of the latest developments through your desktop, laptop, tablet, or smart phone
—whenever and wherever you need it.
NOTE: The content posted to this account from FC&S Legal: The Insurance Coverage Law Information Center is current to the date of its initial
publication. There may have been further developments of the issues discussed since the original publication.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding
that the publisher is not engaged in rendering legal, accounting or other professional service. If legal advice is required, the services of a competent
professional person should be sought.
Copyright © 2014 The National Underwriter Company. All Rights Reserved.
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com