PART II of II A Policyholder’s Guide to Insurance Coverage for “Cyber” Events
By Micah Skidmore, Haynes and Boone LLP
III. “Traditional” Coverage as an Alternative to a Dedicated “Cyber” Policy
Insurance policies are as varied as the risks they address, from ordinary commercial general liability coverage to more exotic coverages such as political risk insurance or warranty and indemnity contracts. However, with respect to the risks commonly associated with a “cyber event,” three traditional coverage types are relevant: liability insurance, property insurance, and crime/fidelity insurance.
As it relates to “cyber” claims, liability coverage may include not only general liability coverage, but directors and officers (D&O) liability or professional liability/errors and omissions (E&O) coverage. Commercial general liability (CGL) insurance typically contains two principal coverage parts, A and B. Coverage A insures sums that the insureds become legally obligated to pay as damages because of “bodily injury” or “property damage” caused by an “occurrence” during the policy period. Coverage B typically insures sums that the insureds become legally obligated to pay as damages because of “personal and advertising injury” caused by various enumerated “offenses” committed during the policy period, including: false arrest or imprisonment; malicious prosecution; wrongful eviction; slander; libel; business disparagement; publication that violates a person’s right of privacy; use of another’s advertising idea in an advertisement; or infringing on another’s copyright, trade dress, or slogan. Both Coverage A and Coverage B usually also provide the insurer with the right and duty to defend suits seeking covered damages.
Because either “bodily injury” or “property damage” is required to trigger Coverage A, claims involving “cyber” related damages have historically prompted disputes over whether the insured’s liability arises out of “property damage,” which is defined as “physical injury to tangible property” and “loss of use of tangible property that is not physically injured.” Those courts finding coverage for “cyber” related liability under Coverage A, usually in cases involving data loss or business interruption, have typically done so by tying the insured’s liability to some piece of tangible property, for example, finding that the insured was responsible for causing the loss of use of some physical computer component or data storage medium.1 Those courts that have refused coverage for “cyber” related damages under Coverage A have focused instead on the absence of any physical injury to tangible property from the mere loss of data.2
In 2001, the standard Insurance Services Office Inc. (ISO) CGL form was revised to clarify that “electronic data is not tangible property.” In 2004, the standard ISO CGL form was revised again to include an “electronic data” exclusion applying under Coverage A to “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data,” such as, “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.”3 Therefore, for “occurrences” of “property damage” taking place since 2004, those insured under the standard CGL form may not have general liability coverage under Coverage A for suits involving loss or damage to data alone. However, to the extent that a third-party “cyber” claim may allege loss of use of, or even damage to, hardware or other computer equipment, as opposed to “data,” policyholders and parties generally should be sensitive to the requirement of “physical injury” or “loss of use of tangible property” in characterizing a “cyber” event or other occurrence. This holds true whether circumstances require investigating a loss, making an insurance claim, or pursuing liability claims against a third party.
Under Coverage B, instead of “bodily injury” or “property damage,” “personal and advertising injury” is required to trigger coverage. “Personal and advertising injury” is generally defined under the current ISO CGL form to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” For those policyholders involved in a data breach that results in the “publication” or disclosure of customers’, employees’, or other parties’ private, personally identifiable information, Coverage B may apply.4 Although, under the 2001 ISO CGL form, and in forms promulgated since then, coverage does not apply to “personal and advertising injury” committed by an insured whose business is (1) advertising, broadcasting, publishing, or telecasting; (2) designing or determining content of websites for others; or (3) an internet search, access, content, or service provider. Moreover, a separate, long-standing exclusion applies to “personal and advertising injury” arising out of oral or written publication of material whose first publication took place before the beginning of the policy period. Nevertheless, again, whether pursuing coverage or third-party claims, individuals and businesses should be aware of the coverage afforded for certain privacy violations under Coverage B, including the “publication” of personally identifiable information (PII), within many ordinary general liability insurance policies.
To the extent that coverage is not afforded under either Coverage A or Coverage B of a traditional general liability insurance policy, when faced with a “cyber” liability claim, insureds should also review and consider the potential coverage available under D&O and E&O policies. D&O insurance generally provides coverage for loss resulting from claims first made during the policy period for covered wrongful acts. Although, for public companies, “D&O” coverage for the insured organization’s liability (as opposed to reimbursement of indemnification paid to individual insureds) is limited to “securities claims.” For nonpublic companies, however, D&O coverage may provide a source of recovery for some “cyber” related liability. At a minimum, to the extent that a “cyber” breach event results in follow-on litigation, including shareholder derivative litigation against insured officers or directors, D&O coverage would ordinarily respond to such claims. Likewise, E&O coverage generally insures the covered organization and insured persons against loss resulting from a claim first made during the policy period for covered wrongful acts committed in rendering or failing to render defined professional services. So long as the “cyber” liability at issue has the appropriate nexus with the insured(s)’ professional services, E&O coverage may provide another alternative avenue for policyholders facing “cyber” related claims.
Commercial Property Insurance
Commercial property insurance generally comes in two varieties—“all risk” and “named peril” insurance. “All risk” policies will cover the insured against “all risks” of “direct physical loss or damage” to covered property occurring during the policy period. “Named peril” coverage also insures against “direct physical loss or damage” to insured property, but only if caused by specific enumerated hazards, such as fire, theft, and hail. Whether denominated as an “all risk” or “named peril” policy, the benefit of commercial property coverage to an insured involved in a cyber breach depends on the insured’s ability to demonstrate “direct physical loss or damage.”
Historically, the circumstances that may constitute “direct physical loss or damage” are quite broad. For example, otherwise “undamaged” property may nonetheless be covered when rendered useless by contamination or even proximity to other damage.5 In the context of “cyber” related loss, coverage depends on the insured’s ability to demonstrate loss of a tangible, physical object, such as computer or other piece of hardware,6 as opposed to the loss of intangible information.7 In some cases, a “cyber” breach may result in actual destruction of physical property.8 More commonly, however, insureds seeking to recover lost profits from a service interruption may need to demonstrate, not only a loss of data, but an externally caused loss of use of tangible hardware.
Crime or fidelity coverage refers to the body of insurance that protects insured organizations against direct loss from theft of money, securities, and other “tangible” property, including employee theft of the employer’s or a client’s property. Such policies often expressly make allowance for: (1) loss of covered property from “computer fraud,” for example, the transfer of money, securities or other tangible property from the insured’s premises to an outside person or place; and (2) costs incurred to restore or replace certain data or programs, which have become lost because of a virus or vandalism.
While crime and fidelity insurance usually excludes coverage for the loss of intellectual property and there may not be coverage for the theft of PII or other intangible data from a “cyber” attack,9 policyholders faced with a “cyber” breach should not overlook the potential for recovery under such policies. For example, even some quasi third-party liabilities directly resulting from the theft of customer information may be insured under a crime policy.10 But, to the extent that crime/fidelity coverage is triggered upon the insured’s discovery of the subject loss, in order to take advantage of the coverage available, insureds should be vigilant in providing notice as required by the policy’s terms.11
Part I of this article was published in the BNA Insights section of last week’s issue of the Privacy & Security Law Report (12 PVLR 1475, 9/2/13).
Micah E. Skidmore is a partner in the Insurance Coverage Group at Haynes and Boone LLP. Skidmore represents corporate policyholders in significant insurance coverage disputes, including assistance in recovering defense costs, settlements, judgments, and other losses under various types of insurance policies. In addition to representing clients in general business litigation matters, Skidmore also advises clients oninsurance and indemnity issues in corporate transactions, including mergers, acquisitions, and real estate transactions.
©2013 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.