The Role of Commercial General Liability and Cyber Risk Insurance Policies in Mitigating Against the Risk of Data Privacy Breaches
By Rebecca N. Shwayri, Carlton Fields
Companies, organizations, and individuals throughout the world reap significant benefits of having access to the internet. Since the 1990s, the cyberworld has continued to develop and open up a plethora of new businesses and markets for consumer goods and services. The advent of these new opportunities has created new types of security risks that were not present before. While companies may have worried about security in the traditional brick-and-mortar sense, the internet gives criminals an entirely new way to commit fraud on a company and its customers. Cybercrime now ranks as one of the top four economic crimes in the world.1
One in ten companies that were the victim of cybercrime suffered losses in excess of $5 million for the incident.2 In 2010, computer hackers were able to access approximately 16 million confidential records through more than 662 security breaches.3 Sony Computer Networks is facing a series of class action lawsuits due to the breach of its PlayStation Network in which hackers were able to obtain personal information on more than 100 million subscribers.4
The patchwork quilt of state and federal privacy laws creates additional sources of liability for businesses where a business may inadvertently disclose personal information of a consumer in violation of the law. Clearly, cybercrime, data security breaches, and privacy law violations pose significant risks to companies in terms of class action lawsuits, lost revenue, and loss of reputation.
Many companies may believe that they have protection for data security and privacy breaches through their Commercial General Liability (CGL) Policies. In some circumstances, courts have found that a CGL policy may provide coverage for a data security or privacy breach. However, other courts have reached an opposite conclusion. This article will analyze the circumstances in which a CGL policy may provide coverage for a breach. These circumstances are dependent upon the specific language of the policy and the state law at issue in the case. Given some of the grey areas that are often presented by an interpretive analysis of a CGL, it is often wise for a company facing a potential data breach to consider purchasing cyber risk insurance coverage to protect the company from large losses. This article will also consider the propriety of cyber risk insurance for large scale breaches.
Coverage Options Under a CGL Policy
Companies seeking coverage for data security or privacy breaches under CGL policies will attempt to pursue coverage under either the “personal and advertising injury” provision or the “property damage” provision of the policy. Coverage for a “personal injury” typically includes insurance coverage for publishing material that violates an individual’s right to privacy.5 “Advertising injury” refers to those injuries arising out of an oral or written publication that violates an individual’s right to privacy.6 CGL policies also provide coverage for “property damage” which is typically defined as the loss of use of tangible property that is not physically injured.7
Coverage for Data Breaches Under the “Personal and Advertising Injury” Provision
The language contained within the policy and the interpretive analysis conducted by the court under state law will often impact whether the policy provides coverage for a data security or privacy breach. With respect to the “personal and advertising injury” provision of an insurance policy, courts differ on whether data privacy breaches are covered by the CGL. In Netscape Communications Corp. v. Federal Insurance Co., the U.S. Court of Appeals for the Ninth Circuit determined that the insurance policy covered complaints alleging that AOL had intercepted and internally disseminated private online communications.8 The court concluded that “the claims against AOL were ‘personal injury offenses’ and within the policy’s coverage.”9 While the claims against AOL were not traditional breach of privacy claims, the appellate court reasoned that coverage provisions should be broadly construed. Notably, the appellate court found that publication to a third party was not necessary where the policy covered claims made to “any” person or organization.
The Netscape decision demonstrates how a broader interpretation of the term “publication” combined with broad policy language can result in coverage for a data privacy breach. Similarly, in Zurich American Insurance Co. v. Fieldstone Mortgage Co., the U.S. District Court for the District of Maryland found that illicit access to a consumer credit report that was sent to the consumer was covered under a CGL policy where the policy provided coverage for “publication, in any manner … violat[ing] a person’s right of privacy.”10 Because the policy failed to define “publication,” the court gave the word its “customary, ordinary and accepted meaning.”11 Employing the dictionary definition, the court stated that publication included the “printing and mailing of written solicitations.”12 Despite the insurer’s contrary assertions, the district court found that the majority of case law assessing “publication” in the advertising-injury context indicated that “publication need not be to a third party.”13 Thus, a “publication” could be found even where the complainant was sent his own information because the term “any manner” necessarily included sending the complainant his own information.
Netscape and Zurich hinged on broad interpretations of broad definitions of the term “publication” in the CGL policies. Contrary to Netscape and Zurich, in Creative Hospitality Ventures Inc. v. United States Liability Insurance Company, the U.S. Court of Appeals for the Eleventh Circuit applied a narrower interpretation to the term “publication” in finding that the CGL policy did not provide coverage.14 In that case, the Eleventh Circuit considered whether printing the expiration date and last five digits of a customer’s credit card on a customer’s receipt constituted a “publication” covered under the personal and advertising injury provision of the insured’s CGL policy, when the insured printed this information in an allegedly willful or negligent violation of the Fair and Accurate Credit Transactions Act.
The Eleventh Circuit found that receipts that do not publicly broadcast or disseminate credit card information, and instead only provide the information to the transaction-initiating customer, did not constitute “publication” under the insured’s personal and advertising injury CGL provision. Florida law has adopted the plain meaning of publication: “‘communication (as of news or information) to the public: public announcement’ … ‘to place before the public (as through a mass medium): DISSEMINATE.’”15 The appellate court reasoned that because the business did not publicly disseminate the customer’s information contained on the receipt, the business did not truly publish the information as per the policy’s meaning of “publication.” Therefore, the underlying class action complaint against the businesses did not fall within the CGL policy’s personal and advertising injury provision.
Furthermore, the Eleventh Circuit also found that the phrase “in any manner” does not change the meaning of “publication” or make it ambiguous. Rather, the phrase merely expands the policy’s publication categories (e.g., email, handwritten letters, and possibly blast-faxes). Thus, the appellate court rejected the plaintiffs’ assertion that “publication, in any manner,” is an ambiguous phrase that should be interpreted in their favor.
The Creative Hospitality decision offers an interpretation of “publication, in any manner” that differs from the Zurich decision. The U.S. District Court for the District of Maryland held in Zurich that publication “in any manner” expanded the publication definition so that third party dissemination was not required. In contrast, the Eleventh Circuit in Creative Hospitality held that “in any manner” modified the types of publication covered (email, handwritten letters, etc.). Given the fact that courts can reach different results even where the policy language is similar, businesses considering using only the CGL policy to cover a privacy breach may need to carefully consider the language of the policy and the applicable state law.
Coverage for Data Breaches Under the “Property Damage” Provision
While the “personal and advertising injury” provision within the CGL provides coverage for oral or written publications that violate a person’s privacy rights, the “property damage” provision is intended to protect against the loss of tangible property. While harm to computer software and performance issues may appear to be intangible, some courts have found that damage to software, data, and computer performance more generally is covered under the CGL. In Eyeblaster Inc. v. Federal Insurance Co., the U.S. Court of Appeals for the Eighth Circuit concluded that the underlying complaint for loss of computer use fell within the scope of the CGL policy’s property-damage provision under the policy’s second definition of property damage: “loss of use of tangible property that is not physically injured.”16 The claimant alleged his computer, software, and data were damaged after he visited the insured’s website.17 The insurer’s failure to define “tangible property” led the appellate court to apply the term’s plain meaning, which the court held to include computers.18 Additionally, the underlying complaint repeatedly alleged the complainant’s loss of use of his computer.19 The appellate court held that computer freezes, pop-up ads, hijacked browsers, random error messages, slowed performance and crashes, and ads based on past internet surfing habits constituted property damage sufficient for coverage under the CGL policy.20
In contrast to Eyeblaster, in America Online Inc. v. St. Paul Mercury Insurance Co., the U.S. Court of Appeals for the Fourth Circuit concluded that the CGL policy did not cover computer data loss under the property damage provision.21 The appellate court disagreed with AOL’s argument that computer data loss, as alleged by the underlying class action, constituted tangible and physical property damage.22 Applying Virginia law, the court gave “tangible” its ordinary meaning: “capable of being touched: able to be perceived as materially existent esp. by the sense of touch: palpable, tactile.”23 Similarly, the court defined tangible property as “having physical substance apparent to the senses.”24 Thus, “physical damage” would require a physical scar or scratch that prohibits the hard drive—the physical property—from properly recording data and information.
Despite how data corruption may alter the data’s physical arrangement on the hard drive, data loss and damage do not affect the hard drive’s physical capabilities or properties.25 In explaining that data are not tangible property, the appellate court compared software corruption of a hard drive with losing the combination to a combination lock.26 When this information is lost, the lock becomes useless, but it is not physically damaged.27 Retrieving the combination makes the lock useful once again.28 Similarly, when software corrupts a hard drive, the computer becomes useless until the software is reconfigured.29 But there is no physical damage to the machine.30 Thus, “[i]t is not damage to the physical components of the computer or lock, i.e., to those components that have ‘physical substance apparent to the senses.’”31 Therefore, data loss and damage—alleged ubiquitously in the class action’s complaint—did not constitute damage to physical property. Following this assessment, the appellate court concluded that AOL’s property-damage policy did not provide AOL with coverage for the underlying complainants’ class-action suit.32
The existence of coverage under the property damage provision of the CGL in Eyeblaster and AOL hinged on whether the court characterized the damage as physical damage to a computer or simply data loss. In Eyeblaster, the court found that the performance-related losses that affected computer use constituted tangible losses. In AOL, the court was addressing mere data loss which the court found did not fall under the CGL policy.
Cyber Risk Insurance Coverage
The case law demonstrates that coverage for data security and privacy breaches is a highly specific question involving state law considerations and the language of the CGL policy. While there may be circumstances in which a CGL policy could cover a data security breach, it is certainly as plausible for a court to find that the breach is not covered by the CGL policy. Given some of the uncertainty presented by CGL policies, it may be worthwhile for companies facing significant data breaches to consider purchasing cyber risk insurance coverage to supplement their CGL coverage. Cyber risk insurance policies are designed to address the problem of information risk.
Cyber risk insurance policies can vary in the type of coverage provided. For example, some policies are designed to provide liability protection while other policies may cover first-party coverage for property damage, data theft, and other electronic losses.33 Cyber risk insurance policies may also provide coverage for costs incurred to notify the affected individuals of a data breach, credit monitoring for customers, costs of defense in litigation, and fines.34 In addition, some cyber risk insurance policies may cover costs related to hiring a forensics examiner, public relations costs, and even the costs incurred in setting up a call center. In an era when there is some uncertainty as to whether a CGL policy will cover the losses associated with a security breach, companies facing the prospect of significant damages as a result of such breaches should weigh the costs and benefits of cyber risk insurance and, if appropriate, select a policy that prioritizes their coverage needs against the risks of the cyberworld.
Rebecca N. Shwayri is a business litigator, information technology lawyer, and privacy attorney at Carlton Fields in Tampa, Fla. Shwayri has experience litigating complex commercial litigation and contract cases, e-discovery issues, and data privacy and security issues under state and federal law. Shwayri is a first responder to data privacy breaches and advises clients on the steps to take to minimize risks and liabilities after a data privacy breach. She can be reached at firstname.lastname@example.org.
© 2012 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.