The consequences of a data breach can be far-reaching. While the initial issues in the wake of a breach often involve investigation into the cause of the breach and sending notification to those affected (both of which are covered by most cyber insurance policies), coverage for certain types of third-party claims stemming from cyber breaches may be available under Commercial General Liability (“CGL”) insurance policies.
CGL insurance policies provide coverage for claims of “Bodily Injury,” “Property Damage,” and “Personal and Advertising Injury.” Bodily Injury and Property Damage claims are covered under Coverage A of CGL policies, while Personal and Advertising Injury claims are covered under Coverage B. This blog post briefly summarizes the major issues policyholders encounter when seeking coverage for Personal and Advertising Injury (Coverage B) under CGL policies that arise out of a cyber incident.
With respect to Coverage B, the 2012 standard ISO form CGL policy language provides coverage for “those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury’ to which this insurance applies . . . [and] is caused by an offense arising out of your business[.]” Covg. B §§ 1(a)-(b). The policy defines “personal and advertising injury,” in relevant part, as “injury, including consequential ‘bodily injury’, arising out of one or more of the following offenses . . . e. Oral or written publication, in any manner, of material that violates a person’s right of privacy . . . .”
Following a cyber breach, third parties often assert claims for violations of their right to privacy, which should be covered under subsection E of the “personal and advertising injury” definition of a CGL policy. However, insurers frequently argue that a cyber breach resulting in the access of someone’s personal information falls outside the scope of coverage because no “publication” occurred. Carriers typically focus on two main issues to defeat coverage: (1) whether there has been widespread disclosure of the personal information and (2) whether the claim requires that the insured actually publish the personal information (instead of merely preventing the publishing of the information). Caselaw in this area is scant.
A frequently-cited case on this issue is Zurich American Insurance Co. v. Sony Corp. of America, No. 651982/2011, 2014 WL 8382554 (N.Y. Sup. Feb. 21, 2014). There, the New York Supreme Court considered whether class action suits for damages stemming from the Sony Playstation data breach were covered under Coverage B of Sony’s CGL policy. The court held that there was a “publication” of information when the hack occurred. However, the court also determined that the CGL policy required the policyholder to publish the information. Because the hackers were the publishers of the personal information, the court determined that no coverage existed under Coverage B of the CGL policy. Sony appealed, but the case settled before the appellate court issued its decision.
In a more recent case, Innovak International, Inc. v. Hanover Insurance Co., 280 F. Supp. 3d 1340 (M.D. Fla. 2017), the District Court for the Middle District of Florida held that claims stemming from a data breach did not fall within the CGL policy’s definition of “personal and advertising injury” because there was no publication of data. There, the insurer argued that that no publication occurred because the personal information was not publicly disseminated and that, alternatively, the insured did not publish any of the information stolen in the data breach. Analyzing the policy under South Carolina law, the court found that the policy required publication by the insured for coverage to apply.
As a final note, some CGL policies contain exclusions for claims under the Personal and Advertising Injury coverage that “aris[e] out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” See ISO Form CG 21 06 05 14. If your policy has this exclusion, request that it be removed.
While the body of caselaw on the application of Personal and Advertising Injury coverage to cyber claims is still developing, it is clear that coverage will hinge on the specific facts of each case. Ensuring that your company has broad cyber coverage for third-party claims arising from cyber breaches is vital, as is evaluating your CGL and cyber coverages in conjunction with each other to ensure that no gaps exist.