I have several times discussed the need for cyber insurance that will actually cover reasonable claims; a need that still seems to exist. The case of Hub Parking Technology USA v. Illinois National Insurance Company (https://www.law360.com/articles/1170778/parking-tech-co-says-aig-must-defend-it-in-privacy-row) that was brought in Pennsylvania District Court in June of this year illustrates this problem. Hub bought security and privacy insurance that was intended to cover security breaches and disclosure of personal data in violation of privacy rules. Hub was then sued in underlying litigation for printing parking receipts at the Cleveland Airport that showed eight digits of credit card numbers instead of the standard last four digits permitted under various state statutes and case law. When Hub submitted the claim to its cyber insurer, the cyber insurer rejected the claim based on its conclusion that there had been no loss of privacy or security information, as well as on several exclusions, such as those for contractually assumed liability and intentional acts. Although the insurer may have had a legitimate complaint that there really was no damage from this alleged violation (and the plaintiffs had not alleged that anyone suffered actual damage or identity theft arising from the parking receipts at issue; they rather relied on an FTC study showing that similar incidents have caused actual damage, so that the potential for damage existed), that should not have prevented the insurer from providing at least a defense.
But instead of defending Hub, the insurer drafted two denial letters setting forth the weak excuses that the underlying complaints contained no allegations of a security breach or a loss of privacy, based on the lack of custody by Hub of the data and of direct complaints from the consumers (Hub was brought into the pending consumer class action against the parking company, SP, through a third-party complaint by SP against Hub, the provider of the receipts at issue). Any reader of the complaints could easily have concluded that they alleged both a breach of the security of the credit card numbers and a loss of privacy and confidential data on the part of customers whose cards had eight numbers exposed. But rather than applying this common-sense reading and simply honoring the policies it had issued by providing a defense because the complaints alleged potentially covered conduct, the insurer crafted a series of hyper-technical excuses including, as mentioned above, the contract and intentional act exclusions.
This insurer conduct again highlights the need for cyber policies—and cyber insurers—that actually pay when there is a cyber breach. According to the pleadings and allegations in the third-party complaint against Hub, Hub did not intentionally fail to comply with the rules about credit card receipts; it simply forgot and failed to execute on meeting the requirement in its contract. That is what companies buy insurance for: an accidental failure to do something. Of course, the class-action complaint alleged intentional misconduct, but Hub’s notice denied intentional wrongdoing and alleged that the failure had been negligent at best; moreover, SP’s third-party complaint against Hub alleged negligent violations of the contract between SP and Hub. Under those circumstances, this appears to be a basic case where at least the duty to defend is obvious, but the insurer nonetheless tried to avoid providing the required defense.
Real cyber insurance is needed to cover the numerous instances where lawsuits occur even though no one suffers any monetary harm. A recent lawsuit filed against the University of Chicago for cooperating in a research project using deidentified medical data to seek a cure for cancer (https://www.nytimes.com/2019/06/26/technology/google-university-chicago-data-sharing-lawsuit.html) also illustrates the baseless nature of many of these cases, which still have to be defended by insureds—and hence by their insurers who have a duty to defend. The GDPR fines of 185M pounds imposed on British Airways (https://www.nytimes.com/2019/07/08/business/british-airways-data-breach-fine.html?register=email&auth=register-email) and of over 200m pounds imposed on Marriott Intl. (https://www.wsj.com/articles/marriott-faces-123-million-fine-over-starwood-data-breach-11562682484), even though no one suffered any monetary harm from the hacking, also demonstrate that policyholders can be subject to significant fines even when there is no actual monetary damage. Similarly, Equifax has recently announced that it is subject to a fine of $650m for its data breach even though, according to the NYT, security experts cannot point to any actual fraud against Equifax customers or to the appearance of customer data on sites where such data is normally traded (https://www.nytimes.com/2019/07/22/business/equifax-settlement.html). Many cyber policies exclude fines by governmental agencies, and insureds should seek coverage for this type of regulatory activity, which seems inevitable. Insurance against the new spate of biometric and location data lawsuits would also seem necessary.
The recent announcement by Lloyd’s that its members need to clarify whether policies cover cyber incursions shows the need for clarity in cyber insurance policies. Lloyd’s apparently fears that vague CGL and property policies might be construed to cover cyber losses and encourages a simple explanation of what is covered. It might be equally smart for Lloyd’s to clarify what is covered by cyber policies so that insureds can buy policies that will cover likely breaches. Doing so should help the insureds as much as would a certified set of software protections against cyber incursions that would, as discussed in a previous blog, improve the certainty of coverage, as contemplated by the Cyber Catalyst project.
So far these policies seem more illusion than actual coverage.