
Why Buy Cyber and Privacy Liability When You Have a Perfectly Good Commercial General Liability Program?

July 2014 • Lockton® Companies


ROBERTA D. ANDERSON
Insurance Coverage and Cyber Law and Cyber Security Partner
K&L Gates LLP

MICHAL GNATEK
Vice President, Aerospace & Defense
202.414.2662
[email protected]

Cyber and Privacy Liability insurance programs have grown in popularity and market share over the past decade as insureds and insurers alike grapple with the mercurial risks associated with interconnected business and supply chain dependency, a dramatic escalation of increasingly sophisticated cyber attacks, and a proliferation of data privacy laws and regulations.

An industry known for embracing paper and shunning change, the property and casualty insurance market struggles to keep pace with the modern business world, which is full of personally owned mobile and other portable devices, and concepts such as advanced persistent threats (APTs), the “Internet of Things” and the “cloud.” While insurance companies are known for creating bespoke policies to address new risks not initially contemplated within the confines of traditional property and liability policies (see Y2K, Environmental Legal Liability, and Employment Practices Liability), insureds are within their right to see how those current programs address twenty-first-century risks.

If only one of Target, Snapchat, Facebook, Google, Twitter, Yahoo!, Adobe, and so on and so forth, had suffered a serious data breach within the last few months that would be sufficiently troubling. Yet data breaches have become so ubiquitous that a single week (if not a day) without one hitting the headlines seems almost strange. By now every organization should appreciate that—no matter how robust and sophisticated its network security is—it remains a vulnerable target for cybersecurity breaches and the host of negative consequences that typically follow, including class action lawsuits (so far, dozens of suits have been filed against Target), substantial breach notification costs, and other “crisis management” expenses, including forensic investigation, credit monitoring, call centers, and public relations efforts, as well as potential regulatory investigations, fines, and penalties. Insurance can play a critical role in addressing cybersecurity risks. But the time to consider insurance coverage for data breaches and other cybersecurity risks is before an organization becomes the next Target.

This paper will briefly look at how an organization’s Commercial General Liability—specifically, the Personal and Advertising Injury coverage—may currently address Privacy risks. An important distinction for purposes of this paper in this regard is the difference between “Cybersecurity” or “Network Security Liability” and “Privacy.” Although there can be substantial overlap between and among these concepts as they typically are understood in the industry, this paper will focus on those risks associated purely with Privacy risks, or the “unauthorized access, collection, use or disclosure of personal information.”[1] Therefore, we will not be covering those issues related to Cyber Liability or “breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs.”[2] This paper will also not be addressing the recent first-party bodily injury, property damage, and business interruption coverage associated with the damage attributable to unauthorized access of operational technology (SCADA systems).


[1] International Association of Privacy Professionals, https://www.privacyassociation.org
[2] Ibid.


We will first summarize and set forth the current industry standard form key coverage grant, definitions, and exclusions. We will then discuss the recent Sony decision and the new 2014 industry form exclusionary endorsements targeted at eliminating coverage for data breaches under standard-form CGL coverage.

Current Standard Form CGL Coverage

The Coverage B “Personal And Advertising Injury Liability” coverage section of the current standard-form Insurance Services Office, Inc. (ISO)[3] CGL policy states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’[4] which is caused by an offense arising out of [the insured’s] business.”[5] “Personal and advertising injury” is defined in the ISO standard-form policy to include a list of specifically enumerated offenses, which include the “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”[6] The policy further states that the insurer “will have the right and duty to defend the insured against any ‘suit.’”[7] The CGL Coverage B can indemnify and provide a defense against a wide variety of claims, including claims alleging violation of privacy rights, such as data breach cases.

Coverage Grant

The “Personal And Advertising Injury” Coverage Grant reads as follows in the current standard form CGL policy:

COVERAGE B—PERSONAL AND ADVERTISING INJURY LIABILITY

1. Insuring Agreement

a. We will pay those sums that the insured becomes legally obligated to pay as damages because of “personal and advertising injury” to which this insurance applies. We will have the right and duty to defend the insured against any “suit” seeking those damages. However, we will have no duty to defend the insured against any “suit” seeking damages for “personal and advertising injury” to which this insurance does not apply. We may, at our discretion, investigate any offense and settle any claim or “suit” that may result. But:

(1) The amount we will pay for damages is limited as described in Section III—Limits Of Insurance; and

(2) Our right and duty to defend end when we have used up the applicable limit of insurance in the payment of judgments or settlements under Coverages A or B or medical expenses under Coverage C.

No other obligation or liability to pay sums or perform acts or services is covered unless explicitly provided for under Supplementary Payments—Coverages A and B.

b. This insurance applies to “personal and advertising injury” caused by an offense arising out of your business but only if the offense was committed in the “coverage territory” during the policy period.


Coverage disputes have generally focused on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies. Courts generally (although certainly not universally) have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging breach of privacy laws and regulations, including, for example, in respect of claims alleging violations of the Telephone Consumer Protection Act (TCPA),[8] claims alleging violations of the Fair Credit Reporting Act (FCRA),[9] claims alleging violations of the Fair and Accurate Credit Transactions Act (FACTA),[10] claims alleging violations of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act,[11] claims alleging violations of the California Confidentiality of Medical Information Act (CMIA),[12] and claims alleging violations of the California Lanterman-Petris-Short Act.[13] Courts have found in favor of coverage in data breach cases,[14] although the recent decision in Zurich American Insurance Co. v. Sony Corp. of America et al.[15] highlights the issues that insureds may face in obtaining coverage for data breaches under CGL policies.

We set forth in more detail the key “Personal And Advertising Injury Liability” coverage terms, including the coverage grant, key definition, and certain noteworthy potential exclusions that currently are in the main standard industry form.

“Personal And Advertising Injury” Definition

The key definition—“Personal and advertising injury”—reads as follows in the current standard form CGL policy:

SECTION V—DEFINITIONS

*****

14. “Personal and advertising injury” means injury, including consequential “bodily injury,” arising out of one or more of the following offenses:

a. False arrest, detention or imprisonment;

b. Malicious prosecution;

c. The wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling, or premises that a person occupies, committed by or on behalf of its owner, landlord, or lessor;

d. Oral or written publication, in any manner, of material that slanders or libels a person or organization or disparages a person’s or organization’s goods, products or services;

e. Oral or written publication, in any manner, of material that violates a person’s right of privacy;

f. The use of another’s advertising idea in your “advertisement”; or

g. Infringing upon another’s copyright, trade dress or slogan in your “advertisement”.


Zurich v. Sony

Arguably the most visible legal case surrounding the applicability of the CGL Personal and Advertising Injury coverage to claims alleging data breach came about because of Sony’s massive 2011 PlayStation data breach. Zurich American and Mitsui Sumitomo had issued primary CGL policies to Sony. In April 2011, hackers broke into Sony networks and stole personal and financial information of more than 100 million users.

Sony was named as a defendant in numerous class actions immediately following the breach. Mitsui denied coverage and Zurich responded by filing a declaratory relief action seeking a declaration that Zurich had no duty to defend.

At issue in the case is whether Sony or the hackers were responsible for the actual “publication” of the personally identifiable information (PII). A New York court recently held that there was no coverage, essentially because it was the perpetrators of the breach who ultimately “published” the private information, rather than Sony itself. Legal experts have argued both in favor of and against the court’s decision, arguing, among other things, that the trigger for the Personal and Advertising Injury coverage must be an affirmative act by Sony or conversely, that coverage is triggered to the extent Sony has liability.

The case is currently under appeal and its final decision will potentially be an indicator of how insurers and courts will view data breach coverage under the Personal and Advertising Injury coverage.

New ISO CGL Exclusions

Last fall, ISO filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess, and umbrella CGL policies. The new endorsements became effective in most states in May 2014.

The language applicable to Coverage B, Personal And Advertising Injury reads:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information, or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses, or any other loss, cost, or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.

Even before the recent 2014 data breach exclusions were introduced, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, entitled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key definition (i.e., “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy”) that is the “hook” for the data breach coverage under CGL Coverage B (found at Paragraph 14.e of the Definitions section of Coverage B). The endorsement states:

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.


Noteworthy Potential Exclusions

The ISO standard form 2001 and later policies contain three exclusions expressly relating to internet activities:

2. Exclusions

This insurance does not apply to:

*****

j. Insureds In Media And Internet Type Businesses

“Personal and advertising injury” committed by an insured whose business is:

(1) Advertising, broadcasting, publishing, or telecasting;

(2) Designing or determining content of web sites for others; or

(3) An Internet search, access, content, or service provider.

However, this exclusion does not apply to Paragraphs 14.a., b. and c. of “personal and advertising injury” under the Definitions section.

For the purposes of this exclusion, the placing of frames, borders, or links, or advertising, for you or others anywhere on the Internet, is not by itself, considered the business of advertising, broadcasting, publishing, or telecasting.

k. Electronic Chat Rooms Or Bulletin Boards

“Personal and advertising injury” arising out of an electronic chat room or bulletin board the insured hosts, owns, or over which the insured exercises control.

l. Unauthorized Use Of Another’s Name Or Product

“Personal and advertising injury” arising out of the unauthorized use of another’s name or product in your e-mail address, domain name, or metatag, or any other similar tactics to mislead another’s potential customers.

Insurers have argued that exclusions that are the same as or similar to the first exclusion bar coverage for data breach claims alleging statutory violations. For example, in Hartford Casualty Insurance Company v. Corcino & Associates et al., the insurer denied coverage for a hospital data breach that compromised the records of nearly 20,000 patients under an exclusion for Personal and advertising injury “[a]rising out of the violation of a person’s right to privacy created by any state or federal act.” At the moment, approximately 48 of the 50 states in the U.S.A. have their own privacy regulations and statutes. A claim alleging violation of these or any other privacy regulation could be viewed as potentially subject to that exclusion.

In addition, 2007 and later ISO forms contain an exclusion for privacy-related laws, including the TCPA, which is applicable to Coverage B. The current 2013 industry form contains the following exclusion:

2. Exclusions

This insurance does not apply to:

*****

p. Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

(1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;

(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law;

(3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or

(4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating, or distribution of material or information.


In the meantime, however, the Sony decision underscores the difficulties that insureds can face in pursuing data breach coverage under their traditional CGL policies.

Although the 2013 “Amendment Of Personal And Advertising Injury Definition” endorsement appears to have quietly flown in under the radar, it in reality is even more sweeping than the 2014 data breach exclusionary endorsements because it entirely eliminates coverage in the first instance.

Conclusion

Over the years, the Commercial General Liability policy has been the proverbial “catch all” for claims subsequently determined to be outside the intent and scope of the underwriters. Past examples have included Pollution Liability, Asbestos, Employment Practices Liability, and Professional Liability. Cyber and Privacy Liability may well be heading in the same direction. Insurers are stating publicly that this exposure was never contemplated when the policy language was drafted. And, of course, cybersecurity and privacy liability has recently risen to potentially catastrophic levels (e.g., Target). Insurers therefore are increasingly seeking to separately insure the risk, subject to separate underwriting criteria.

In the end, before a cybersecurity or privacy incident, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure to cyber and privacy risks, their risk tolerance, the sufficiency of their existing insurance coverage, and the potential role of specialized cyber risk coverage.

[3] ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.
[4] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.
[5] Id. §1.b.
[6] Id. §14.e.
[7] Id. Section I, Coverage B, §1.a.
[8] See, e.g., Owners Ins. Co. v. European Auto Works, Inc., 695 F.3d 814 (8th Cir. 2012); Park University Enterprises, Inc. v. American Cas. Co. of Reading, PA, 442 F.3d 1239 (10th Cir. 2006) (Kansas law); Columbia Cas. Co. v. HIAR Holding, L.L.C., --- S.W.3d ----, 2013 WL 4080770 (Mo. Aug. 13, 2013).
[9] See, e.g., Pietras v. Sentry Ins. Co., 2007 WL 715759 (N.D. Ill. Mar. 6, 2007).
[10] See, e.g., Creative Hosp. Ventures, Inc. v. U.S. Liab. Ins. Co., 655 F. Supp. 2d 1316 (S.D. Fla. 2009).
[11] See, e.g., Netscape Commc’ns Corp. v. Federal Ins. Co., 343 Fed. Appx. 271 (9th Cir. 2009).
[12] See, e.g., LensCrafters, Inc. v. Liberty Mut. Fire Ins. Co., 2005 WL 146896 (N.D. Cal. Jan. 20, 2005).
[13] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).
[14] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).
[15] Index Number: 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014)


www.lockton.com

© 2014 Lockton, Inc. All rights reserved. Images © 2014 Thinkstock. All rights reserved.