Data Crisis: Commercial Insurance in an Era of Cyber Risk
I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.
- Former FBI Director Robert S. Mueller, III
1. Understanding Cyber Risk
A. Practical Risk and Exposure
There are a number of practical risks and exposures that companies face in connection with a data breach. For example, companies must notify consumers of the breach, as required by various state laws; provide identity monitoring services for consumers whose information has been compromised; conduct cyber-forensics to determine the source and extent of the breach; and retain consultants to manage public relations. Companies also face economic losses from lost customers due to damage to the brand's integrity; fines and penalties from state and federal administrative agencies; legal costs to defend lawsuits arising out of the breach; and potential decreases in stock value. As such, managing data security and preparing for a potential data breach are of critical importance to all companies.
B. Claims Asserted by Data Breach Plaintiffs
In addition to breach of contract and negligence, plaintiffs typically assert claims under various state-level data-breach and consumer-fraud statutes. They request damages for things like credit-monitoring services, and in some cases, for the emotional harm caused by having their privacy compromised.
Plaintiffs are also asserting claims that allege potential harm, such as the anticipated costs of maintaining good credit and preserving the integrity of one's identity. In addition, many of these cases rely on state consumer-protection laws. [See e.g., In re Target Corp., supra, 2014 WL 7192478.]
C. Derivative Suits Arising Out of Data Breach
Over the past few years, the shareholders of several major companies have instituted proceedings against directors and officers for damages to the company resulting from a data breach. For instance, shareholders have filed at least two derivative actions against the directors and officers of Target. [See generally, Complaint, Kulla, et al. v. Steinhafel, et al., No. 0:2014-cv-00203 (D. Minn. 2014); Complaint, Collier, et al. v. Steinhafel, et al., No. 0:2014-cv-00266 (N.D. Cal. 2014).]
D. Administrative Actions for Data Breach
The Federal Trade Commission ("FTC") has brought actions against companies, and the Securities and Exchange Commission ("SEC") has suggested that it would soon begin examining the cybersecurity protocols of publicly traded companies. The SEC may consider lax cybersecurity standards an insufficient disclosure to investors, potentially exposing the company to an enforcement action.
Attorneys General have also begun campaigns against companies that are perceived to have lax cybersecurity. For instance, the Indiana Attorney General filed suit against Wellpoint, Inc. for alleged violations of the Indiana Disclosure of Security Breach Act following a breach in October 2009. [See generally, Indiana v. Wellpoint, Inc., No. 49D06-1010-PL-47381 (Sup'r. Ct. 2011).]
2. Legal and Regulatory Developments in Data Breach and Privacy Law
A. Federal Laws and Regulations Related to Cybersecurity
Over 50 federal statutes either directly or indirectly regulate cybersecurity. Some statutes focus on preventing data breach. For instance, Title II of the Health Insurance Portability and Accountability Act requires healthcare entities to implement various safeguards to protect patients' private medical information. The Gramm–Leach–Bliley Act requires financial institutions to implement comparable safeguards for financial data.
Meanwhile, other statutes have taken the approach of either criminalizing cyber-attacks or defining them as a form of terrorism. For instance, among other things, the Computer Fraud and Abuse Act ("CFAA") criminalizes circumventing passwords (i.e., hacking) as well as trafficking in passwords. The Electronic Communications Privacy Act of 1986 prohibits unauthorized electronic eavesdropping.
B. State-Level Efforts to Curb Cyber-Attacks
A majority of state laws (47 states have enacted statutes) focus on privacy issues, such as procedures for maintaining and disposing of confidential records. However, other laws have taken the approach of trying to expose companies that have lax cybersecurity procedures.
The California Data Breach Act requires any business with personal information about California residents to implement and maintain "reasonable security procedures and practices ... to protect the personal information from unauthorized access, destruction, use, modification or disclosure." The Notice of Security Breach Act ("NSBA") requires companies that maintain personal information of California citizens, including names, social security numbers, driver’s license numbers, credit card numbers or other financial information, to disclose the details of any security breach that they suffer.
The Confidentiality of Medical Information Act ("CMIA") requires that companies obtain authorization prior to disclosing "individually identifiable information" regarding a patient's medical history, physical or mental condition, or treatment. CMIA creates a private cause of action for patients whose information is disclosed. For negligent disclosure in violation of CMIA, plaintiffs can recover actual and/or statutory damages.
3. Potential Insurance Coverage for Cyber Risks under Traditional or "Legacy" Policies
Data breaches may trigger coverage under a wide array of traditional or “legacy” policies. These include policies for Commercial General Liability (“CGL”) and Directors and Officers Liability (“D&O”).
A. Coverage under CGL Policies
(1) Coverage A - "Bodily Injury" and "Property Damage" Liability for Data Breach
In the standard CGL form issued by the Insurance Services Office, Inc. ("ISO"), Coverage A defines the scope of insurance that is provided for "bodily injury" or "property damage":
We will pay those sums that the insured becomes legally obligated to pay as damages because of "bodily injury" or "property damage" to which this insurance applies.
a. The Definition of "Property Damage"
Since at least 1985, the standard CGL form promulgated by ISO defined “property damage” to include: (1) "physical damage to tangible property, including all resulting loss of use of that property"; and (2) "loss of use of tangible property that is not physically injured."
i. Physical Damage to Tangible Physical Property
The use of the word "tangible" would seem to eliminate data breach claims from that theory of "property damage." However, as recognized by the seminal insurance treatise Couch on Insurance, this issue has not been satisfactorily resolved. [See, 9 Couch on Ins. § 126:40]. A seeming majority of cases hold that data is not tangible property. [See e.g., America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 95–96 (4th Cir.2003).] Thus, while destruction of a medium containing electronic data (e.g., a CD) could constitute "property damage", destruction of the data itself could not.
Yet, other courts have found that data does constitute tangible property, so that damage to or destruction of data is "property damage." [See e.g., Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W.3d 16, 23–24 (Tex. App. Tyler 2003).] As a result, such claims can trigger coverage under policies that insure against "property damage." Further, recall that in a standard CGL policy, the insuring agreement for Coverage A recites:
We will pay those sums that the insured becomes legally obligated to pay as damages because of "bodily injury" or "property damage" to which this insurance applies.
(Emphasis added.) This language was significant for the court in Nationwide Ins. Co. v. Hentz, No. 11-CV-618-JPG-PMF, 2012 WL 734193, at *4 (S.D. Ill. Mar. 6, 2012) aff'd sub nom. Nationwide Ins. Co. v. Cent. Laborers' Pension Fund, 704 F.3d 522 (7th Cir. 2013). There, the court said: "even an underlying suit for intangible, economic damages may trigger coverage so long as it results from covered property damage." [Id. citing Wausau Underwriters Ins. Co. v. United Plastics Grp., 512 F.3d 953, 958 (7th Cir.2008) (claimant's business losses were consequential damages payable under policy as damages “because of property damage”).]
ii. Loss of Use
In the context of cyber incidents, the provision of insurance for "loss of use" could increase the scope of potential coverage. We are in the midst of a paradigm shift from localized storage of data to cloud computing, which makes a nearly infinite volume of data more accessible to hackers than ever before. As set forth in the discussion of tangibility above, it remains unsettled whether a loss of data can establish coverage for "property damage." [See also, Nationwide Ins. Co. v. Hentz, supra, 2012 WL 734193, at *4 (stating that intangible losses occurring "because of" covered "property damage" will trigger coverage).]
Since 2001, ISO has made several revisions to its standard CGL forms that significantly reduce the scope of potential coverage. The CGL form issued by ISO in 2001 amended the definition of "property damage" to include the following limitation:
For the purposes of this insurance, electronic data is not tangible property.
As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
b. Exclusion to Coverage A That May Apply to Data Breach
In 2004, ISO added the following exclusion to the CGL form:
This insurance does not apply to:
p. Electronic Data
Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.
As used in this exclusion, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.
(2) Coverage under Coverage B for "Personal and Advertising Injury"
Standard CGL policies define "personal and advertising injury" as "injury, including consequential 'bodily injury', arising out of one or more" specifically enumerated offenses. Coverage for "personal and advertising injury" is generally limited to those specifically enumerated offenses. [See e.g., Lindsey v. Admiral Ins. Co., 804 F. Supp. 47, 51-52 (N.D. Cal. 1992).]
In the context of data breach, the most likely offense to trigger coverage for "personal and advertising injury" is subparagraph e, which recites:
Oral or written publication, in any manner, of material that violates a person's right of privacy[.]
a. Issues Regarding Publication
Some courts have held that publication requires dissemination to the public that is sufficiently widespread to consider the information "generally known." [See e.g., Whole Enchilada v. Travelers Property Cas. Co. of America, 581 F. Supp. 2d 677, 697 (W.D. Pa. 2008) (per the dictionary definition of "publish," the insured's alleged violation of the Fair and Accurate Credit Transactions Act by printing more than the last five digits of credit card numbers on receipts was not sufficiently widespread or public to constitute "publication").]
Yet, other courts have found that "publication" merely requires that the material was made accessible to a third party. [See e.g., Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 1:13-CV-917 GBL, 2014 WL 3887797, at *4 (E.D. Va. 2014) ("[E]xposing material to the online searching of a patient's name does constitute a 'publication' of electronic material, satisfying the Policies' first prerequisite to coverage.").]
A related issue that has been addressed by some courts is whether the publication must occur at the direction of the insured. For instance, consider the widely publicized hacking of the Sony PlayStation Network in April 2011. Hackers stole personally-identifiable information for over 77 million users, exposing Sony to 58 different class-action complaints. [See generally, Complaint, Exhibit A, Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. 2011).]
In the coverage action between Sony and its CGL insurers, the Court found that the "publication" requirement had not been established because it required "some kind of act or conduct by the policyholder" and Coverage B offenses "cannot be expanded to include third party acts." [See, Zurich American Ins. v. Sony Corp. of America, 2014 WL 3253541 (N.Y.Sup. 2014). But see, e.g., Netscape Communications Corp. v. Federal Ins. Co., 343 Fed.Appx. 271 (9th Cir. 2009) (reaching the opposite conclusion).]
b. The Right of Privacy
The issue of whether a data breach involves a violation of a person's "right of privacy" has been addressed in very few cases. Most courts summarily conclude that it does. This is supported by precedent addressing the issue outside of the context of data breach. [See e.g., Big 5 Sporting Goods v. Zurich American Ins., 957 F.Supp.2d 1135 (C.D.Cal. 2013) (collecting customers’ ZIP codes in connection with credit card transactions is a violation of privacy rights).]
However, a few courts have held that the mere loss or theft of personal identification information alone does not constitute a violation of a person's "right of privacy." For instance, in Galaria v. Nationwide Mutual Ins., the court was presented with the question of whether the theft of plaintiffs' personally identifiable information from the insured's computer network fit within Coverage B. [See generally, Galaria v. Nationwide Mutual Ins., 998 F. Supp. 2d 646 (S.D. Ohio 2014).]
(3) Endorsements that Limit or Exclude Coverage for Cyber Liability
ISO recently issued a new endorsement entitled “Amendment Of Personal And Advertising Injury Definition" (Form No. CG 24 13 04 13). The endorsement states that with respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e does not apply. In other words, policies including this endorsement do not define “personal and advertising injury” to include “injury… arising out of… [o]ral or written publication, in any manner, of material that violates a person’s right of privacy."
Another endorsement entitled the "Electronic Data and Cyber Risk Exclusion" (AGL 04 13 06 11) effectively eliminates all Coverage A and B claims arising out of data breach. In relevant part, it provides:
The following is added to SECTION I – COVERAGES, COVERAGES A AND B, Paragraph 2. Exclusions:
Electronic Data And Cyber Risk
We will not pay for “bodily injury” or “property damage”, directly or indirectly arising out of, caused by, contributed to or resulting from any:
(1) Functioning, nonfunctioning, improperly functioning, availability or unavailability of:
(a) The internet or similar facility; or
(b) Any intranet or private network or similar facility; or
(c) Any website, bulletin board, chat room, search engine, portal or similar third party application service.
(2) Alteration, corruption, destruction, distortion, erasure, theft or other loss of or damage to data, software, information repository, microchip, integrated system or similar device in any computer equipment or non-computer equipment or any kind of programming or instruction set; or
(3) Loss of use or functionality, whether partial or entire, of data, coding, program, software, any computer or computer system or other device dependent upon any microchip or embedded logic and any ensuing inability or failure of any insured to conduct business.
Yet another new endorsement is Form No. CG 21 06 05 14, entitled "Access or Disclosure of Confidential Information Exclusion." This exclusion eliminates coverage for "Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability."
B. Coverage under D&O and Fiduciary Liability Policies
Corporate directors and officers owe fiduciary duties to the corporation and its shareholders. If a data breach is foreseeable and material to the ongoing health of the corporation, the failure to prevent and deal with it appropriately may form the basis of a derivative suit.
D&O coverage is typically written on a claims-made basis. It provides coverage for losses arising from claims against a director or officer during the policy period for alleged wrongful acts or omissions. Typically, there are two components of D&O coverage:
1. Executive liability coverage, reimbursing a director or officer for losses resulting from his or her alleged wrongful acts or omissions; and
2. Corporate reimbursement coverage, covering any costs incurred by the corporation in the defense and indemnity of directors and officers who are subjected to claims for alleged wrongful acts or omissions.
Data breach is not expressly excluded in standard D&O policies.
4. New Policies for Cyberinsurance
The term "cyberinsurance" refers to a wide variety of insurance products that provide coverage for cyber risks. Cyberinsurance policies provide a variety of coverage options for both first-party loss and third-party liability. Some offer protection for data breach, privacy violations and crisis management. Others may cover the cost of data restoration and even regulatory liability stemming from state or federal administrative actions.
New cyberinsurance policies have a variety of options that can be tailored to each insured. The general areas of coverage that may be afforded by particular cyberinsurance coverage include:
• Legal Fees: Costs to hire counsel to handle all of the legal issues that follow a breach, including representing the company in state and private lawsuits, responding to governmental inquiries, and providing the requisite notifications to consumers.
• Investigation and Restoration: Expenses to hire cyber-forensics consultants to investigate the source and extent of a breach, and if necessary, to restore lost data.
• Public Relations: Retaining public relations consultants to restore an insured's reputation after a breach.
• Business Interruption: Costs attributable to lost income where an insured is unable to conduct business due to a breach.
• Credit Monitoring Services for Consumers.
• Cyber-Extortion: The reasonable and necessary costs to respond to credible cyber-threats made by third parties, including the amount of any necessary ransom.
• Privacy Liability: Third-party claims for loss or disclosure of confidential information.
• Internet Media Liability: Defamation, infringement of copyright, infringement or dilution of trademark, title, slogan, trade name, trade dress, service mark, or service name.
• Network Security Liability: Liability arising out of an insured negligently administering networks or failing to prevent cyberattacks.
• Internet Professional Liability: Liability unique to insureds that provide web-based technology services.
• First-Party Property Coverage: Including devices and network infrastructure.
• Electronic Theft Reimbursement.
Cyberinsurance exclusions may include: (1) loss arising out of design defects; (2) loss arising out of incompatible software; (3) contractual liability; (4) consequential damages; (5) loss resulting from the use of certain specified software; and (6) loss arising out of regular wear and tear on equipment or cable lines.
Linda Wendell Hsu is the managing partner of Selman Breitman’s San Francisco office. She specializes in insurance coverage and bad faith litigation, handling all first and third-party coverage issues and litigating both declaratory relief and bad faith actions. Linda is licensed to practice law in California, Washington State, and the District of Columbia.
Jon Jekel is an associate in Selman Breitman’s San Francisco office. He specializes in business formation, intellectual property litigation and insurance coverage. Jon is licensed to practice in California.