Introduction: Insurance Products for Cyber Risks
Media reports of cyber intrusions, data thefts and computer system malfunctions involving large, high-profile companies such as Sony PlayStation, Citigroup and Lockheed’s Security Vendor, RSA, have led a rapidly growing number of companies to consider the necessity of insurance coverage for technology and cyber privacy risks. As these businesses become more reliant on electronic communication and data storage, they are also developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. Consequently, prospective policyholders are becoming more cognizant of the necessity for insurance covering these exposures.
There is significant uncertainty, however, about the nature and scope of the insurance products available to cover a company’s technology and cyber privacy risks. The lack of familiarity with insurance products extends not only to businesses that use technology incidental to their business operations, but also, surprisingly, to large companies which develop, market and sell technology products. While businesses and their insurance brokers typically are knowledgeable about insurance policies covering traditional general and professional liability exposures, today’s online society introduces new exposures, many of which are not covered under traditional general and professional liability policy forms.
Given (1) the multitude of different insurance products now offered in the global market that purportedly extend coverage to cyber risks, and (2) the business communities’ lack of familiarity with this emerging insurance, policyholders’ reliance on the insurance brokerage community is heightened. As such, it has become increasingly important for insurance brokers to develop a sophisticated understanding of these products, perform a thorough analysis of a policyholder’s insurance needs, and work with underwriters to obtain and tailor insurance policies to meet those needs.
To illustrate, many policyholders may be surprised to learn that a standard CGL policy likely would not apply to a technology or cyber privacy claim, notwithstanding that the form typically includes coverage for “property damage” and “personal and advertising injury.” As such, insurance brokers must be proactive in recognizing the limitations of a CGL policy for their clients’ business operations, and recommend comprehensive multi-line insurance programs to properly address their clients’ cyber/technology insurance needs. This article highlights some of the issues that may arise from the application of conventional insurance coverage in respect of cyber risks.
Evolving Risks in the Age of E-Commerce
A typical CGL policy defines “property damage” as “physical injury to tangible property, including all resulting loss of use of that property.” Although this definition would apply to traditional property damage losses (such as those arising from fires, impaired property and the like), many policyholders and brokers might incorrectly assume that it also extends to technology and cyber privacy losses involving intangible property, such as electronic data. Such an interpretation, however, may be regarded as contrary to the plain and ordinary meaning of the policy language, which specifies that “property damage” is premised upon “physical injury to tangible property.”
This misconception perhaps is based upon the intuition of policyholders and brokers that traditional policy forms should adapt to protect against evolving risks. While this assumption may seem reasonable to policyholders, it is not one ratified either by policy drafters or the courts, as will be discussed more fully below.
Prior to the widespread use of technology and paperless systems, the disclosure of confidential information and destruction or theft of client or employee records would, generally speaking, have involved paper documents – that is to say, “tangible” property – and thereby possibly would have been covered by a CGL and/or fidelity policy. At the same time, prior to the advent of the internet and the widespread use of computers, the possibility that a company might be damaged by the electronic “equivalent” of a data theft or computer breakdown was largely unimaginable, and surely not contemplated by underwriters, brokers or their policyholders. Thus, CGL policies were not drafted with the thought that such risks would exist – or be covered.
Oddly, it is sheer coincidence that a typical CGL policy specifically carves out intangible property damage from its definition of “property damage.” Indeed, ISO’s addition of the word “tangible” to its standard CGL form in 1966 was in response to efforts by policyholders to obtain coverage for rights, obligations, and other forms of economic loss. Prior to 1966, “property damage” was defined as “injury to or destruction to property.” The 1966 definition, which defined “property damage” as “injury to or destruction of tangible property” was “misleadingly simple.” Laurie Vasichek, Liability Coverage for “Damage Because of Property Damage” Under the Comprehensive General Liability Policy, 68 Minn. L. Rev. 795, 801 (1984).
In view of this and other criticisms of the 1966 revision, ISO further clarified the definition in 1973 so as to require “physical injury to tangible property.” Like the 1966 amendment, this change was designed to limit coverage to the intended categories of loss, and to preclude coverage for diminution in value and other intangible losses. It nonetheless remains that CGL policies were not drafted in contemplation of cyber losses and were not rated to address their potential breadth, as the scope of a cyber loss can easily exceed the loss resulting from a typical property damage claim.
In the course of a data breach, a large quantity of data can be remotely accessed, duplicated, and disseminated within a fraction of a second; certainly far more permanent damage can be done in a nano-second than in the case of a defective product or a natural catastrophe involving traditional brick and mortar property damage. Moreover, if stolen personal or confidential corporate information is circulated on the Internet, the harm becomes both permanent and widespread.
The potential implications of this loss extend far beyond the scope of traditional tangible property damage. Cyber breach remediation requires time, intelligence and a significantly more advanced means of reparation, if any such repairs are even achievable when it comes to personal and confidential corporate information.
Cyber Risks as “Property Damage”
Beginning in 2001, during the early emergence of electronic commerce, some CGL policy forms began to specifically exclude electronic data from their definition of “property damage” in an effort to further limit the scope of coverage. In such policies, “electronic data” is generally defined as the “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software.”
Some policyholders have elected to test this principle, arguing that “property damage” includes damage to computer software, information and data. The results in most cases were not favorable to policyholders. For example, in America Online, Inc. v. St. Paul Mercury Insurance Co., 347 F.3d 89, 96 (4th Cir. 2003), the Fourth Circuit properly recognized that data, web pages and computer systems do not constitute tangible property because they are not capable of being touched, held or sensed by the human mind. As such, they were not “property damage,” as that term is used in a CGL policy.
The Eighth Circuit concurred with this proposition, holding in Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797, 802 (8th Cir. 2010), that a “complaint would have had to make a claim for physical injury to the hardware in order for [the policyholder] to have coverage for ‘physical injury to tangible property’” under a general liability policy’s “property damage” coverage. Despite the inherent logic of these appellate decisions, one trial court, in dicta, has endorsed an expansive definition of “property damage,” that arguably extends beyond its plain and ordinary meaning.
In Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185, 2000 WL 726789 (D. Ariz. Apr. 18, 2000), the court considered whether a first-party property policy covered losses incurred after a power outage rendered the computer systems inoperable. The court rationalized that the physical attributes of “bytes,” as well as the particles and atoms that comprise a hard drive, constituted “tangible” property in order to justify, arguably, its result-oriented conclusion that the corruption of data constituted “physical damage,” as required by the policy. The Ingram Micro court rationalized its construct by hypothesizing that “[a]t a time when computer technology dominates our professional as well as our personal lives . . . ‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.” Though the policy insured against “direct physical loss or damage,” the court conflated the phrases “physical damage” and “property damage” and held that the loss of programming information and network configurations “does allege property damage.”
The Ingram Micro decision is frequently cited by policyholder counsel seeking to argue away the limitations of a CGL policy, despite the fact that the issues are presented in the context of an all-risks property policy.
Cyber Risks under Endorsements
Notwithstanding the “property damage” jurisprudence, certain CGL policy forms may expand the scope of their traditional coverages to include certain data losses. Because traditional CGL policies typically do not provide property coverage for technology and cyber privacy risks, insurance companies are marketing specific policies and endorsements with specialized forms of coverage. For example, ISO form endorsements are available for use with CGL policies that provide coverage for loss of, and loss of use of, electronic data resulting from physical injury to tangible property. Insurers may also offer technology stretch, computers and media, and technology services coverage endorsements in combination with CGL policies.
Cyber Risks as “Personal and Advertising Injury”
The foregoing is not intended to suggest that a standard CGL policy may never apply to a cyber privacy claim. Indeed, many general liability policies include “personal and advertising injury” coverage which, in some cases, may subsume certain portions of a cyber privacy event. The term “personal injury and advertising injury” typically is defined to include a list of enumerated offenses such as injury arising out of the infringement of another’s copyright and the oral or written publication of material that slanders a person or organization, or violates a person’s right to privacy.
In Netscape Communications Corp. v. Federal Insurance Co., 343 Fed. Appx. 271, 272 (9th Cir. 2009), the Ninth Circuit held that a CGL insurer providing “personal and advertising injury” coverage had a duty to defend where AOL was alleged to have intercepted and disseminated private online communications. The Netscape court found such claims implicated a person’s right to privacy and thereby potentially triggered the policy’s “personal and advertising injury” coverage section.
In Zurich American Insurance Company v. Fieldstone Mortgage Company, No. CCB-06-2055, 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007), the court found that Zurich had a duty to defend against claims brought by individuals who received prescreened offers based on information contained in their consumer credit reports, allegedly in violation of the Fair Credit Reporting Act. The court held that even though the solicitations were not divulged to a third party and did not contain protected information, the solicitations constituted “publication” of material violating a person’s right to privacy, in the context of an “advertising injury” policy provision.
Beyond the question of whether a CGL insurer has a duty to defend, or even a duty to indemnify, a technology and/or cyber privacy claim, another problematic issue that may arise in such cases is that of overlapping coverage. Where a policyholder has obtained multiple policies covering multiple types of exposures and risks, a CGL policy’s coverage may overlap and converge with those provided by other insurance products, including, for example, (i) pure cyber and technology forms; (ii) third-party professional liability and directors and officers liability policies; and (iii) first-party and business interruption certificates. Issues then posed may include:
• the extent to which damages are covered under each form (i.e., in the third-party context, damage to hardware may be covered under a CGL form policy while corresponding corruption of software may be covered under a technology policy);
• the manner in which defense costs should be allocated between the policies;
• the implications of “other insurance” clauses; and
• the scope of an insurer’s duty to defend and/or pay defense costs under a pure indemnity policy.
In short, virtually all modern businesses rely, in some manner, on technology. They can, and should, take all reasonable steps to ensure that they have virtually seamless insurance coverage by working with sophisticated insurance brokers well-versed in the myriad policies and forms available to cover technology and cyber privacy risks. Just as our economy is quickly evolving, so too are the types of insurance products and coverage available to meet a policyholder’s changing needs. Understanding the components of these new-age policies is critical, and prudent business executives should devote the necessary time and resources to identify a sophisticated insurance broker who can assess a company’s vulnerabilities and ensure that the necessary insurance products are purchased.
At the same time, brokers need to have a deep and rich understanding of the available products – and their limitations – in order to explain to their clients – in writing – which products best meet their needs, and why CGL insurance alone may be insufficient (including the fact that electronic data may be specifically excluded). Having written such policies, and having worked with many brokers and underwriters, we can assure readers that the exercise will not be easy. But it certainly will be worth it in the end.