As many of us have been saying since the advent of cyber insurance coverage, it is cyber policies that potentially cover privacy risks and exposures, not commercial general liability policies, be it under a property damage or a personal/advertising injury insuring agreement.
In other words, policyholders and their brokers would be mistaken if they deluded themselves into thinking that a standard base CGL policy’s personal injury/advertising injury coverage applies to a typical cyber breach where personally identifiable information is extracted.
On February 21, Judge Jeffrey K. Oing of the New York Supreme Court, Manhattan Commercial Division ratified this maxim by denying personal injury coverage to Sony for the 2011 breach and theft of personal information from its PS3 gaming platform, among other databases. Zurich American Insurance Company v. Sony Corporation of America, Index No. 651982/2011 (N.Y. Supreme, filed 7/20/2011). See complaint here.
According to Law360 (subscription required), Judge Oing issued a bench order following oral argument that PI/AI coverage potentially applies only if the policyholder actively participated in the unlawful conduct and does not extend to the misconduct of an unauthorized third party. To hold otherwise, the Court said, would be to unlawfully expand a CGL policy’s coverage beyond its intended scope.
Judge Oing reportedly stated that the CGL policy before him “requires policyholders to commit the acts, it does not extend to third parties” under New York law. Where, as in the case before him, an unauthorized intruder publishes the stolen PII, there is no PI/AI offense committed by the affected policyholder.
And, of course, this is both commercially and logically sensible. What Sony effectively was trying to accomplish was to convert claims for negligent cybersecurity into a potentially insurable personal injury claim. Of course, the flip side of such a creative argument is to suggest that the policyholder somehow may have been complicit in the improper publication of PII. We obviously know that is not what Sony was arguing (or what actually happened); nonetheless, entrepreneurial plaintiffs’ attorneys would be more than happy to champion such a theme in underlying litigation had Judge Oing endorsed that argument. Plaintiffs’ counsel might not be right. But that’s not necessarily the point in class action litigation.
Judge Oing’s decision is consistent with other courts’ decisions holding that PI/AI coverage is potentially triggered only where the policyholder “published” personal information. See, e.g., Butts v. Royal Vendors, Inc., 202 W. Va. 448 (1998) (PI/AI coverage potentially applies only where the policyholder itself violated a person’s privacy rights, not where a third party did so).
While insurers and policyholders likely will continue to seek judicial determinations on the scope of AI/PI coverage, both constituencies should agree on the commercial implications of Judge Oing’s decision. It’s exponentially cheaper to buy dedicated cyber insurance and avoid future coverage disputes over PI/AI insuring agreements than to continue to engage in expensive coverage litigation, whether the claim is predicated on a business’s alleged failure to “prevent” unauthorized access, employee negligence or another type of Wrongful Act.
Judge Oing’s decision further supports the proposition that Claims arising from the vast majority of unauthorized cybersecurity incidents would not be covered under a CGL policy’s AI/PI coverage unless the policyholder itself “published” the PII.
Following this commendable logic, any potential coverage for a privacy-based Claim would fall within the purview of a monoline cyber insurance policy providing crisis management coverage. The premium charged for such a product is modest relative to the costs of coverage litigation, much less the expense of managing a cyber incident. Response costs alone could be infinite multiples of those that a policyholder would pay to implement an appropriate cybersecurity avoidance and response plan. Which, of course, includes appropriate insurance with sufficient limits of liability.
I’m sure readers are getting tired of hearing me say it. But, unfortunately, the word is not spreading fast enough. It’s up to brokers in particular to understand what is and what isn’t covered under a traditional CGL insurance policy and, as appropriate, look for other solutions to protect their clients against the rapidly evolving cyber-related risks and exposures. Until they do, coverage disputes like Sony will continue to be litigated – as will the growing number of E&O claims against unsophisticated brokers.