Coming soon to a CGL policy near you: ISO’s new data breach exclusions

By Roberta Anderson on March 21, 2014

The 2014 Polar Vortex may be over, but it isn’t sunny skies ahead this Spring for insureds facing data breaches. And serious breaches hit the headlines every day. They are ubiquitous.

Most organizations suffering a data breach of any consequence inevitably will incur significant costs, including for forensic investigation to figure out what happened, breach notification to potentially impacted individuals, credit monitoring and public relations efforts, among other crisis management activities. Companies may also face lawsuits and regulatory investigation.

The recent Target breach is a tale unto its own. Since the breach, over 70 putative class actions have been filed against Target. Its directors and officers face shareholder derivative litigation alleging a 10 percent-plus drop in share price. Its executives testified on February 4th before the Senate Judiciary Committee. Financial institutions are now pursuing Target for reimbursement of their costs for issuing replacement credit and debit cards and compensating customers whose accounts were used fraudulently. It goes on and on.

Currently, there could, and there should, be significant coverage for data breaches under a company’s commercial general liability (CGL) policies. The current Insurance Services Office, Inc. (ISO) [1] standard-form CGL policy, Coverage B (“Personal And Advertising Injury Liability”), states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’” [2] which is defined to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” [3] Considering this language, courts have appropriately upheld coverage for data breaches and other claims alleging violation of various privacy rights in a variety of settings. [4]

Nevertheless, a New York trial court judge recently let Sony’s CGL insurers, Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co., off the hook for Sony’s massive 2011 PlayStation data breach. With all respect to the New York trial court, this one should have been a clear Sony victory. [5] The Sony decision underscores the issues that insureds face even where there is a good claim for CGL coverage.

More troublingly, last Fall, ISO filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective this May 2014, and already have been accepted in at least 40 states. By way of example, one of the endorsements, entitled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information. [6]

ISO states that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.” [7] While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.” [8] The scope of this exclusion ultimately will be determined by judicial review.

Even before the recent data breach exclusions were introduced, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, entitled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply. [9]

Although this endorsement appears to have quietly flown in under the radar, it is in fact even more sweeping than the 2014 data breach exclusionary endorsements because it entirely eliminates in the first instance the key definition that is the “hook” for the data breach coverage under the CGL Coverage B.

Although it may take some time for the new (or similar) exclusions to make their way into CGL policies, and the full reach of the exclusions remains unclear until judicially tested, they provide another reason for companies to carefully consider specialty “cyber” insurance products. “Cyber” policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with their own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

***

[1] ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.

[2] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[3] Id. §14.e.

[4] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527, at *2 (C.D. Cal. Oct. 7, 2013) (upholding coverage in a data breach case for statutory damages of $1000 per person under the CMIA and statutory damages of up to $10,000 per person under the California Lanterman-Petris-Short Act under a policy that covered damages that the insured was “legally obligated to pay as damages because of … electronic publication of material that violates a person’s right of privacy”).

[5] See Roberta D. Anderson, Five Reasons Why The Sony Data Breach Coverage Decision Is Wrong, K&L Gates LLP Insurance Coverage Alert (Mar. 10, 2014), available at http://www.klgates.com/five-reasons-why-the-sony-data-breach-coverage-decision-is-wrong-03-10-2014/.

[6] CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” Id.

[7] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at p. 8.

[8] Id. at p. 3.

[9] See CG 24 13 04 13 (2012) (“With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply”).

Roberta Anderson is a partner in the Pittsburgh office of K&L Gates LLP. She has represented insureds in connection with a broad spectrum of insurance issues and disputes arising under many kinds of insurance coverages, including general liability, commercial property, business interruption, data privacy and “cyber”-liability, directors and officers (D&O), errors and omissions (E&O), and employment practices liability. In addition to assisting clients in maximizing their current insurance assets, Anderson provides strategic advice on complex underwriting and risk management issues, including the drafting and negotiation of data privacy, cyber liability, technology E&O, and D&O insurance coverage. Anderson can be reached at [email protected] or 412.355.6222.