Data Breach Damage—is it covered by the traditional CGL policy?
Overland Park, KS by Brian Boos -
The risk of confidential data breach is no longer a problem only for the likes of Sony and Anthem. Today, cyber breach incidents affect small businesses too; and, big or small, the resulting financial loss can be staggering.
According to a 2014 study by NetDiligence—a global cyber risk management firm—the median cost for claims paid and legal defense of data breach claims was $144,000 and $283,300, respectively. And this doesn’t account for data retrieval —a whopping expense of nearly $20 per record. (The study found that the median number of records lost or compromised is 3,500.)
Insurers and insureds alike often assume damages from a data breach are covered by commercial general liability (“CGL”) insurance. Indeed, the U.S. Courts of Appeals for the Eighth and Tenth Circuits have found such coverage for computer, cyber and privacy risks. See, e.g., Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010) (CGL policy which covered loss of use covered a third-party claim where the claimant’s computer was irreparably damaged after visiting the insured’s website); see also, Park Univ. Enterprises, Inc. v. Am. Cas. Co. of Reading, PA, 442 F.3d 1239 (10th Cir. 2006) (insurer owed defense against claims for loss of privacy damages stemming from unsolicited fax advertisements; thus, the policy’s advertising injury coverage applied). However, in spite of these decisions, the assumption that CGL coverage exists may be more questionable now than ever.
Just last year, similar coverage claims were rejected in the high profile case of Zurich American Ins. Co. v. Sony Corp. of Am., et al. (Index No. 651982/2011) (N.Y. Sup. Ct., Feb 21, 2014). There, after the personal and financial information of 75M+ customers was compromised by online hackers, Sony sought CGL coverage from Zurich. But Zurich argued that the data breach didn’t qualify as “bodily injury” or “property damage,” so it should not be covered by CGL. The New York Supreme Court agreed with Zurich and found that coverage was not afforded under any CGL policy provision.
Furthermore, insurance companies are responding to CGL cyber breach claims with sweeping exclusions and instead offering more narrowly focused insurance products such as: (1) Reputational Risk Coverage; (2) Data Loss or Corruption Coverage; and (3) Third-Party Privacy Claims Coverage. Of course, these relatively new products are and remain untested by courts and litigants. So, whether you’re an insurer grappling with coverage determination issues or an insured facing a data breach claim, it’s important to have experienced insurance counsel to help guide you whenever deep coverage analysis is called for.
For more information on this subject or to talk with a member of our Insurance Practice Group, please contact Karl Kuckelman or Tim Finnerty.