Why Buy Cyber and Privacy Liability When You Have a Perfectly Good Commercial General Liability Program? July 2014 • Lockton ® Companies Cyber and Privacy Liability insurance programs have grown MICHAL GNATEK Vice President Aerospace & Defense 202.414.2662 mgnatek@lockton.com in popularity and market share over the past decade as insureds and insurers alike grapple with the mercurial risks associated with interconnected business and supply chain dependency, a dramatic escalation of increasingly sophisticated cyber attacks, and a proliferation of data ROBERTA D. ANDERSON Insurance Coverage and Cyber Law and Cyber Security Partner K&L Gates LLP privacy laws and regulations. An industry known for embracing paper and shunning change, the property and casualty insurance market struggles to keep pace with the modern business world, which is full of personally owned mobile and other portable devices, and concepts such as advanced persistent threats (APTs), the “Internet of Things”and the “cloud.” While insurance companies are known for creating bespoke policies to address new risks not initially contemplated within the confines of traditional property and liability policies (see Y2K, Environmental Legal Liability, and Employment Practices Liability), insureds are within their right to see how those current programs address twenty-first-century risks. If only one of Target, Snapchat, Facebook, Google, Twitter, Yahoo!, Adobe, and so on and so forth, had suffered a serious data breach within the last few months that would be sufficiently troubling. Yet data breaches have become so ubiquitous that a single week (if not L O C K T O N C O M P A N I E S The time to consider insurance coverage for data breaches and other cybersecurity risks is before an organization becomes the next Target. days) without one hitting the headlines seems almost purposes of this paper in this regard is the difference strange. By now every organization should appreciate between “Cybersecurity” or “Network Security Liability” that—no matter how robust and sophisticated its and “Privacy.” Although there can be substantial network security is—it remains a vulnerable target overlap between and among these concepts as they for cybersecurity breaches and the host of negative typically are understood in the industry, this paper will consequences that typically follow, including class focus on those risks associated purely with Privacy action lawsuits (so far, dozens of suits have been filed risks, or the “unauthorized access, collection, use or against Target), substantial breach notification costs, disclosure of personal information.”1 Therefore, we and other “crisis management” expenses, including will not be covering those issues related to Cyber forensic investigation, credit monitoring, call centers, and Liability or “breach-related expenses, including forensic public relations efforts, as well as potential regulatory investigations, outside counsel fees, crisis management investigations, fines, and penalties. Insurance can play services, public relations experts, breach notification, a critical role in addressing cybersecurity risks. But the and call center costs.”2 This paper will also not be time to consider insurance coverage for data breaches addressing the recent first-party bodily injury, property and other cybersecurity risks is before an organization damage, and business interruption coverage associated becomes the next Target. with the damage attributable to unauthorized access of operational technology (SCADA systems). This paper will briefly look at how an organization’s Commercial General Liability—specifically, the Personal and Advertising Injury coverage—may currently addresses Privacy risks. An important distinction for 2 1 International Association of Privacy Professionals, https://www.privacyassociation.org 2 Ibid. July 2014 • Lockton Companies Coverage Grant The “Personal And Advertising Injury” Coverage Grant We will first summarize and set forth the current industry reads as follows in the current standard form CGL standard form key coverage grant, definitions, and policy: exclusions. We will then discuss the recent Sony decision COVERAGE B—PERSONAL AND ADVERTISING and the new 2014 industry form exclusionary endorsements INJURY LIABILITY targeted at eliminating coverage for data breaches under 1. Insuring Agreement standard-form CGL coverage. a. We will pay those sums that the insured becomes Current Standard Form CGL Coverage legally obligated to pay as damages because of “personal and advertising injury” to which this The Coverage B “Personal And Advertising Injury insurance applies. We will have the right and duty Liability” coverage section of the current standard-form to defend the insured against any “suit” seeking Insurance Services Office, Inc. (ISO)3 CGL policy states those damages. However, we will have no duty to defend the insured against any “suit” seeking that the insurer “will pay those sums that the insured damages for “personal and advertising injury” to becomes legally obligated to pay as damages because of which this insurance does not apply. We may, at ‘personal and advertising injury,’4 which is caused by an our discretion, investigate any offense and settle offense arising out of [the insured’s] business.” “Personal 5 any claim or “suit” that may result. But: and advertising injury” is defined in the ISO standard- (1) The amount we will pay for damages is limited as form policy to include a list of specifically enumerated described in Section III—Limits Of Insurance; and offenses, which include the “offense” of “[o]ral or written (2) Our right and duty to defend end when we publication, in any manner, of material that violates a have used up the applicable limit of insurance in person’s right of privacy.”6 The policy further states that the the payment of judgments or settlements under insurer “will have the right and duty to defend the insured Coverages A or B or medical expenses under against any ‘suit.’” The CGL Coverage B can indemnify Coverage C. and provide a defense against a wide variety of claims, No other obligation or liability to pay sums or perform including claims alleging violation of privacy rights, such as acts or services is covered unless explicitly provided data breach cases. for under Supplementary Payments—Coverages A 7 and B. b. This insurance applies to “personal and advertising injury” caused by an offense arising out of your business but only if the offense was committed in Coverage disputes have generally focused on the “coverage territory” during the policy period. whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies. 3 “Personal And Advertising Injury” Definition The key definition—“Personal and advertising injury” Coverage disputes have generally focused on whether reads as follows in the current standard form CGL there has been a “publication” that violates the claimant’s policy: “right of privacy”—both terms are left undefined in SECTION V—DEFINITIONS standard-form ISO policies. Courts generally (although ***** certainly not universally) have construed the language favorably to insureds and have found coverage for a wide 14.“ Personal and advertising injury” means injury, variety of claims alleging breach of privacy laws and including consequential “bodily injury,” arising out regulations, including, for example, in respect of claims of one or more of the following offenses: alleging violations of the Telephone Consumer Protection a. False arrest, detention or imprisonment; Act (TCPA),8 claims alleging violations of the Fair Credit b. Malicious prosecution; Reporting Act (FCRA),9 claims alleging violations of the c. The wrongful eviction from, wrongful entry into, Fair and Accurate Credit Transactions Act (FACTA),10 or invasion of the right of private occupancy claims alleging violations of the Electronic Communications of a room, dwelling, or premises that a person Privacy Act and the Computer Fraud and Abuse Act,11 occupies, committed by or on behalf of its owner, claims alleging violations of the California Confidentiality landlord, or lessor; of Medical Information Act (CMIA),12 and claims alleging d. Oral or written publication, in any manner, violations of the California Lanterman-Petris-Short Act.13 of material that slanders or libels a person Courts have found in favor of coverage in data breach or organization or disparages a person’s or cases,14 although the recent decision in Zurich American organization’s goods, products or services; Insurance Co. v. Sony Corp. of America et al.15 highlights the e. Oral or written publication, in any manner, of issues that insureds may face in obtaining coverage for data material that violates a person’s right of privacy; breaches under CGL policies. f. The use of another’s advertising idea in your We set forth in more detail the key “Personal And “advertisement”; or Advertising Injury Liability” coverage terms, including the g. Infringing upon another’s copyright, trade dress coverage grant, key definition, and certain noteworthy or slogan in your “advertisement”. potential exclusions that currently are in the main standard industry form. 4 July 2014 • Lockton Companies New ISO CGL Exclusions Last Fall, ISO filed a number of data breach exclusionary Zurich v. Sony endorsements for use with its standard-form Arguably the most visible legal case surrounding the endorsements became effective in most states in May primary, excess, and umbrella CGL policies. The new applicability of the CGL Personal and Advertising 2014. Injury coverage to claims alleging data breach came The language applicable to Coverage B, Personal And about because of Sony’s massive 2011 PlayStation data Advertising Injury reads: breach. Zurich American and Mitsui Sumitomo had This insurance does not apply to: issued primary CGL policies to Sony. In April 2011, hackers broke into Sony networks and stole personal Access Or Disclosure Of Confidential Or Personal and financial information of more than 100 million Information users. “Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s Sony was named as a defendant in numerous class confidential or personal information, including patents, actions immediately following the breach. Mitsui trade secrets, processing methods, customer lists, financial information, credit card information, health denied coverage and Zurich responded by filing a information, or any other type of nonpublic information. declaratory relief action seeking a declaration that This exclusion applies even if damages are claimed for Zurich had no duty to defend. notification costs, credit monitoring expenses, forensic expenses, public relations expenses, or any other loss, At issue in the case is whether Sony or the hackers cost, or expense incurred by you or others arising were responsible for the actual “publication” of the out of any access to or disclosure of any person’s or personally identifiable information (PII). A New organization’s confidential or personal information. York court recently held that there was no coverage, Even before the recent 2014 data breach exclusions essentially because it was the perpetrators of the were introduced, as part of its April 2013 revisions to breach who ultimately “published” the private the CGL policy forms, ISO introduced an endorsement, information, rather than Sony itself. Legal experts entitled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key definition have argued both in favor of and against the court’s (i.e., “[o]ral or written publication, in any manner, of decision, arguing, among other things, that the trigger material that violates a person’s right of privacy”) that for the Personal and Advertising Injury coverage is the “hook” for the data breach coverage under CGL must be an affirmative act by Sony or conversely, that Coverage B (found at Paragraph 14.e of the Definitions coverage is triggered to the extent Sony has liability. section of Coverage B). The endorsement states: With respect to Coverage B Personal And Advertising The case is currently under appeal and its final Injury Liability, Paragraph 14.e. of the Definitions section decision will potentially be an indicator of how does not apply. insurers and courts will view data breach coverage under the Personal and Advertising Injury coverage. 5 Noteworthy Potential Exclusions Casualty Insurance Company v. Corcino & Associates et al ., the insurer denied coverage for a hospital data breach that The ISO standard form 2001 and later policies contain three compromised the records of nearly 20,000 patients under an exclusions expressly relating to internet activities: exclusion for Personal and advertising injury “[a] rising out of the violation of a person’s right to privacy created by any 2. Exclusions state or federal act.” At the moment, there are approximately 48 out of 50 states in the U.S.A. that have their own privacy This insurance does not apply to: regulations and statutes. A claim alleging violation of these ***** or any other privacy regulation could be viewed as potentially subject to that exclusion. j. Insureds In Media And Internet Type Businesses In addition, 2007 and later ISO forms contain an exclusion “Personal and advertising injury” committed by an insured for privacy-related laws, including the TCPA, which is whose business is: applicable to Coverage B. The current 2013 industry form (1) Advertising, broadcasting, publishing, or telecasting; contains the following exclusion: (2) Designing or determining content of web sites for 2. Exclusions others; or This insurance does not apply to: (3) An Internet search, access, content, or service provider. ***** However, this exclusion does not apply to Paragraphs 14.a., p. Recording And Distribution Of Material Or Information b. and c. of “personal and advertising injury” under the In Violation Of Law Definitions section. “Personal and advertising injury” arising directly or indirectly For the purposes of this exclusion, the placing of frames, out of any action or omission that violates or is alleged borders, or links, or advertising, for you or others anywhere to violate: on the Internet, is not by itself, considered the business of advertising, broadcasting, publishing, or telecasting. (1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; k. Electronic Chat Rooms Or Bulletin Boards (2) The CAN-SPAM Act of 2003, including any amendment “Personal and advertising injury” arising out of an electronic of or addition to such law; chat room or bulletin board the insured hosts, owns, or over which the insured exercises control. (3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair l. Unauthorized Use Of Another’s Name Or Product and Accurate Credit Transactions Act (FACTA); or “Personal and advertising injury” arising out of the unauthorized use of another’s name or product in your e-mail address, domain name, or metatag, or any other similar (4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, tactics to mislead another’s potential customers. that addresses, prohibits, or limits the printing, Insurers have argued that exclusions that are the same as dissemination, disposal, collecting, recording, sending, or similar to the first exclusion bar coverage for data breach transmitting, communicating, or distribution of material claims alleging statutory violations. For example, in Hartford or information. 6 July 2014 • Lockton Companies In the meantime, however, the decision underscores the difficulties that insureds can face in pursing data breach coverage under their traditional CGL policies. Although this endorsement appears to have quietly flown in under the radar, it in reality is even more sweeping than the 2014 data breach exclusionary endorsements because it entirely eliminates coverage in the first instance. Conclusion Over the years, the Commercial General Liability policy has been the proverbial “catch all” for claims subsequently determined to be outside the intent and scope of the underwriters. Past examples have included Pollution Liability, Asbestos, Employment Practices Liability, and Professional Liability. Cyber and Privacy Liability may well be heading in the same direction. Insurers are stating publicly that this exposure was never contemplated when the policy language was drafted. And, of course, cybersecurity and privacy liability has recently risen to ISO is an insurance industry organization whose role is to develop standard 3 insurance policy forms and to have those forms approved by state insurance potentially catastrophic levels of potential liability (e.g., commissioners. Target). Insurers therefore are increasingly seeking to ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a. 4 Id. §1.b. 5 separately insure the risk, subject to separate underwriting Id. §14.e. 6 criteria. Id. Section I, Coverage B, §1.a. 7 See, e.g., Owners Ins. Co. v. European Auto Works, Inc., 695 F.3d 814 (8th Cir. 8 2012); Park University Enterprises, Inc. v. American Cas. Co. Of Reading, PA, 442 In the end, before a cybersecurity or privacy incident, F.3d 1239 (10th Cir. 2006) (Kansas law); Columbia Cas. Co. v. HIAR Holding, L.L.C. --- S.W.3d ----, 2013 WL 4080770 (Mo. Aug. 13, 2013). companies should take the opportunity to carefully See, e.g., Pietras v. Sentry Ins. Co., 2007 WL 715759 (N.D.Ill. Mar. 6, 2007). 9 evaluate and address their risk profile, potential exposure See, e.g., Creative Hosp. Ventures, Inc. v. U.S. Liab. Ins. Co., 655 F.Supp.2d 1316 10 (S.D.Fla. 2009). to cyber and privacy risks, their risk tolerance, the See, e.g., Netscape Commc’ns Corp. v. Federal Ins. Co., 343 Fed.Appx. 271 (9th 11 sufficiency of their existing insurance coverage, and the Cir. 2009). potential role of specialized cyber risk coverage. (N.D.Cal. Jan. 20, 2005). See, e.g., LensCrafters, Inc. v. Liberty Mut. Fire Ins. Co., 2005 WL 146896 12 See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D.Cal. 13 Oct. 7, 2013). See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D.Cal. 14 Oct. 7, 2013). Index Number: 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014) 15 7 Our Mission To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management Our Goal To be the best place to do business and to work www.lockton.com © 2014 Lockton, Inc. All rights reserved. Images © 2014 Thinkstock. All rights reserved.
© Copyright 2024