Why Buy Cyber and Privacy Liability Commercial General Liability Program?

Why Buy Cyber and Privacy Liability
When You Have a Perfectly Good
Commercial General Liability
Program?
July 2014 • Lockton ® Companies
Cyber and Privacy Liability insurance programs have grown
MICHAL GNATEK
Vice President
Aerospace & Defense
202.414.2662
mgnatek@lockton.com
in popularity and market share over the past decade as
insureds and insurers alike grapple with the mercurial
risks associated with interconnected business and supply
chain dependency, a dramatic escalation of increasingly
sophisticated cyber attacks, and a proliferation of data
ROBERTA D. ANDERSON
Insurance Coverage and Cyber Law
and Cyber Security Partner
K&L Gates LLP
privacy laws and regulations.
An industry known for embracing paper and shunning change,
the property and casualty insurance market struggles to keep pace
with the modern business world, which is full of personally owned
mobile and other portable devices, and concepts such as advanced
persistent threats (APTs), the “Internet of Things”and the “cloud.”
While insurance companies are known for creating bespoke
policies to address new risks not initially contemplated within the
confines of traditional property and liability policies (see Y2K,
Environmental Legal Liability, and Employment Practices Liability),
insureds are within their right to see how those current programs
address twenty-first-century risks.
If only one of Target, Snapchat, Facebook, Google, Twitter, Yahoo!,
Adobe, and so on and so forth, had suffered a serious data breach
within the last few months that would be sufficiently troubling. Yet
data breaches have become so ubiquitous that a single week (if not
L
O
C
K
T
O
N
C
O
M
P
A
N
I
E
S
The time to consider insurance coverage for data breaches and other
cybersecurity risks is before an organization becomes the next Target.
days) without one hitting the headlines seems almost
purposes of this paper in this regard is the difference
strange. By now every organization should appreciate
between “Cybersecurity” or “Network Security Liability”
that—no matter how robust and sophisticated its
and “Privacy.” Although there can be substantial
network security is—it remains a vulnerable target
overlap between and among these concepts as they
for cybersecurity breaches and the host of negative
typically are understood in the industry, this paper will
consequences that typically follow, including class
focus on those risks associated purely with Privacy
action lawsuits (so far, dozens of suits have been filed
risks, or the “unauthorized access, collection, use or
against Target), substantial breach notification costs,
disclosure of personal information.”1 Therefore, we
and other “crisis management” expenses, including
will not be covering those issues related to Cyber
forensic investigation, credit monitoring, call centers, and
Liability or “breach-related expenses, including forensic
public relations efforts, as well as potential regulatory
investigations, outside counsel fees, crisis management
investigations, fines, and penalties. Insurance can play
services, public relations experts, breach notification,
a critical role in addressing cybersecurity risks. But the
and call center costs.”2 This paper will also not be
time to consider insurance coverage for data breaches
addressing the recent first-party bodily injury, property
and other cybersecurity risks is before an organization
damage, and business interruption coverage associated
becomes the next Target.
with the damage attributable to unauthorized access of
operational technology (SCADA systems).
This paper will briefly look at how an organization’s
Commercial General Liability—specifically, the Personal
and Advertising Injury coverage—may currently
addresses Privacy risks. An important distinction for
2
1
International Association of Privacy Professionals,
https://www.privacyassociation.org
2
Ibid.
July 2014 • Lockton Companies
Coverage Grant
The “Personal And Advertising Injury” Coverage Grant
We will first summarize and set forth the current industry
reads as follows in the current standard form CGL
standard form key coverage grant, definitions, and
policy:
exclusions. We will then discuss the recent Sony decision
COVERAGE B—PERSONAL AND ADVERTISING
and the new 2014 industry form exclusionary endorsements
INJURY LIABILITY
targeted at eliminating coverage for data breaches under
1. Insuring Agreement
standard-form CGL coverage.
a. We will pay those sums that the insured becomes
Current Standard Form CGL Coverage
legally obligated to pay as damages because of
“personal and advertising injury” to which this
The Coverage B “Personal And Advertising Injury
insurance applies. We will have the right and duty
Liability” coverage section of the current standard-form
to defend the insured against any “suit” seeking
Insurance Services Office, Inc. (ISO)3 CGL policy states
those damages. However, we will have no duty
to defend the insured against any “suit” seeking
that the insurer “will pay those sums that the insured
damages for “personal and advertising injury” to
becomes legally obligated to pay as damages because of
which this insurance does not apply. We may, at
‘personal and advertising injury,’4 which is caused by an
our discretion, investigate any offense and settle
offense arising out of [the insured’s] business.” “Personal
5
any claim or “suit” that may result. But:
and advertising injury” is defined in the ISO standard-
(1) The amount we will pay for damages is limited as
form policy to include a list of specifically enumerated
described in Section III—Limits Of Insurance; and
offenses, which include the “offense” of “[o]ral or written
(2) Our right and duty to defend end when we
publication, in any manner, of material that violates a
have used up the applicable limit of insurance in
person’s right of privacy.”6 The policy further states that the
the payment of judgments or settlements under
insurer “will have the right and duty to defend the insured
Coverages A or B or medical expenses under
against any ‘suit.’” The CGL Coverage B can indemnify
Coverage C.
and provide a defense against a wide variety of claims,
No other obligation or liability to pay sums or perform
including claims alleging violation of privacy rights, such as
acts or services is covered unless explicitly provided
data breach cases.
for under Supplementary Payments—Coverages A
7
and B.
b. This insurance applies to “personal and advertising
injury” caused by an offense arising out of your
business but only if the offense was committed in
Coverage disputes have generally focused on
the “coverage territory” during the policy period.
whether there has been a “publication” that violates
the claimant’s “right of privacy”—both terms are left
undefined in standard-form ISO policies.
3
“Personal And Advertising Injury”
Definition
The key definition—“Personal and advertising injury”
Coverage disputes have generally focused on whether
reads as follows in the current standard form CGL
there has been a “publication” that violates the claimant’s
policy:
“right of privacy”—both terms are left undefined in
SECTION V—DEFINITIONS
standard-form ISO policies. Courts generally (although
*****
certainly not universally) have construed the language
favorably to insureds and have found coverage for a wide
14.“ Personal and advertising injury” means injury,
variety of claims alleging breach of privacy laws and
including consequential “bodily injury,” arising out
regulations, including, for example, in respect of claims
of one or more of the following offenses:
alleging violations of the Telephone Consumer Protection
a. False arrest, detention or imprisonment;
Act (TCPA),8 claims alleging violations of the Fair Credit
b. Malicious prosecution;
Reporting Act (FCRA),9 claims alleging violations of the
c. The wrongful eviction from, wrongful entry into,
Fair and Accurate Credit Transactions Act (FACTA),10
or invasion of the right of private occupancy
claims alleging violations of the Electronic Communications
of a room, dwelling, or premises that a person
Privacy Act and the Computer Fraud and Abuse Act,11
occupies, committed by or on behalf of its owner,
claims alleging violations of the California Confidentiality
landlord, or lessor;
of Medical Information Act (CMIA),12 and claims alleging
d. Oral or written publication, in any manner,
violations of the California Lanterman-Petris-Short Act.13
of material that slanders or libels a person
Courts have found in favor of coverage in data breach
or organization or disparages a person’s or
cases,14 although the recent decision in Zurich American
organization’s goods, products or services;
Insurance Co. v. Sony Corp. of America et al.15 highlights the
e. Oral or written publication, in any manner, of
issues that insureds may face in obtaining coverage for data
material that violates a person’s right of privacy;
breaches under CGL policies.
f. The use of another’s advertising idea in your
We set forth in more detail the key “Personal And
“advertisement”; or
Advertising Injury Liability” coverage terms, including the
g. Infringing upon another’s copyright, trade dress
coverage grant, key definition, and certain noteworthy
or slogan in your “advertisement”.
potential exclusions that currently are in the main standard
industry form.
4
July 2014 • Lockton Companies
New ISO CGL Exclusions
Last Fall, ISO filed a number of data breach exclusionary
Zurich v. Sony
endorsements for use with its standard-form
Arguably the most visible legal case surrounding the
endorsements became effective in most states in May
primary, excess, and umbrella CGL policies. The new
applicability of the CGL Personal and Advertising
2014.
Injury coverage to claims alleging data breach came
The language applicable to Coverage B, Personal And
about because of Sony’s massive 2011 PlayStation data
Advertising Injury reads:
breach. Zurich American and Mitsui Sumitomo had
This insurance does not apply to:
issued primary CGL policies to Sony. In April 2011,
hackers broke into Sony networks and stole personal
Access Or Disclosure Of Confidential Or Personal
and financial information of more than 100 million
Information
users.
“Personal and advertising injury” arising out of any
access to or disclosure of any person’s or organization’s
Sony was named as a defendant in numerous class
confidential or personal information, including patents,
actions immediately following the breach. Mitsui
trade secrets, processing methods, customer lists,
financial information, credit card information, health
denied coverage and Zurich responded by filing a
information, or any other type of nonpublic information.
declaratory relief action seeking a declaration that
This exclusion applies even if damages are claimed for
Zurich had no duty to defend.
notification costs, credit monitoring expenses, forensic
expenses, public relations expenses, or any other loss,
At issue in the case is whether Sony or the hackers
cost, or expense incurred by you or others arising
were responsible for the actual “publication” of the
out of any access to or disclosure of any person’s or
personally identifiable information (PII). A New
organization’s confidential or personal information.
York court recently held that there was no coverage,
Even before the recent 2014 data breach exclusions
essentially because it was the perpetrators of the
were introduced, as part of its April 2013 revisions to
breach who ultimately “published” the private
the CGL policy forms, ISO introduced an endorsement,
information, rather than Sony itself. Legal experts
entitled “Amendment Of Personal And Advertising Injury
Definition,” which entirely eliminates the key definition
have argued both in favor of and against the court’s
(i.e., “[o]ral or written publication, in any manner, of
decision, arguing, among other things, that the trigger
material that violates a person’s right of privacy”) that
for the Personal and Advertising Injury coverage
is the “hook” for the data breach coverage under CGL
must be an affirmative act by Sony or conversely, that
Coverage B (found at Paragraph 14.e of the Definitions
coverage is triggered to the extent Sony has liability.
section of Coverage B). The endorsement states:
With respect to Coverage B Personal And Advertising
The case is currently under appeal and its final
Injury Liability, Paragraph 14.e. of the Definitions section
decision will potentially be an indicator of how
does not apply.
insurers and courts will view data breach coverage
under the Personal and Advertising Injury coverage.
5
Noteworthy Potential Exclusions
Casualty Insurance Company v. Corcino & Associates et al .,
the insurer denied coverage for a hospital data breach that
The ISO standard form 2001 and later policies contain three
compromised the records of nearly 20,000 patients under an
exclusions expressly relating to internet activities:
exclusion for Personal and advertising injury “[a] rising out
of the violation of a person’s right to privacy created by any
2. Exclusions
state or federal act.” At the moment, there are approximately
48 out of 50 states in the U.S.A. that have their own privacy
This insurance does not apply to:
regulations and statutes. A claim alleging violation of these
*****
or any other privacy regulation could be viewed as potentially
subject to that exclusion.
j. Insureds In Media And Internet Type Businesses
In addition, 2007 and later ISO forms contain an exclusion
“Personal and advertising injury” committed by an insured
for privacy-related laws, including the TCPA, which is
whose business is:
applicable to Coverage B. The current 2013 industry form
(1) Advertising, broadcasting, publishing, or telecasting;
contains the following exclusion:
(2) Designing or determining content of web sites for
2. Exclusions
others; or
This insurance does not apply to:
(3) An Internet search, access, content, or service provider.
*****
However, this exclusion does not apply to Paragraphs 14.a.,
p. Recording And Distribution Of Material Or Information
b. and c. of “personal and advertising injury” under the
In Violation Of Law
Definitions section.
“Personal and advertising injury” arising directly or indirectly
For the purposes of this exclusion, the placing of frames,
out of any action or omission that violates or is alleged
borders, or links, or advertising, for you or others anywhere
to violate:
on the Internet, is not by itself, considered the business of
advertising, broadcasting, publishing, or telecasting.
(1) The Telephone Consumer Protection Act (TCPA),
including any amendment of or addition to such law;
k. Electronic Chat Rooms Or Bulletin Boards
(2) The CAN-SPAM Act of 2003, including any amendment
“Personal and advertising injury” arising out of an electronic
of or addition to such law;
chat room or bulletin board the insured hosts, owns, or over
which the insured exercises control.
(3) The Fair Credit Reporting Act (FCRA), and any
amendment of or addition to such law, including the Fair
l. Unauthorized Use Of Another’s Name Or Product
and Accurate Credit Transactions Act (FACTA); or
“Personal and advertising injury” arising out of the
unauthorized use of another’s name or product in your e-mail
address, domain name, or metatag, or any other similar
(4) Any federal, state or local statute, ordinance or
regulation, other than the TCPA, CAN-SPAM Act of
2003 or FCRA and their amendments and additions,
tactics to mislead another’s potential customers.
that addresses, prohibits, or limits the printing,
Insurers have argued that exclusions that are the same as
dissemination, disposal, collecting, recording, sending,
or similar to the first exclusion bar coverage for data breach
transmitting, communicating, or distribution of material
claims alleging statutory violations. For example, in Hartford
or information.
6
July 2014 • Lockton Companies
In the meantime, however, the decision underscores the
difficulties that insureds can face in pursing data breach
coverage under their traditional CGL policies.
Although this endorsement appears to have quietly flown
in under the radar, it in reality is even more sweeping than
the 2014 data breach exclusionary endorsements because it
entirely eliminates coverage in the first instance.
Conclusion
Over the years, the Commercial General Liability policy
has been the proverbial “catch all” for claims subsequently
determined to be outside the intent and scope of the
underwriters. Past examples have included Pollution
Liability, Asbestos, Employment Practices Liability, and
Professional Liability. Cyber and Privacy Liability may
well be heading in the same direction. Insurers are stating
publicly that this exposure was never contemplated
when the policy language was drafted. And, of course,
cybersecurity and privacy liability has recently risen to
ISO is an insurance industry organization whose role is to develop standard
3
insurance policy forms and to have those forms approved by state insurance
potentially catastrophic levels of potential liability (e.g.,
commissioners.
Target). Insurers therefore are increasingly seeking to
ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.
4
Id. §1.b.
5
separately insure the risk, subject to separate underwriting
Id. §14.e.
6
criteria.
Id. Section I, Coverage B, §1.a.
7
See, e.g., Owners Ins. Co. v. European Auto Works, Inc., 695 F.3d 814 (8th Cir.
8
2012); Park University Enterprises, Inc. v. American Cas. Co. Of Reading, PA, 442
In the end, before a cybersecurity or privacy incident,
F.3d 1239 (10th Cir. 2006) (Kansas law); Columbia Cas. Co. v. HIAR Holding, L.L.C.
--- S.W.3d ----, 2013 WL 4080770 (Mo. Aug. 13, 2013).
companies should take the opportunity to carefully
See, e.g., Pietras v. Sentry Ins. Co., 2007 WL 715759 (N.D.Ill. Mar. 6, 2007).
9
evaluate and address their risk profile, potential exposure
See, e.g., Creative Hosp. Ventures, Inc. v. U.S. Liab. Ins. Co., 655 F.Supp.2d 1316
10
(S.D.Fla. 2009).
to cyber and privacy risks, their risk tolerance, the
See, e.g., Netscape Commc’ns Corp. v. Federal Ins. Co., 343 Fed.Appx. 271 (9th
11
sufficiency of their existing insurance coverage, and the
Cir. 2009).
potential role of specialized cyber risk coverage.
(N.D.Cal. Jan. 20, 2005).
See, e.g., LensCrafters, Inc. v. Liberty Mut. Fire Ins. Co., 2005 WL 146896
12
See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D.Cal.
13
Oct. 7, 2013).
See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs., 2013 WL 5687527 (C.D.Cal.
14
Oct. 7, 2013).
Index Number: 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014)
15
7
Our Mission
To be the worldwide value and service leader in
insurance brokerage, employee benefits, and risk management
Our Goal
To be the best place to do business and to work
www.lockton.com
© 2014 Lockton, Inc. All rights reserved.
Images © 2014 Thinkstock. All rights reserved.