Insights
Publications

Data Security Breach Liability: Is Your Business Covered?

9/26/2016 Articles

Insurers and their policyholders have been playing a game of tug-of-war over whether lawsuits arising out of data security breaches trigger a duty to defend under commercial general liability (CGL) insurance policies. The insurers seemed to have some momentum in arguing that a data security breach does not involve the "publication" required by CGL policies' "personal and advertising injury" coverage grant. But policyholders have won a couple of significant victories on this point, including the most recent one. Policyholders should not allow success in those battles to lull them into believing that they've won the tug-of-war, though. The outcome of any coverage dispute in this area is highly fact-dependent, and many insurers are adding exclusions to their policies to eliminate the possibility of coverage for these claims altogether.

 

Most CGL policies cover damages for "personal and advertising injury" arising out of any one of a number of defined "offenses." The offense most often at issue in litigation arising out of a data security breach is the "oral or written publication, in any manner, of material that violates a person's right of privacy."

 

You might think that a data security breach that results in the posting of someone's private information on the internet would fall within this formulation. And you would be right, in some instances. The two cases in which courts have found a duty to defend involved facts of this type.

 

In Hartford Casualty Insurance v. Corcino (Oct. 7, 2013, C.D. Cal.), an employment applicant was given private medical records and instructed to perform operations on the data as part of the job interview. Later, 20,000 of the private medical records found their way onto the internet. A lawsuit alleging violation of privacy claims naturally ensued, as did a coverage lawsuit over whether a CGL insurer had to defend the prospective employer in the underlying litigation. It was effectively undisputed that the prospective employer had caused a "publication" of the records by providing them to the applicant, even though the applicant, not the employer, posted them on the internet. And the court ruled that an exclusion barring coverage for statutory liability did not eliminate the insurer's duty to defend, because the plaintiffs also asserted common law privacy violation claims. The court held that the insurer had a duty to defend.

 

The U.S. Court of Appeals for the Fourth Circuit most recently addressed this issue, and was the first federal circuit court to rule that similar facts supported the conclusion that there was a "publication." In (Fourth Circuit, April 11, 2016), the policyholder Travelers Indemnity v. Portal Healthcare Solutions allegedly allowed private medical records to remain on an unsecured server and available for viewing by anyone through the internet for more than four months. The general liability policy covered damages because of injury arising from the "electronic publication of material that … gives unreasonable publicity to a person's private life" or "discloses information about a person's private life." The district court ruled that the insurer had a duty to defend, rejecting the insurer's argument that, to qualify as a "publication," the policyholder must have intended to communicate the data to third parties and that there must be some proof that third parties viewed it. The Fourth Circuit agreed, finding that, like a book on the shelf of a bookstore, no one need actually read it for there to be a "publication."

 

But courts facing facts with less clarity as to who had access to the stolen data have found that there is no duty to defend. In perhaps the most widely followed of decisions in this area, a New York state trial court judge ruled that there was no "publication" where a hacker stole data, and there was no evidence that the hacker distributed the information more broadly. Zurich American Insurance v. Sony (Supreme Court of the State of New York, App. Div., 1st Dept). The question in that case was essentially whether violation of privacy offense coverage applies to the allegedly negligent failure to protect a person's private information that results in its disclosure by a third party. The insurer argued that the insured had to commit an affirmative act in furtherance of the disclosure. The insured countered that "publication in any manner" encompassed a policyholder's negligent failure to protect data from a hacker. The court agreed with the insurer, reasoning that "in any manner" only applies to the means by which, not the party by whom, the publication is made.

 

Highlighting the fact-specific nature of this issue, the Connecticut Supreme Court ruled that an insurer did not have a duty to defend a policyholder in an action arising out of the loss of tapes containing data. Recall Total Info. Management v. Federal Insurance, 317 Conn. 46, (2015). That case involved an unusual scenario in which physical tapes containing data fell out of a truck while being transported. The tapes were never recovered; it was unclear who got hold of them, and rare technology was required to access the data on the tapes. The court affirmed the lower courts' rulings that the loss of the tapes, without more and particularly in light of the fact that the data on the tapes was inaccessible without special technology, did not constitute a "publication."

 

To head off policyholders' attempts to get a defense in data breach litigation, insurers have started adding exclusions to their policies that bar coverage for events involving the loss of data. One ISO endorsement (Form CG 21 06 05 14) eliminates coverage for damages "arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information." In some instances, this exclusion will include an exception that restores limited coverage for certain events resulting in "bodily injury." However, the exclusion purports to eliminate coverage for which the policyholders argued in the cases described above.

 

Policyholders should always consider the potential for coverage under their CGL policies if they suffer a data security breach. However, as the cases described above demonstrate, coverage is highly fact-dependent and subject to interpretation by the courts even in the absence of a data-related exclusion. The addition of such an exclusion narrows the policyholder's options.

 

As a result, policyholders should carefully consider their insurance programs and the unique risks that their businesses face in light of their own computer systems, third-party computer systems on which they rely and the data they collect and/or hold. They should consider whether technology errors and omissions liability or cyberinsurance would more effectively address their risks. With the help of their insurance brokers and counsel, companies can negotiate and tailor those policies to their risks and exposures relating to computer systems, personally identifiable information and confidential third-party business information. Some businesses may choose to rely exclusively on their CGL policies for protection against data breach lawsuits. But that decision should be made deliberately after understanding all the risks and options.

 

Reprinted with permission from the September 26, 2016 issue of Corporate Counsel. © 2016 ALM Media Properties, LLC. Further duplication without permission is prohibited.  All rights reserved. 

Firm Highlights

Publication

Disputes Between Shareholders May Not Be Governed by Fiduciary Duties but Could Be Covered by Insurance

(As published in Private Company Director ) Disputes regarding ownership interests often arise in the context of closely held corporations, particularly when directors, officers, or majority shareholders sell or acquire ownership interests in the...

Read More
Event

AI and Privacy: What Every Company Needs to Do Today

Sushila Chanana and Benjamin Buchwalter will discuss "AI and Privacy: What Every Company Needs to Do Today' at the ACC 2024 Privacy Summit.  This session will introduce basics of AI governance, such as ownership...

Read More
Publication

Court Reinstates CPPA Enforcement Authority and Confirms No Delay Necessary for Enforcement of Future CCPA Regulations

A recent appellate decision has made clear that the regulations promulgated under California’s groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)), are ripe...

Read More
Publication

Insurance Market Crushes Wineries and Wine Country Homeowners

We keep hearing about how difficult it is for winery and vineyard owners to get property insurance these days, both for their homes and their wine businesses in California’s wildfire-prone areas. Those who have...

Read More
Publication

Reporting Dispute Claims Within Closely Held Wineries

Many wineries operate as closely held companies, meaning they’re owned by an individual or small group of shareholders, who are often members of the same family. Disputes regarding ownership interests can arise, particularly when directors...

Read More
News

Farella Braun + Martel Earns 2024 Best Law Firms® Rankings

Read More
Publication

Regulatory Changes Underway To Address Dwindling California Property Insurance Market

We keep hearing about how difficult it is for our clients to get property insurance these days, both for homes and businesses in Northern California’s wildfire-prone areas. Which, of course, is most of Northern...

Read More
Publication

When Can an Insurer Pursue a Malpractice Claim Against Defense Counsel Retained for an Insured? (Part Two)

By Jalen M. Brown, Kristin Davis, Shanti Eagle, Peter J. Georgiton, and J. Mark Hart Part 1 of our two-part article addressed the circumstances in which an insurer can directly pursue malpractice claims against...

Read More
Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
Publication

When Can an Insurer Pursue a Malpractice Claim Against Defense Counsel Retained for an Insured? (Part One)

By Jalen M. Brown, Kristin Davis, Shanti Eagle, PeterJ. Georgiton, and John Mark Hart When an insurer accepts an insured’s tender and agrees to provide a defense, it is often an afterthought as to whether...

Read More