Data Security Breach Liability: Is Your Business Covered?
Insurers and their policyholders have been playing a game of tug-of-war over whether lawsuits arising out of data security breaches trigger a duty to defend under commercial general liability (CGL) insurance policies. The insurers seemed to have some momentum in arguing that a data security breach does not involve the "publication" required by CGL policies' "personal and advertising injury" coverage grant. But policyholders have won a couple of significant victories on this point, including the most recent one. Policyholders should not allow success in those battles to lull them into believing that they've won the tug-of-war, though. The outcome of any coverage dispute in this area is highly fact-dependent, and many insurers are adding exclusions to their policies to eliminate the possibility of coverage for these claims altogether.
Most CGL policies cover damages for "personal and advertising injury" arising out of any one of a number of defined "offenses." The offense most often at issue in litigation arising out of a data security breach is the "oral or written publication, in any manner, of material that violates a person's right of privacy."
You might think that a data security breach that results in the posting of someone's private information on the internet would fall within this formulation. And you would be right, in some instances. The two cases in which courts have found a duty to defend involved facts of this type.
In Hartford Casualty Insurance v. Corcino (Oct. 7, 2013, C.D. Cal.), an employment applicant was given private medical records and instructed to perform operations on the data as part of the job interview. Later, 20,000 of the private medical records found their way onto the internet. A lawsuit alleging violation of privacy claims naturally ensued, as did a coverage lawsuit over whether a CGL insurer had to defend the prospective employer in the underlying litigation. It was effectively undisputed that the prospective employer had caused a "publication" of the records by providing them to the applicant, even though the applicant, not the employer, posted them on the internet. And the court ruled that an exclusion barring coverage for statutory liability did not eliminate the insurer's duty to defend, because the plaintiffs also asserted common law privacy violation claims. The court held that the insurer had a duty to defend.
The U.S. Court of Appeals for the Fourth Circuit most recently addressed this issue, and was the first federal circuit court to rule that similar facts supported the conclusion that there was a "publication." In Travelers Indemnity v. Portal Healthcare Solutions (Fourth Circuit, April 11, 2016), the policyholder allegedly allowed private medical records to remain on an unsecured server and available for viewing by anyone through the internet for more than four months. The general liability policy covered damages because of injury arising from the "electronic publication of material that … gives unreasonable publicity to a person's private life" or "discloses information about a person's private life." The district court ruled that the insurer had a duty to defend, rejecting the insurer's argument that, to qualify as a "publication," the policyholder must have intended to communicate the data to third parties and that there must be some proof that third parties viewed it. The Fourth Circuit agreed, finding that, like a book on the shelf of a bookstore, no one need actually read it for there to be a "publication."
But courts facing facts with less clarity as to who had access to the stolen data have found that there is no duty to defend. In perhaps the most widely followed decision in this area, a New York state trial court judge ruled that there was no "publication" where a hacker stole data and there was no evidence that the hacker distributed the information more broadly. Zurich American Insurance v. Sony (Supreme Court of the State of New York, App. Div., 1st Dept). The question in that case was essentially whether violation of privacy offense coverage applies to the allegedly negligent failure to protect a person's private information that results in its disclosure by a third party. The insurer argued that the insured had to commit an affirmative act in furtherance of the disclosure. The insured countered that "publication in any manner" encompassed a policyholder's negligent failure to protect data from a hacker. The court agreed with the insurer, reasoning that "in any manner" applies only to the means by which, not the party by whom, the publication is made.
Highlighting the fact-specific nature of this issue, the Connecticut Supreme Court ruled that an insurer did not have a duty to defend a policyholder in an action arising out of the loss of tapes containing data. Recall Total Info. Management v. Federal Insurance, 317 Conn. 46 (2015). That case involved an unusual scenario in which physical tapes containing data fell out of a truck while being transported. The tapes were never recovered; it was unclear who got hold of them, and rare technology was required to access the data on the tapes. The court affirmed the lower courts' rulings that the loss of the tapes, without more and particularly in light of the fact that the data on the tapes was inaccessible without special technology, did not constitute a "publication."
To head off policyholders' attempts to get a defense in data breach litigation, insurers have started adding exclusions to their policies that bar coverage for events involving the loss of data. One ISO endorsement (Form CG 21 06 05 14) eliminates coverage for damages "arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information." In some instances, this exclusion will include an exception that restores limited coverage for certain events resulting in "bodily injury." However, the exclusion purports to eliminate the very coverage for which the policyholders argued in the cases described above.
Policyholders should always consider the potential for coverage under their CGL policies if they suffer a data security breach. However, as the cases described above demonstrate, coverage is highly fact-dependent and subject to interpretation by the courts even in the absence of a data-related exclusion. The addition of such an exclusion narrows the policyholder's options.
As a result, policyholders should carefully consider their insurance programs and the unique risks that their businesses face in light of their own computer systems, third-party computer systems on which they rely and the data they collect and/or hold. They should consider whether technology errors and omissions liability or cyberinsurance would more effectively address their risks. With the help of their insurance brokers and counsel, companies can negotiate and tailor those policies to their risks and exposures relating to computer systems, personally identifiable information and confidential third-party business information. Some businesses may choose to rely exclusively on their CGL policies for protection against data breach lawsuits. But that decision should be made deliberately after understanding all the risks and options.
Reprinted with permission from the September 26, 2016 issue of Corporate Counsel. © 2016 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.