I am sure you have all heard or read about some large-scale “cyber attacks” over the past several years. Whether it be the attack on Target, where numerous individuals’ personal data was “hacked” several years ago, or the more recent attacks on health insurers such as Premera Blue Cross and Anthem, in each situation hackers gained access to a business’ computer network and may have obtained consumers’ names, dates of birth, Social Security numbers, mailing and email addresses, phone numbers and/or bank account information. Although the news generally reports on the large-scale cyber attacks, the threat of cyber attacks is something that small businesses face as well. In essence, any business that stores consumer or client data can face the potential of being “hacked.”
While there are many technological ways a business can try to protect itself against the risk of cyber attacks, such as hiring a firm specializing in data security to put safeguards in place, one thing that any business can do to protect itself is to make sure it has insurance coverage that protects against such risks. Although cyber insurance is a relatively new product, insurance companies have begun to offer cyber insurance policies. Unfortunately, because the product is relatively new, insurers are still working out the kinks in their policy language. Some of the stand-alone cyber insurance policies I have reviewed exclude coverage for losses covered by traditional policies, such as claims relating to bodily injury and property damage. When these policies cover such losses and claims, the scope of the coverage is often limited and/or subject to sub-limits. So what should insured businesses do when a cyber attack triggers a traditional loss (i.e., where the cause of loss is a cyber attack that causes: (1) a third party to sue an insured, or (2) property damage)?
In addition to purchasing cyber insurance policies, insured businesses should also try to look to their “traditional” insurance policies (such as property, general liability and errors and omissions liability insurance policies) to see if they provide any coverage for cyber attacks. I raise this issue with a caveat: some insurers issuing traditional policies have begun to add language to new policies that seeks to eliminate coverage for cyber attacks. As an example, as of May 1, 2014, the Insurance Services Office, Inc. (ISO) began using a new endorsement that excludes data breach liability. The endorsement, entitled “Exclusion-Access or Disclosure of Confidential or Personal Information and Data-related liability-with limited bodily injury exception,” means that insurers using ISO form CGL policies issued after May 1, 2014 will not cover claims arising from a breach of data that leads to confidential or personal information leaks.1 However, not all insurers use ISO forms, and insurers’ practices in this ever-changing landscape are far from uniform. Consequently, it is important to treat each insurance policy differently, and to read each policy carefully.
CGL policies have traditionally covered claims arising from the “publication of material that violates a person’s right of privacy.” This coverage is found in the privacy clause, which is part of the Personal and Advertising Injury section of standard CGL forms. In this context (and even when there is no cyber exclusion in the policy), insurers nonetheless have tried to deny claims. Insurers have tried to argue that the phrase “publication in any manner” is limited to certain types of disclosures involving affirmative statements to the public at large. Insurers have also argued that the disclosure of private data in a cyber attack is a publication by the hackers, not by the policyholder, and therefore coverage under the privacy clause is not triggered. Moreover, as the number of cyber attacks and cyber insurance policies being issued has increased, some insurers have begun routinely denying data breach claims under CGL policies, taking the position that these policies were “not meant to cover” such claims.
A recent decision by the 4th Circuit Court of Appeals in Travelers Indemnity Company of America v. Portal Healthcare Solutions,2 demonstrates how certain CGL policies may still provide coverage for cyber attacks. This decision highlights why insured businesses should try to make “cyber claims” under traditional insurance policies if their policy lends itself to a reasonable interpretation that there might be coverage. In Portal Healthcare, the 4th Circuit found that a CGL policy covered the cost of defending data breach claims that allege the disclosure of private information. The case involved allegations against Portal Healthcare for negligently allowing confidential patient medical data to be posted on the Internet, where it could be accessed by a simple Internet search. The CGL policies provided coverage for “electronic publication of material that … gives unreasonable publicity to a person’s private life (or) discloses information about a person’s private life.”
The trial court ruled that private patient information was “published” when it became accessible to unauthorized third parties via the Internet. The court held it did not matter whether the policyholder intended to make the material public or whether anyone actually viewed it. The 4th Circuit Court of Appeals adopted and agreed with the trial court’s analysis and held that Travelers had a duty to defend its policyholder under the CGL policy at issue.
The Travelers case could affect how the courts analyze policyholder data breach claims (especially under those CGL insurance policies that have yet to incorporate data breach exclusions). While the Travelers case is a win for policyholders, and although some traditional insurance policies may provide coverage for cyber claims, insured businesses would be smart to review the cyber insurance options that are available on the market to make sure they have the right coverage (based on the individual business’ needs) in place.
1 For further discussion on the 2014 ISO exclusion see Commercial General Liability Policies – Now Cyber Liability Stands Alone.
2 Travelers Indem. Co. of Am. v. Portal Healthcare Sols., L.L.C., No. 14-1944, 2016 WL 1399517, at *1 (4th Cir. Apr. 11, 2016).