• Atlanta
• Boston
• Dallas
• Ft. Lauderdale
• London
• Minneapolis
• New York
• Oakland
• Philadelphia
• Washington, DC

By José M. Umbert
To view this article in PDF format, please click here. 

Although specific cyber risk insurance policies are becoming increasingly common, claims related to data breaches continue to be submitted under commercial general liability policies. Some recent decisions addressing these claims provide helpful guidance for practitioners in this area.

It is well known that over the last few years, there has been a significant increase of data breaches, that is, incidents compromising the security of data stored electronically by an organization. This has been accompanied by the development and growth of specialty cyber insurance products specifically designed to address these, and other, cyber-related risks confronting businesses today.

Notwithstanding the expansion of cyber risk insurance, policyholders continue to submit claims arising out of data breaches under their traditional CGL policies. This is due to a variety of reasons, including that the agreed-upon limits of liability under the insured’s cyber risk policy turn out to be insufficient to cover the losses resulting from the data breach; an exclusion or other provision precludes or limits coverage for the particular claim; or the company simply did not purchase cyber liability coverage.

Therefore, CGL policies continue to play a significant role in ascertaining the scope of coverage available for third-party claims arising out of data breaches. Indeed, some recent, high-profile coverage disputes in this area have involved claims brought by large corporate policyholders seeking coverage under the “personal and advertising injury” provisions of their CGL policies for the class action and other claims brought against them after computer hackers stole their customers’ personal information.

In analyzing the legal issues involved in these types of claims, several recent court decisions involving claims brought under a CGL policy for the insured’s alleged liability for the loss or misappropriation of the claimant’s electronic data may be relevant to practitioners as this is often the basis of at least some of the claims asserted against companies affected by a data breach.

A critical issue in these cases is whether the third-party claims against the insured involve physical injury to, or loss of use of, “tangible property” so as to trigger coverage under the “property damage” section of the CGL policy. Several recent decisions have concluded that electronic data, such as a third party’s customers’ email addresses, employees’ personal information and even electronic funds in a bank account, do not constitute tangible property and therefore fall outside the scope of this coverage grant.[1] Some of the CGL policies at issue in these decisions expressly excluded electronic data from the definition of “property damage.”

However, in contrast, another court held that where the loss alleged in the underlying lawsuit involves the medium on which data was stored (in that case, a CD-ROM containing third parties’ personal information), there is a potentially covered claim for “property damage” under a CGL policy.[2]

It should be noted that even if the coverage for “property damage” is potentially triggered, other provisions in the policy may apply to limit or preclude coverage. Indeed, in this same case, the Seventh Circuit affirmed summary judgment for the insurer on the ground that the exclusion for property “in care of” the insured applied to the insured’s loss of the CD-ROM, thus barring any recovery under the insured’s CGL policy.[3]

Policyholders may also seek coverage for data-breach losses under the “personal or advertising injury” coverage parts of standard CGL policies. With respect to a claim against an insured for loss or disclosure of third parties’ personal information, the relevant insuring clause is the coverage grant for alleged injuries arising out of the “publication of material that violates a person’s right of privacy.”

Coverage for such claims may depend on the interpretation given to the term “publication” in the relevant jurisdiction. As recent decisions show, in some states, a “publication” requires dissemination of the personal information to the general public,[4] and in others, there must be a communication to a third party.[5]

Other courts, however, have taken a more expansive view of the term “publication.” The choice-of-law issue may thus be outcome-determinative in these types of claims.

Case law involving liability insurance coverage for claims arising out of electronic data breaches continues to develop. The decisions mentioned in this article signal some important issues and trends, which practitioners in this area need to consider when analyzing these types of claims.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] See Liberty Corporate Capital Ltd. v. Security Safe Outlet Inc. (E.D. Ky. Mar. 27, 2013); Recall Total Info. Mgmt., Inc. v. Federal Ins. Co. (Conn. Super. Ct. Jan. 17, 2012); Carlon Co. v. Delaget, LLC (W.D. Wis. May 21, 2012).

[2] Nationwide Ins. Co. v. Hentz (S.D. Ill. Mar. 6, 2012).

[3] Nationwide Ins. Co. v. Central Laborers’ Pension Fund, 704 F.3d 522, 525-26 (7th Cir. 2013).

[4] Creative Hospitality Ventures, Inc. v. U.S. Liab. Ins. Co., 444 Fed.Appx. 370, 375-76 (11th Cir. 2011) (applying Florida law).

[5] Recall Total, 2012 WL 469988 at *6-7.