Experts are cautioning both insurance buyers and sellers not to overreact to the recent federal court decision finding data breach defense coverage under a commercial general liability (CGL) policy.
Buyers would be mistaken to think the ruling means that they do not need a cyber policy if they have a CGL policy and insurers might want to think twice before narrowing their general liability language to guard against cyber claims when the marketplace is clamoring for broader coverage.
The April 12 decision in Travelers Indemnity vs. Portal Healthcare Solutions by the U.S. Court of Appeals for the Fourth Circuit presented a particular set of facts that may not apply to other carriers’ CGL policies or to other insureds’ situations.
Travelers had argued that its 2012 and 2013 CGL policies did not require it to defend its insured, Portal Healthcare Solutions, which was being sued over a data breach by patients of a New York hospital that had hired it to secure its data.
The 2012 and 2013 policies — under Coverage Part B Personal and Advertising Injury — obligated Travelers to pay if Portal became legally obligated to pay damages because of an advertising or website injury arising from the “electronic publication of material that… gives unreasonable publicity to a person’s private life” or … discloses information about a person’s private life.”
The insurer had argued that there was no personal injury or publication as defined by the policies because release of the records was not intentional and they were not viewed by a third party. But the court said an unintentional publication is still publication. The court also said the definition of publication does not hinge on third party access.
In a recent interview with Insurance Journal, Stephanie Snyder, senior vice president for Aon Risk Solutions, said that the Travelers ruling turned on defining publication in a digital age and was not all that surprising.
“The private healthcare information was viewed as being published. When information is published it really does fall under a CGL advertising injury personal injury type of coverage and it really comes down to the definition of what is published information,” said Snyder.
Whereas some CGL policies might have an explicit exclusion for this type of injury, this Travelers policy did not, she noted.
Snyder said the other noteworthy aspect of the decision is that it only said defense costs would be covered. “So you’re not talking about any of the expense costs,” she said, citing public relations, notification, credit monitoring and computer forensics costs that might be picked up by a cyber policy. “None of those are taken into account by this particular ruling.
She said she was not necessarily surprised by the ruling. “We’ve seen other litigation going back where everyone’s trying to force coverage into a CGL in the case where they don’t buy a cyber policy,” she said. “But where we are starting to see cyber policies become more the norm, I think these types of cases will fall by the wayside.”
Christopher Keegan, cyber and technology risk practice leader with broker Beecher Carlson, agrees that whether there is coverage comes down to the particular set of facts. However, “when you’ve got a word like publishing in the policy, if you can find some element of publishing there, then the courts are going to pick it up and interpret it in a way that’s going to help the insured. That’s a good thing, I think,” he said.
He said a case like this makes people take notice of an issue and forces underwriters to consider if they are covering things in a CGL, for instance, that they did not intend to cover. “It highlights it for us and brings it to our attention in a way that’s like, ‘OK, we know this exists. What are we going to do about it?'” he told Insurance Journal.
He said cases like this are likely to arise where insureds have not bought a cyber policy and seek to leverage whatever policies they do have to find coverage. “They’re trying to take advantage of less-clear wording in those policies. Once you get lawyers involved in the process, that’s what happens,” he said.
In these cases, he said, the businesses are really inviting litigation because they are going to “get some pushback” from underwriters who had no intention of covering what they claim.
Keegan suggests that this is when the broker has to advise his clients: “Do you really want that situation? Or in the midst of a breach wouldn’t you rather have an insurer that’s going to be saying, ‘Hey, we’re standing behind you. We’re going to provide some of the services that are provided under the cyber policy,’ and have the underwriters be on your side rather than litigating those issues?”
Keegan suggested that even this case is not yet finished because it will take some time for this to work its way through the legal system and states before everyone can understand exactly what its application is.
Beyond Data Breach
Linda Kornfeld, an insurance recovery lawyer at Kasowitz Benson Torres & Freidman in Los Angeles, put a different spin on the case, claiming it goes beyond its data breach context.
“This a positive decision for policyholders in not just the data breach context, but also with respect to other claims involving privacy issues, such as blast fax and zip code cases,” she said in a statement. Kornfeld said the decision is in line with other cases where “courts have broadly interpreted the publication language, finding that the undefined term is ambiguous and should be interpreted in the policyholder’s favor.”
She said that while there was no evidence that anyone actually accessed personal information in this case, the potential to do so existed had someone run the right Google search. “According to the court, that possibility, even if it never became a reality, was enough to trigger the defense duty,” Kornfeld said.
While buyers need to understand what is covered and what isn’t, insurers do as well. Keegan believes the case offers a lesson for insurers to “make sure that they understand what the exposures are and how to explain them” for their own benefit.
That process is evolving. ISO has developed exclusions carriers can use to say, “We want to take this risk” or, “We don’t want to take this risk.”
“But there’s a long way to go,” he said, adding that many insurers are only now looking at cyber exposures and aggregations. “It’s not that easy,” he said. “You’ve got to anticipate all of the things that are going to happen.”
While underwriters may want to be more precise in explaining what is covered and not covered under certain policies, perhaps even insert a full exclusion in a general liability policy, carriers have other factors to weigh, including the competitive marketplace with attentive brokers and customers.
Keegan said carriers and brokers are competing with one another for clients and at some point a carrier that is pulling back on a wholesale basis is going to lose business to its competitors.
For example, putting in a full exclusion could leave a hole that even a cyber policy won’t fill. “You can imagine what insureds are going to think about when someone says, ‘We’re removing coverage for you and we’re not giving you an option to actually fill the gap,'” he said.
He said brokers and others in the marketplace want to “push for broader coverage and where there’s some interpretation involved in policies.” Keeping coverage open to certain risks is advantageous to sellers and their buyer clients.
Calling All Policies
It’s not only general liability policies that are being challenged by cyber.
Any number of different policies cover cyber risk in some way, shape, or form. “As a result of that, we’re finding situations where two or three policies may respond to a particular situation,” said Keegan.
For Joshua Gold, an insurance recovery attorney with Anderson Kill in New York who specializes in cyber, Keegan’s point is the main takeaway from the Travelers ruling: Policyholders need to look to all of their policies for coverage, not just to general liability or even just to cyber.
“The case is an important reminder that non-cyber-specific insurance policies may provide vital insurance protection for cyber-related claims,” he said.
He also said the ruling offers hope that defense costs for cyber claims will be found in general liability policies and contends that could be significant.
“There’s always an issue with these type of claims that you are going to attract a class action lawsuit so just getting the defense component of that can be hugely valuable,” he said. “This can be a big deal.”
Gold agrees that the Travelers ruling is noteworthy for what it says constitutes “publication” of data in a breach of privacy. The court found that publication occurs upon disclosure of the medical data, does not need to be intended, and does not require proof that any actual third-party saw the data.
“It’s a good development for policyholders but I would not put all of my eggs in that basket,” he said, stressing that most businesses need multiple policies and need to understand all of their exclusions.
“Buyers should know before a claim where their coverage for cyber is,” he said and this requires looking at all policies.
Gold said his firm has secured coverage for businesses for claims under various traditional policies including property, crime, general liability, business owners, errors and omissions, and directors and officers.
As for how insurers may react to the Travelers ruling, Gold agrees with Keegan that the marketplace will have its say although reactions will vary.
“My guess is that underwriters will all do their own thing on this,” Gold said. While some will be “completely spooked” by the Travelers decision and narrow their offering, other underwriters will realize it’s a competitive marketplace and they might be able to offer a broker and client something better. “So like everything it’s always hard to generalize but I am quite sure there will be very different reactions,” he said.
While most businesses should buy a cyber policy, they should not assume then that they are completely covered if they do, Gold said.
“A lot of cyber policies have tons and tons of exclusions and can be confusing so I don’t think you can just rely n the cyber policy either,” he said.
Los Angeles policyholder attorney Kornfeld wonders how long traditional policies may be of help in cyber situations.
“As a policyholder, I would not rely upon this ruling as a substitute to purchasing cyber coverage because the industry is working hard, through exclusions and other language, to push data breach and cyber risks away from the traditional coverages, such as GL policies like that at issue in this decision, and toward cyber specific coverages,” she wrote.
Richard Caplan, with the national law firm LeClairRyan’s Atlanta office, echoed the caution that cyber policies themselves are not a panacea. He said a lot can hinge on the meaning of certain key words and phrases in a policy.
Some who buy cyber insurance assume it covers all first-party costs in the event of an incident – like investigation, notification and credit monitoring. But it only covers third party claims or lawsuits.
“If your cyber coverage only kicks in when a third party makes a claim, then practically speaking you may not have any coverage at all,” he warns. “For now, perhaps the most important thing to do is make sure you do not fall into the category of someone who thinks they are covered when they are not.”
In recent testimony on Capitol Hill before a House homeland security subcommittee, Adam Hamm, North Dakota insurance commissioner, cautioned lawmakers and the public about cyber coverage.
Speaking on behalf of the National Association of Insurance Commissioners (NAIC) prior to the Travelers ruling, Hamm said many businesses probably do not realize that most standard commercial lines policies do not cover many cyber risks and thus they need a special cybersecurity policy. But they need to know that cyber policies differ and the market is far from being standardized, he said.
“Commercial insurance policies are contracts between two or more parties, subject to a certain amount of customization, so if you’ve seen one cybersecurity policy, you’ve seen exactly one cybersecurity policy,” Hamm said.
“All these nuances mean securing a cybersecurity policy is not as simple as pulling something off the shelf and walking to the cash register. Insurers writing this coverage are justifiably interested in the risk management techniques applied by the policyholder to protect its network and its assets. The more an insurer knows about a business’s operations, structures, risks, history of cyber attacks, and security culture, the better it will be able to design a product that meets the client’s need and satisfies regulators,” Hamm said.