Evolving Considerations for Insurance and Cyber Risks

In a recent decision, a New York judge held that a commercial general liability (CGL) policy did not provide coverage for an online data breach where hackers stole the personal information of millions of users. The case remains subject to appeal but highlights the limitations of CGL policies for new cyber risks and the need for companies to evaluate their exposure to data breaches and cyber liability.

Recent high-profile data breaches including the Sony hacking and the Target credit card breach have drawn significant attention to issues of cybersecurity and consumer protection.

Internet and network technologies have improved companies’ abilities to conduct business, connect with partners and clients, and process and store data, but the advances have come with risks and cybersecurity has become a significant, though often underappreciated, concern.

In recognition of the “increasing dependence on digital technologies” and “more frequent and severe cyber incidents,” the SEC issued cybersecurity disclosure guidance in 2011 for public companies.

More recently, the White House issued its cybersecurity framework for critical infrastructure, developed by the National Institute of Standards and Technology (NIST).

The guidance from both is voluntary and not directed towards all entities, but it offers beneficial information and direction that is universally applicable. While security measures can help on the front end, insurance remains an important consideration, as recognized by the SEC and NIST, and can mitigate exposure to liability on the back end.

Understanding how insurance applies to cyber risk is becoming increasingly important, especially in light of the ruling in Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982.2011 (N.Y. Sup. Ct. Feb. 24, 2014), which demonstrated that traditional policies may leave gaps for cyber liability.

The case arose in 2011, after hackers breached Sony’s online PlayStation network and stole the personal information of millions of users, and the company turned to its insurer to provide a legal defense and coverage for the claims. Sony thought that its insurer should defend the underlying claims as the CGL policy provided coverage for “personal and advertising injury” which included the “oral or written publication in any manner of material that violates a person’s right to privacy.”

While the judge agreed with Sony that the hackers’ act of “opening the safeguards” and “getting the information out there” constituted “publication” in the broad, legal sense, he did not agree that coverage extended to the hackers’ actions. The judge noted that the phrase “any manner” in the policy referred to the medium of publication, not the actor, and that the coverage grant was limited to the acts of the policyholder, Sony. According to the judge, “[The policy] requires the policyholder to perpetrate or commit the act… It cannot be expanded to include third party acts.” Based on the hackers accessing the information, the judge found no coverage and no duty to defend.

A CGL policy may provide coverage for a data breach under certain circumstances but the applicability of a policy to a cyber liability claim remains highly contingent on the specific facts of the case, including the manner of breach, the actor breaching the system, and other circumstances which can pull the claim within or outside of the policy’s coverage grants and exclusions.

For example, in Hartford Cas. Ins. Co. v. Corcino & Assoc., No. 2:13-CV-03728 (C.D. Cal. Oct. 7, 2013), a federal judge found coverage under a CGL policy where personal medical information was negligently transferred and published online.

However, the factual scenario was distinguishable from that in Sony as the actor was under the control of the insured, and the case focused on a different policy provision.

The relationship between insurance and cyber risk continues to develop and insurers are responding to these claims in part by more explicitly addressing cyber risks in their policies. In the interim, courts will continue to be faced with questions regarding the applicability of general liability policies to data breach claims.

The decision in Sony illustrates the potential limitations of standard liability coverage in dealing with the evolving cyber environment. Companies can use the guidance from the SEC and NIST to frame the issues and establish protective measures, but they should also understand how their general liability insurance, directors and officers liability coverage, and other insurance applies to cyber risks.