ISO Comments on CGL Endorsements for Data Breach Liability Exclusions

July 18, 2014

As data breaches become more prevalent in the workplace, ISO, a member of the Verisk Insurance Solutions group at Verisk Analytics in Jersey City, N.J., has been taking steps to constrain commercial general liability policies based on ISO forms from responding to privacy and data breach claims. Effective May 1, 2014, in many jurisdictions, ISO introduced several endorsements addressing the access or disclosure of confidential or personal information.

Ron Beiderman, assistant vice president, Commercial Casualty at ISO, recently reviewed these new endorsements with Insurance Journal and said that based on some of the feedback ISO has received so far, it appears these revisions have been well received by a number of participating insurers. The following is an edited version of his comments.

Insurance Journal: Could you tell us about ISO’s responses to constrain the commercial general liability policies from responding to privacy and data breach claims? How are they being received by carriers?

Ron Beiderman: In connection with addressing your specific questions, we thought it would be helpful to provide some background for contextual purposes. At the time the ISO Commercial General Policies (CGL) were developed, certain hacking activities or data breaches were not prevalent and, therefore coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.

Ron Beiderman, assistant vice president, Commercial Casualty at ISO

As the exposures to data breaches increased over time, standalone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.

For instance, ISO Information Security Protection Policy EC 00 10 contains both first and third party coverage through eight separate insuring agreements which address data breach and other cyber-related exposures.

As a part of our 2013 general multistate revision to our Commercial General Liability program, we introduced an optional endorsement that deletes the invasion of privacy-related offense (Oral or written publication, in any manner, of material that violates a person’s right of privacy) from the definition of personal and advertising injury applicable to Coverage B under the ISO CGL Coverage Form.

Effective May 1, 2014 in many jurisdictions, ISO introduced several endorsements addressing the access or disclosure of confidential or personal information, including the following exclusion endorsements:

CG 21 06 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Bodily Injury Exception) — excludes coverage, under Coverages A and B, for injury or damage arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.

The endorsement also provides that the exclusion will apply even if damages are claimed for notification costs, credit monitor expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by the named insured or others with respect to that which is subject to the exclusion. This endorsement also includes a limited bodily injury exception arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

CG 21 07 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included) — which is very similar to CG 21 06 but does not include the bodily injury exception described above.

CG 21 08 05 14 (Exclusion – Access Or Disclosure Of Confidential Or Personal Information (Coverage B Only) — exclusion with respect to any access to or disclosure of any person’s or organization’s confidential or personal information is limited to personal and advertising injury.

As of June 16, 2014, these endorsements have been made available (including approved where necessary) as part of the ISO filed general liability program in 53 of 54 jurisdictions throughout the country. (Maryland is the only jurisdiction where these endorsements are not yet available.)

Since ISO makes available advisory services to property/casualty insurers and since ISO has no adherence requirements, we cannot say for certain how, if at all, the endorsements are being used in the marketplace. But from some of the feedback we have received to date, it appears that these revisions have been well received by a number of our participating insurers.

IJ: How quickly could these be adopted industry-wide? Do you see similar endorsements in non-standard policies?

Beiderman: ISO makes available advisory services to property/casualty insurers. ISO has no adherence requirements. So while it is up to each insurer to independently determine if and when to adopt ISO revisions, these endorsements have become available for use in just about all jurisdictions.

We make our advisory services available to both admitted and non-admitted insurers. As such, some non-admitted insurers may also decide to use some of these new endorsements as well.

IJ: Some have argued that the insurance industry, including ISO and carriers, may have been slow to respond on this issue. How would you answer that?

Beiderman: We are not aware of such comments in connection with our introduction of CG 21 06 05 14 and, on a broader scale, with respect to standalone cyber liability policies, we think it’s important to keep in mind that ISO has had its E-commerce Coverage Form available for use for almost 10 years.

With respect to our CGL program, it is important to point out that there are many emerging insurance related issues that we monitor regularly, both as they initially appear on the radar and as they develop and evolve over time. Of course, the balance while monitoring such developments is between evaluating potential related enhancements and trying not to respond too quickly to such issues and introduce changes before the related issue is more fully developed. Once such issues are more fully developed, we can more appropriately tailor our response to the issue.

Given that the issues surrounding data breaches are still evolving, as evidenced by the recent high publicity breaches that have occurred within the last six to nine months, we would not agree with any characterization that our introduction of CG 21 06 05 14 was somehow “slow to respond to the issue.”

Related Articles:
Company Data Breach Now Costs $3.5M on Average: Ponemon Study
No Consensus Among States Over Data Breach Laws
N.Y. Court: Zurich Not Obligated to Defend Sony Units in Data Breach Litigation
Target’s Cyber Insurance Softens Blow of Massive Credit Breach

Topics Cyber Carriers

Was this article valuable?

Here are more articles you may enjoy.