The short answer: it all depends, and the answer has many variations. In what are becoming “very few” cases, the answer could be yes. With new policy exclusions being introduced, the answer is no. In many cases, it’s not clearly defined, and the court will decide whether or not a data breach is covered by a commercial general liability (CGL) insurance policy.
It’s interesting that a recent court decision ruling that a CGL insurance policy covered a data breach has not gotten much media attention, nor have there been any articles on the importance of this ruling and how it affects cyber insurance. Indeed, the media chooses to cover only what it’s interested in; however, this one really is of importance, especially for those CGL policyholders who continue to rely on their commercial general liability insurance policies for cyber and data security liability protection. If your company falls into that category, it’s probably worth reading the “short answer” above again. Why would any company want to leave itself exposed like that?
In this recent court decision, the plaintiff (the policyholder) received a favorable decision, and coverage for their data breach was found in their CGL insurance policy. However, it’s not always going to be this way in the future as more insurance carriers add cyber and data security breach exclusions to their CGL policies. I’m certain that the insurer in this court case (Travelers) has already added these exclusions to their CGL policy after learning the hard way from their specific policy wording (dated 2012 and 2013). Under Coverage Part B Personal and Advertising Injury, that wording obligated Travelers to pay if the policyholder became legally obligated to pay damages because of an advertising or website injury arising from (1) the “electronic publication of material that… gives unreasonable publicity to a person’s private life” (the language found in the 2012 policy) or (2) the “electronic publication of material that… discloses information about a person’s private life.”
This is certainly an important decision, because CGL policies will continue to change from here, with more computer network security and data breach exclusions being added. In this case, it was the insured’s negligence that caused the PHI to be “published” online. The Travelers CGL policy at that time had very specific coverage wording (I’m sure there is now an exclusion in their CGL policy today that would exclude such a scenario), and coverage was found under Coverage Part B Personal and Advertising Injury because the information was published to the public at large on the internet and open for viewing 24/7, regardless of whether or not anyone actually saw the data.
According to Insurance Journal, “Travelers had argued that there was no “personal injury” or “publication” as defined by the policies because release of the records was not intentional and they were not viewed by a third party. But the court said an unintentional publication is still publication. The court also said the definition of publication does not hinge on third party access.”
The Data Breach Incident:
A class action was filed in New York in 2013 by patients whose private medical records were exposed on the internet for four months. The two individuals initiating the suit said they searched their names on Google and the first links that appeared were to their private medical records from Glens Falls Hospital in New York where they were patients. (Source: Insurance Journal)
Clearly, the PHI was “published” online due to the policyholder’s data security negligence, which exposed the PHI of the patients. While it is not known whether anyone besides the patients who found their PHI online viewed the sensitive information, that’s not the point. Indeed, it is a data breach regardless of whether or not anyone besides the patients viewed the PHI online. It was published there in clear text, for anyone to see. And, in the language of Travelers’ 2012 policy, it was nonetheless open to the public, attaching unreasonable publicity to the patients’ private lives.
Other CGL Policyholders Were Unsuccessful in their Data Breach Claims
In other court cases involving a CGL policy and a data breach, the policyholders (Sony and an IBM contractor, Recall Total Management) were not so lucky. For one, Sony was not the party that “published” the PII involved in its data breach incident; it was a third party (“hackers”) who “published” the data online. Sony’s CGL policy therefore provided no coverage for its data breach under Coverage Part B Personal and Advertising Injury: for there to have been coverage (if there was no exclusion in Zurich’s CGL for cyber and data security breaches), Sony would have had to be the party that published the data. In the Recall Total Management incident and court case, no coverage could be found under Coverage Part B Personal and Advertising Injury because absolutely no data was (“electronically”) published: the data involved was on lost computer backup tapes. In this case, the data was “stored” on the tapes, not published.
These court cases and claims battles should have every company executive asking, “Why would a company gamble with its cyber and data security risks and assume that its CGL policy will cover it in the event of a data breach?”
In addition, on the flip side, this court decision is the writing on the wall for those insurance carriers who are now losing sleep at night because they have left themselves openly exposed to risks that they never planned or thought they would have to cover. Who’s the winner? The quick answer is the hacker. The more appropriate answer is that both sides need to protect themselves from cyber and data security related insurance claims, which are here to stay and will only get bigger, so that both sides grow stronger and win the race together and not on opposite sides.
Is Your Company’s CGL Policy Renewal Coming Up?
Lastly, for those companies that have relied on their CGL insurance policies for cyber and data breach coverage, it’s time to take a close look at your CGL insurance policy, especially at the time of your policy renewal. Most certainly, when your CGL policy renews, you will find that your policy clearly excludes computer network security and data breaches.
Standalone Cyber Insurance Stands Alone for a Reason!
When your company’s cyber attack or data breach happens, will you be standing alone or will you have a cyber insurance policy to turn to when help is most needed?
For help with your company’s cyber insurance, please complete our cyber insurance quote request form or give us a call.