Originally published on CyberInquirer.
I. INTRODUCTION: INSURANCE PRODUCTS FOR
CYBER RISKS
Increasing reports of cyber intrusions, data theft and computer system malfunctions have led a rapidly-growing number of companies to purchase insurance coverage to protect themselves from technology and cyber privacy risks. Indeed, as our technology-driven economy continues to evolve and businesses become more reliant on electronic communication and data storage, they are developing a heightened awareness that an unauthorized intrusion could endanger their tangible and intangible assets (including their intellectual property) and, in many cases, their reputations and abilities to conduct business. As such, prospective policyholders are becoming more cognizant of the necessity for insurance covering such growing exposures.
Still, there is significant uncertainty about the nature and scope of insurance products which might cover a company's technology and cyber privacy risks, whether the entity is in the technology space or in a vertical that uses technology to run its business operations. While businesses and their insurance brokers typically are knowledgeable about insurance policies covering traditional general and professional liability exposures, today's online-society introduces new dynamics, many of which are not covered under traditional general and professional liability policy forms. The growing number of technology and cyber products offered throughout the global insurance markets highlights the importance of the insurance brokerage community and the value of a sophisticated broker who can perform a thorough analysis of a policyholder's insurance needs, and who can work with underwriters to obtain and tailor insurance policies to meet those needs.
Many policyholders are surprised to learn that a standard CGL policy likely would not apply to a technology or cyber privacy claim, notwithstanding that the form typically includes coverage for "property damage" and "personal and advertising injury." More surprisingly, some insurance brokers are not aware of a CGL policy's limitations or their clients' needs for a comprehensive multi-line insurance program. But, such is the nature of our changing society and a client's evolving insurance needs.
A. Cyber Risks as "Property Damage"
A typical CGL policy defines "property damage" as "physical injury to tangible property, including all resulting loss of use of that property." While it is well- and widely- known that this definition would apply to traditional property damage losses (such as those arising from fires, impaired property and the like) many policyholders and brokers, without due consideration, mistakenly take it for granted that this definition also includes technology and cyber privacy losses involving intangible property such as electronic data. But, that is clearly not the case or the policy's intent. To emphasize this point, and to add a belt to the suspenders, some CGL policy forms specifically exclude electronic data from their definition of "property damage." In such policies, "electronic data" is generally defined as the "information, facts or programs stored as or on, created or used on, or transmitted to or from computer software." Despite this self-evident precept, some policyholders have elected to test this principle, arguing that "property damage" includes damage to computer software, information and data. And in most cases, they have lost.
In the most well-reasoned cases, the results were not surprising. For example, in America Online, Inc. v. St. Paul Mercury Insurance Co., 347 F.3d 89, 96 (4th Cir. 2003), the Fourth Circuit properly recognized that data, web pages and computer systems do not constitute tangible property because they are not capable of being touched, held or sensed by the human mind. As such, they were not "property damage," as that term is used in a CGL policy. The Eighth Circuit concurred with this self-evident proposition, holding in Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797, 802 (8th Cir. 2010), that a "complaint would have had to make a claim for physical injury to the hardware in order for [the policyholder] to have coverage for 'physical injury to tangible property'" under a general liability policy's "property damage" coverage.
Despite the inherent logic of these appellate decisions, one trial court, in dicta, endorsed a distorted view of "property damage," expanding its definition beyond the plain and ordinary language. In Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185, 2000 WL 726789 (D. Ariz. Apr. 18, 2000), the court considered whether a first-party property policy covered losses incurred after a power outage rendered the computer systems inoperable. The court purported to focus on the physical attributes of "bytes," as well as the particles and atoms that comprise a hard drive, in order to justify its result-oriented conclusion that the corruption of data constitutes "physical damage," as required by the policy. The Ingram Micro court rationalized its construct by hypothesizing that "[a]t a time when computer technology dominates our professional as well as our personal lives . . . 'physical damage' is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality." Though the policy insured against "direct physical loss or damage," the court incorrectly conflated the phrases "physical damage" and "property damage" and held that the loss of programming information and network configurations "does allege property damage." The Ingram Micro decision is frequently cited by policyholder counsel seeking to argue away the realities of a CGL policy's limitation, despite the fact that the issues are presented in the context of a property damage policy. Not surprisingly, however, and for good reason, such counsel inevitably do not choose to litigate this issue.
B. Cyber Risks under Endorsements
Notwithstanding the "property damage" jurisprudence and plain old logic, certain CGL policy forms may expand the scope of their traditional coverages to include certain data losses. Because traditional CGL policies typically do not provide property coverage for technology and cyber privacy risks, insurance companies are marketing specific policies and endorsements with specialized forms of coverage. For example, there is an ISO form endorsement for use with CGL policies that provides coverage for loss and loss of use of electronic data resulting from physical injury to tangible property. Insurers also offer technology stretch, computers and media, and technology services coverage endorsements in combination with CGL policies.
C. Cyber Risks as "Personal and Advertising Injury"
Of course, this is not to say that a standard CGL policy may never apply to a cyber privacy claim. Indeed, many general liability policies include "personal and advertising injury" coverage which, in some cases, may subsume to certain portions of a cyber privacy event. The term "personal injury and advertising injury" typically is defined to include a list of enumerated offenses such as injury arising out of the infringement of another's copyright and the oral or written publication of material that slanders a person or organization, or violates a person's right to privacy.
In Netscape Communications Corp. v. Federal Insurance Co., 343 Fed. Appx. 271, 272 (9th Cir. 2009), the Ninth Circuit held that a CGL insurer providing "personal and advertising injury" coverage had a duty to defend where AOL was alleged to have intercepted and disseminated private online communications. The Netscape court found such claims implicated a person's right to privacy and thereby potentially triggered the policy's "personal and advertising injury" coverage section. In addition, in Zurich American Insurance Company v. Fieldstone Mortgage Co, No. CCB-06-2055, 2007 U.S. Dist. LEXIS 81570 (D. Md. Oct. 26, 2007), the court found that Zurich had a duty to defend against claims brought by individuals who received prescreened offers based on information contained in their consumer credit reports, allegedly in violation of the Fair Credit Reporting Act. The court held that even though the solicitations were not divulged to a third party and did not contain protected information, the solicitations constituted "publication" of material violating a person's right to privacy, in the context of an "advertising injury" policy provision.
II. OVERLAPPING COVERAGE
Of course, the question of whether a CGL insurer has a duty to defend, or even a duty to indemnify, a technology and/or cyber privacy claim is not the only one which a policyholder — or a CGL insurer — may face. In many cases where a policyholder has obtained multiple policies covering multiple types of exposures and risks — as a proactive policyholder with a sophisticated insurance broker should — a CGL policy's coverage could overlap and converge with those provided by other insurance products. These include pure cyber and technology forms, third-party professional liability and directors and officers liability policies, and first-party and business interruption certificates. This situation will then present issues such as what damages are covered under what form (i.e., in the third-party context, damage to hardware may be covered under a CGL form policy while corresponding corruption of software may be covered under a technology policy), allocation of defense costs, the implications of "other insurance" clauses, and the scope of an insurer's duty to defend and/or pay defense costs under a pure indemnity policy.
III. CONCLUSION
In short, product-related and service-oriented businesses reliant on technology can — and should — take all reasonable steps to ensure that they have virtually seamless insurance coverage by working with sophisticated insurance brokers well-versed in the myriad policies and forms available to cover technology and cyber privacy risks. Just as our economy is quickly evolving, so too are the types of insurance products and coverage available to meet a policyholder's changing needs. Understanding the components of these new-age policies is critical, and prudent business executives should devote the necessary time and resources to identify a sophisticated insurance broker who can assess a company's vulnerabilities and ensure that the necessary insurance products are purchased. Having written such policies, and having worked with many brokers and underwriters, we can assure readers that the exercise will not be easy. But, it certainly will be worth it in the end.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
