United States: Data Breach Exclusions May Soon Find Their Way Into The Commercial General Liability Policy

Insurance industry reports now are confirming that general liability insurers increasingly are adding data breach exclusions to their policies in an attempt to restrict coverage for privacy risks.

Insurers are incorporating an exclusion developed by the Insurance Services Office, Inc. ("IOS"), an industry trade group that develops standard insurance contract language. The exclusion applies to a variety of damages, including notification costs, credit monitoring expenses and public relations costs associated with data breaches.

The rapid introduction of these exclusions either through renewals or new purchases may force corporate policyholders to review more closely whether they should purchase separate, specialized data breach/privacy insurance, which policies fairly recently entered the market. Those policies, however, are complex in their construction and wording and have not been tested in the courts. As a result, and because data breaches have resulted in large losses when they occur, policyholders likely will face serious disputes about the coverage provided by those policies when claims are made.

So what should corporate policyholders be doing?

1.      Review new policies and renewals very carefully to determine the extent to which data breach/privacy claims are either covered or excluded. While the ISO exclusion is likely to be the provision relied upon by most insurers, variations of that exclusion may be incorporated that alter the scope of coverage provided. For example, the exclusions may vary from industry to industry.

2.      If separate data breach/privacy insurance is being considered, carefully review policy forms and compare the coverage provided by different insurers in the market. These policies differ in their language and coverage, and the policyholder should conduct detailed reviews to determine exactly what coverage is being purchased.

3.      To the extent that a policyholder has an outstanding data breach/privacy claim, the policyholder may be able to argue that the new exclusions are evidence that coverage existed in policies without the exclusions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.