Originally published in Anderson Kill's New Jersey Alert, March 2015

The Comprehensive Environmental Response, Compensation, and Liability Act (also known as CERCLA or Superfund) was passed in 1980, and almost immediately produced a huge wave of environmental litigation. That wave gave rise to an equal if not greater wave of environmental insurance litigation. That insurance litigation wave has now declined.

Numerous mega data breaches demonstrate that the age of cyber litigation is here. The question is whether cyber litigation will produce a wave of cyber insurance litigation. There are two sources of insurance for data breaches and other cyber events — general liability policies and cyber policies.

Traditional general liability policies usually (but not always) provide coverage for "oral or written publication, in any manner, of material that violates a person's right of privacy." Substantial litigation has ensued over whether violations of the Telephone Consumer Protection Act (TCPA or Junk Fax Prevention Act) and other privacy statutes are covered by this provision. New Jersey, specifically, has reached conflicting results in reviewing similar, but distinct policy language. In Myron Corp. v. Atlantic Mutual, Docket No. BER-L-5539-06, 2007 N.J.Super. LEXIS 3012 (Law Div. Jan. 22, 2007), rev'd on other grounds, the court found that the insurance company had to defend the policyholder against a "junk fax" suit, where the policy defined advertising injury to include oral or written publication "that violates a person's right of privacy." In St. Paul Fire & Marine Ins. Co. v. Brother Int'l Corp., 319 Fed. Appx. 121 (3d Cir. 2009), the insurance policy contained unusual language, and defined "advertising injury offense" as "making known to any person or organization covered material that violates a person's right to privacy." The court found that "making known" required an invasion of secrecy and found no coverage. General liability policies have dramatically cut back their privacy coverage, frequently excluding any violation of statute. See Hartford Cas. Ins. Co. v. Corcino & Assocs., Docket No. CV 13-3728, 2013 U.S. Dist. LEXIS 152836 (C.D. Ca. Oct. 7, 2013) ("This insurance does not apply to . . . Personal And Advertising Injury . . . arising out of the violation of a person's right to privacy created by any state or federal act.").

Litigation over this language has now moved to the data breach arena. In Zurich American Insurance Company v. Sony Corporation of America, the parties battled over insurance coverage for the first Zurich data breach. Index No. 651982/2011, 2014 N.Y. Misc. LEXIS 5141 (N.Y. App. Div. Feb. 24, 2014). Sony argued that the data breach was a publication of the data. Zurich countered that publication required an affirmative action by the policyholder. The court agreed with Zurich, and held that a data breach by a third party was not covered by the privacy provision of a general liability policy. The case is currently on appeal. The court in Recall Total Information Management, Inc. v. Federal Insurance Co., 83 A.3d 664 (Conn. App. 2014), cert. granted, 311 Conn. 925, 86 A.3d 469 (2014), involving computer tapes that fell off of a truck, reached the same conclusion — finding there was no publication where there was no evidence that anyone accessed information on the tapes. That case is now pending before the Connecticut Supreme Court.

Many companies are now purchasing cyber insurance. Growth has been about 30% a year, with annual premiums last year of $2 billion. Over 30 insurance companies are now selling cyber insurance. By most accounts, the policies are affordable. Recent data breaches should fuel the corporate appetite for cyber insurance. To speak of "cyber insurance" is a misnomer. No standard policy form exists, and different policies can differ dramatically. Most importantly, nine categories of cyber insurance currently exist, and each company must decide which components it needs. The key coverages include:

  1. coverage against privacy lawsuits by individuals;
  2. coverage against governmental privacy investigations;
  3. cyber-business interruption coverage;
  4. cyber-extortion;
  5. media coverage, such as defamation, trademark and copyright;
  6. network disruption;
  7. crisis response costs;
  8. network loss or damage; and
  9. electronic theft.

It is difficult to predict the evolution of cyber coverage in the next few years. Certainly, companies can expect that hackers will continue to exhibit creativity and find new ways to attack. The insurance industry is responding with new, sweeping cyber exclusions on general liability policies, and a broad array of cyber policies. Sony has heightened concerns over cyber extortion, which is currently covered under many cyber policies. Concern is being expressed over hacker attacks on operating systems, causing physical damage and shutting down systems. Cyber insurance will need to adapt quickly to changes in the cyber landscape to keep customers satisfied and prevent coverage litigation.

Robert D. Chesler is a shareholder in Anderson Kill's Newark office. Mr. Chesler represents policyholders in a broad variety of coverage claims and advises companies with respect to their insurance programs. rchesler@andersonkill.com

Janine M. Stanisz is an attorney in Anderson Kill's Newark office. Ms. Stanisz's practice concentrates on insurance recovery, exclusively on behalf of policyholders as well as in real estate and construction. jstanisz@andersonkill.com

About Anderson Kill

Anderson Kill practices law in the areas of Insurance Recovery, Commercial Litigation, Environmental Law, Estate, Trusts and Tax Services, Corporate and Securities, Antitrust, Banking and Lending, Bankruptcy and Restructuring, Real Estate and Construction, Foreign Investment Recovery, Public Law, Government Affairs, Employment and Labor Law, Captive Insurance, Intellectual Property, Corporate Tax, Hospitality, and Health Reform. Recognized nationwide by Chambers USA for Client Service and Commercial Awareness, and best-known for its work in insurance recovery, the firm represents policyholders only in insurance coverage disputes - with no ties to insurance companies and has no conflicts of interest. Clients include Fortune 1000 companies, small and medium-sized businesses, governmental entities, and nonprofits as well as personal estates. Based in New York City, the firm also has offices in Ventura, CA, Philadelphia, PA, Stamford, CT, Washington, DC, Newark, NJ and Dallas, TX.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.