Recent developments in two closely watched cases suggest that companies that experience data breaches may not be able to get insurance coverage under standard commercial general liability (CGL) policies. CGLs typically provide defense and indemnity coverage for the insured against third-party claims for personal injury, bodily injury or property damage. In the emerging area of insurance coverage for data breaches, court decisions about whether insureds can force their insurance companies to cover costs for data breaches under the broad language of CGLs have been mixed, and little appellate-level authority exists.
On May 18, 2015, the Connecticut Supreme Court unanimously affirmed a state appellate court decision that an IBM contractor was not insured under its CGL for the $6 million in losses it suffered as the result of a data breach of personal identifying information (PII) for over 500,000 IBM employees. The contractor lost computer backup tapes containing the employees’ PII in transit when the tapes fell off of a truck onto the side of the road. After the tapes fell out of the truck, an unknown party took them. There was no evidence that anyone ever accessed the data on the tapes or that the loss of the tapes caused injury to any IBM employee. Nevertheless, IBM took steps to protect its employees from potential identity theft, providing a year of credit monitoring services to the affected employees. IBM sought to recover more than $6 million dollars in costs it incurred for the identity protection services from the contractor, and negotiated a settlement with the contractor for that amount.
The contractor filed a claim under its CGL policy for the $6 million in costs it had reimbursed to IBM. The insurer refused to pay. In subsequent litigation with the contractor, the insurer made two main arguments. First, it argued that it only had the duty to defend against a “suit,” and that the negotiations between the contractor and IBM were not a “suit.” Second, the insurer argued that the loss of the tapes was not an “injury” covered by the policy.
The Connecticut Supreme Court adopted both of the insurer’s arguments, and the decision highlights two key areas for any company considering whether it needs additional insurance coverage for data breaches: what constitutes an “injury” under a CGL, and when an insurer is required to reimburse a company for costs associated with an injury. First, the court held that the loss of the computer tapes was not a “personal injury” under the CGL, because there had been no “publication” of the information stored on the tapes. In other words, because there was no evidence that anyone accessed or used the stolen PII, the court found that the data breach did not constitute a “personal injury” under the policy—even though the contractor spent millions of dollars reimbursing IBM for costs associated with the data breach.
Second, the court found that the CGL policy only required the insurer to reimburse costs stemming from a lawsuit or “other dispute resolution proceeding.” The contractor’s voluntary negotiations with IBM to reimburse it for the cost of data protection services were not a “suit” or “other dispute resolution proceeding” under the policy. Thus, the court reasoned that the insurer was not obligated to cover the contractor’s costs under the CGL policy.
Even with the recent decision from the Connecticut Supreme Court, however, some companies have been able to get compensation from their insurance providers even without appellate-level precedent. Sony recently settled with its insurers in a dispute over whether the insurers would cover data-breach losses under Sony’s CGL. Sony had sought insurance coverage when it was sued by customers after hackers stole confidential data of millions of Sony PlayStation users. Its insurance claim was based on policy language covering costs for “personal advertising injury,” which the policy defined specifically as “oral or written publication in any manner of the material that violates a person’s right to privacy.” The insurers refused to provide coverage, arguing that under the policy and case-law precedent, an insurer would only be obligated to provide coverage if the insured party caused the data to be published. Because third-party hackers, not Sony, stole the data (and arguably “published” it), the insurers claimed they had no duty to provide coverage.
A New York trial court judge ruled from the bench in favor of the insurance companies, concluding that the policy language only covered injuries stemming from publication of data by the insured, not by a third party such as a hacker. Sony appealed the decision, but prior to a decision from the appellate court, the parties settled for undisclosed terms. The settlement seems to suggest that the insurers were not convinced the appellate court would uphold the trial court’s decision.
While some companies have been successful in obtaining coverage for data-breach liability under their CGL, there are no guarantees. As these cases illustrate, insurers may not willingly provide such coverage under CGLs, requiring companies to engage in expensive legal battles with their insurers about coverage while they are simultaneously defending themselves in litigation arising directly from data breaches. As companies continue to experience major—and costly—data breaches at an increased rate, it is imperative for companies to understand exactly what their CGL insurance policy will cover and to consider obtaining a cyber-specific insurance policy to specifically address data breaches and other cyberattack risks.