Cyber-Related Losses Are They Covered by Traditional Insurance Policies


Governo Law Firm partners Nancy Kelly and David Governo published an article in the March 2013 newsletter of the Federation of Defense & Corporate Counsel (FDCC) Insurance Coverage Section. The article explains under what circumstances cyber-related losses are covered by traditional insurance policies and highlights several important cases in this area of law. You may view a copy of the newsletter here or read the article below. Please contact Nancy Kelly ([email protected]) or David Governo ([email protected]) with any questions you may have about data privacy, cyber-liability or cyber coverage issues.

Cyber-Related Losses: Are They Covered by Traditional Policies?
Recent Legal Developments in Cyber Coverage

Cyber risks present increasing challenges for businesses today given that use of computer systems and the internet are now key elements of the infrastructure of virtually every organization. These risks arise from malicious hacking, catastrophic weather events, electronic virus transmission, and human error. First-party losses may include network or website damage, data theft, data loss, or business interruption. Third-party losses may be attributable to internal or external transmission of private information, cyber security failure, regulatory enforcement actions based on non-compliance with data security laws, or class action data breach lawsuits.

In the privacy arena, states have promulgated regulations for the protection of personal information and have mandated specific requirements for the notification of customers in the event of a data breach. Compliance with these regulations requires thoughtful implementation by risk managers and technology experts. Investigation and mandatory notification costs associated with a breach can be significant.

In addition to implementing information technology controls, securing cyber-specific insurance may be a key tool for managing cyber risk. Many carriers are now offering a number of specialized cyber risk products, and the market for these products is growing. In determining insurance needs, companies should consider potential risks and seek appropriate risk management and insurance advice. As part of this evaluation, companies should examine their entire insurance program as more traditional policies, such as CGL, E&O, property, and crime policies, may provide coverage. Whether coverage is available under traditional business policies will depend on the policy wording, the allegations or facts of the underlying claim, and the applicable law. The law is evolving in the cyber coverage area, and we highlight some important cases below.

  • Property: Ward Gen. Ins. Serv., Inc. v. Emp'rs Fire Ins. Co., 114 Cal. App. 4th 548 (2003)

In Ward, the insured suffered a computer crash and a loss of data due to "human error." The insured sought recovery of costs to restore the data and attendant loss of business income under the Building and Personal Property Coverage Form of its first-party commercial insurance policy. The court held that data was not "tangible property" covered by the policy, which suggests that insureds may have difficulty demonstrating a loss of "tangible property" under these types of policies.

  • Crime: Retail Ventures, Inc. v. Nat'l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012).

The insured, Retail Ventures, Inc., prevailed on appeal in its coverage claim seeking $6.8 million in data breach losses under a computer fraud rider to a commercial crime policy. The court found that the loss resulted "directly from" the theft of insured property by computer fraud, and rejected application of the exclusion for losses of "proprietary information, trade secrets, confidential processing methods, or other confidential information of any kind." It is important to note that not all crime policies have this type of rider/endorsement, and others exclude this type of coverage. Also, this type of coverage will only cover criminal acts. Note that data breaches often result from employee negligence.

  • E&O: Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797 (8th Cir. 2010).

An online marketing firm found coverage under its technology E&O policy when the firm's online advertising caused a third-party internet user's computer to be infected with spyware, resulting in computer damage and data loss. The court found that the insured's acts were not intentionally wrongful, and as such, fell within the policy's coverage. The court also found that the insured's CGL policy covered the third party's loss of use of his computer as this fell within the specific wording of the policy as a "loss of use of tangible property that is not physically injured."

  • CGL: Zurich Am. Ins. Co. et al. v. Sony Corp. of Am. et al., No. 651982/2011 (N.Y. Sup. Ct.)

In this case, which is being closely monitored by insurance professionals and counsel, Zurich seeks a declaration that it is not obligated under a CGL policy to defend or indemnify Sony against claims relating to three separate breaches of Sony's PlayStation network in which over 100 million customer records were improperly accessed. Over 50 class action lawsuits have been filed against Sony, with alleged damages in excess of $170 million. A central issue being litigated is whether coverage is provided under Side B Personal and Advertising Injury coverage, i.e. whether the data breaches constituted "publication." There have not yet been any rulings on the coverage issues, but this case may influence coverage claims going forward.

Although not involving coverage under a standard business policy, a recent Seventh Circuit case highlights some interesting issues for businesses and their professional service providers, and further underscores the need to assess the risk of cyber-related losses and how those risks can be managed.

  • Homeowners: Nationwide Ins. Co. v. Cent. Laborers' Pension Fund, 704 F.3d 522 (7th Cir. 2013)

Here, certain pension funds retained the services of an accounting firm. To perform these services, the pension funds provided the firm with a CD containing the confidential personal information of 30,000 participants and beneficiaries of the pension funds. One of the firm's employee accountants took the disc home in her car, from which it was subsequently stolen. As a result of this theft, the pension funds incurred credit monitoring and insurance costs.

Interestingly, the funds elected to sue the accountant herself to recover the costs stemming from the loss of the CD. The accountant sought coverage for this potential liability under her homeowner's policy. In a declaratory judgment action filed by the homeowners' carrier against the insured accountant and the pension funds, the court held that the loss was not covered, based on the application of two exclusions: The policy did not cover property damage to property the "care of" the insured. Also, the policy did not cover property damage arising out of or in connection with a "business"... engaged in by an "insured"... Accordingly, the court affirmed the lower court's judgment that the insurance company had no duty to defend or duty to indemnify the accountant.

This case illustrates one of the avenues a business could utilize to recover data breach losses caused by a third party - direct suit against the third party. Such a suit may not always cover the costs incurred (here, the accountant may not have the assets to cover the $200,000 in damages). Other less costly options may be available to businesses seeking recompense. In a footnote, the Nationwide court noted that efforts made by the pension funds to recover from the accounting firm were pending, although it was unclear whether those efforts were of the legal variety. The funds' choice of suing the accountant invites speculation as to whether the pension funds had traditional policies that could potentially cover this loss.

>View Attachment1