Part II of II: A Policyholder’s Guide to Insurance Coverage for “Cyber” Events

July 31, 2013, 3:54 PM UTC

III. “Traditional” Coverage as an Alternative to a Dedicated “Cyber” Policy

Insurance policies are as varied as the risks they address, from ordinary commercial general liability coverage to more exotic coverages such as political risk insurance or warranty and indemnity contracts. However, with respect to the risks commonly associated with a “cyber event,” three traditional coverage types are relevant: liability insurance, property insurance, and crime/fidelity insurance.

Liability Insurance

As it relates to “cyber” claims, liability coverage may include not only general liability coverage, but directors and officers liability (D&O) or professional liability/errors and omissions (E&O) coverage. Commercial general liability (CGL) insurance typically contains two principal coverage parts, A & B. Coverage A insures sums that the insureds become legally obligated to pay as damages because of “bodily injury” or “property damage” caused by an “occurrence” during the policy period. Coverage B typically insures sums that the insureds become legally obligated to pay as damages because of “personal and advertising injury” caused by various enumerated “offenses” committed during the policy period, including false arrest or imprisonment, malicious prosecution, wrongful eviction, slander, libel, business disparagement, publication that violates a person’s right of privacy, use of another’s advertising idea in an advertisement, or infringing on another’s copyright, trade dress, or slogan. Both Coverage A and Coverage B usually also provide the insurer with the right and duty to defend suits seeking covered damages.

Because either “bodily injury” or “property damage” is required to trigger Coverage A, claims involving cyber-related damages have historically prompted disputes over whether the insured’s liability arises out of “property damage,” which is defined as “physical injury to tangible property” and “loss of use of tangible property that is not physically injured.” Those courts finding coverage for cyber-related liability under Coverage A, usually in cases involving data loss or business interruption, have typically done so by tying the insured’s liability to some piece of tangible property, for example, finding that the insured was responsible for causing the loss of use of some physical computer component or data storage medium.[1] Those courts that have refused coverage for cyber-related damages under Coverage A have focused instead on the absence of any physical injury to tangible property from the mere loss of data.[2]

[1] See, e.g., Eyeblaster, Inc. v. Fed. Ins. Co., 613 F.3d 797, 802 (8th Cir. 2010) (finding that a general liability insurer had an obligation to defend an internet marketing firm against allegations that the firm’s “rich media advertising” had infected a user’s computer causing it to “freeze up” and lose data: “Federal did not include a definition of ‘tangible property’ in its General Liability policy, except to exclude ‘software, data or other information that is in electronic form.’ The plain meaning of tangible property includes computers, and the Sefton complaint alleges repeatedly ‘loss of use’ of his computer. We conclude the allegations are within the scope of the General Liability policy.”); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002) (reciting the following procedural history in a coverage dispute over a general liability insurer’s obligations to indemnify a computer service firm for third-party claims alleging damages resulting from the cost incurred to restore lost data: “The district court found that the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed.’ The district court concluded ‘computer data is tangible property.’ These rulings are not challenged on appeal.”); Retail Sys., Inc. v. CNA Ins. Cos., 469 N.W.2d 735, 737 (Minn. Ct. App. 1991) (affirming the trial court’s finding that a general liability insurer had a duty to defend underlying allegations that the insured data processing consultant lost computer tape containing the results of a political survey in 1984 because “the data on the tape was of permanent value and was integrated completely with the physical property of the tape”); State Auto Prop. & Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113, 1116 (W.D. Okla. 2001) (finding for purposes of a computer repair firm’s claim under a liability policy for defense and indemnity against a third-party claim for lost appraisal data and loss of use of computers that (1) computer data cannot be touched, held or sensed by the human mind and is not tangible property; (2) “[b]ecause a computer clearly is tangible property, an alleged loss of use of computers constitutes ‘property damage’ within the meaning of plaintiff’s policy”; but (3) because the loss occurred during the insured’s operations, the damages were excluded from the policy’s coverage).

[2] See generally, e.g., Sony Computer Entm’t Am., Inc. v. Am. Home Assurance Co., 532 F.3d 1007 (9th Cir. 2008) (finding that general liability insurers had no duty to defend underlying class action lawsuits alleging that Sony’s PlayStation 2 game console suffered from an inherent defect that rendered the products unable to play DVDs and certain games because (1) the underlying suits did not allege a general loss of use of DVDs and games, only an inability to use such items in Sony’s PlayStation 2; and (2) the underlying class action lawsuits did not allege any damage to DVDs or game discs); Am. Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 96 (4th Cir. 2003) (“The insurance policy in this case covers liability for ‘physical damage to tangible property,’ not damage to data and software, i.e., the abstract ideas, logic, instructions, and information. Thus, while it covers any damage that may have been caused to circuits, switches, drives, and any other physical components of the computer, it does not cover the loss of instructions to configure the switches or the loss of data stored magnetically. These instructions, data, and information are abstract and intangible, and damage to them is not physical damage to tangible property.”); cf. Lucker Mfg. v. Home Ins. Co., 23 F.3d 808, 820 (3d Cir. 1994) (affirming the judgment of the district court denying any duty to defend or indemnify under a general liability policy for purposes of an anchoring system manufacturer’s claim against a component manufacturer for a product defect that rendered useless the manufacturer’s original design and required modifications resulting in significant expense to the manufacturer, notwithstanding the court’s conclusion that loss of use includes the loss of economic use resulting from customer rejection, because unlike other cases alleging a loss to storage medium, “[t]he recovery Lucker sought was for the loss of use of the design itself—for the loss in usefulness of the original concept of the LMS,” and “[t]he loss of use of this concept, however, was not loss of use of something which could be touched or felt”); St. Paul Fire & Marine Ins. Co. v. Nat’l Computer Sys., Inc., 490 N.W.2d 626, 631–32 (Minn. Ct. App. 1992) (“Boeing’s claims against NCS alleged that NCS misappropriated Boeing proprietary information. Boeing was not suing NCS for Peters’ misappropriation of the binders in which Boeing’s information was kept; Boeing was suing NCS for taking information that gave NCS a competitive advantage over Boeing … . Peters’ actions did not make the information unusable; they only deprived Boeing of the exclusive use of the information. The information was in a tangible form; it was put on paper. However, the information was not tangible. Therefore, we conclude the Boeing complaint did not allege damage to tangible property covered under St. Paul Fire’s policy.”).

In 2001, the standard ISO CGL form was revised to clarify that “electronic data is not tangible property.” In 2004, the standard ISO CGL form was revised again to include an “electronic data” exclusion applying under Coverage A to “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data,” such as, “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.”[3] Therefore, for “occurrences” of “property damage” taking place since 2004, those insured under the standard CGL form may not have general liability coverage under Coverage A for suits involving loss or damage to data alone. However, to the extent that a third-party cyber claim may allege loss of use of, or even damage to, hardware or other computer equipment, as opposed to “data,” policyholders and parties generally should be sensitive to the requirement of “physical injury” or “loss of use of tangible property” in characterizing a cyber event or other occurrence. This holds true whether circumstances require investigating a loss, making an insurance claim, or pursuing liability claims against a third party.

[3] As of the April 2013 revision to the ISO CGL form, the “Electronic Data” exclusion now contains an exception for “bodily injury” arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

Under Coverage B, instead of “bodily injury” or “property damage,” “personal and advertising injury” is required to trigger coverage. “Personal and advertising injury” is generally defined under the current ISO CGL form to include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” For those policyholders involved in a data breach that results in the “publication” or disclosure of customers’, employees’, or other parties’ private, personally identifiable information, Coverage B may apply.[4] However, under the 2001 ISO CGL form, and in forms promulgated since then, coverage does not apply to “personal and advertising injury” committed by an insured whose business is (1) advertising, broadcasting, publishing, or telecasting; (2) designing or determining content of websites for others; or (3) an internet search, access, content, or service provider. Moreover, a separate, longstanding exclusion applies to “personal and advertising injury” arising out of oral or written publication of material whose first publication took place before the beginning of the policy period. Nevertheless, again, whether pursuing coverage or third-party claims, individuals and businesses should be aware of the coverage afforded for certain privacy violations under Coverage B, including the “publication” of personally identifiable information, within many ordinary general liability insurance policies.

[4] See generally Am. States Ins. Co. v. Capital Assocs. of Jackson Cnty., 392 F.3d 939, 941 (7th Cir. 2004) (responding to arguments over the scope of “advertising injury” coverage by stating, in dicta, that “[t]he language reads like coverage of the tort of ‘invasion of privacy,’” and “[p]erhaps the language reasonably could be understood to cover improper disclosures of Social Security numbers, credit records, email addresses, and other details that could facilitate identity theft or spamming”); see also Netscape Commc’ns Corp. v. Fed. Ins. Co., 2009 BL 182862 (9th Cir. 2009) (citations omitted) (“As an initial matter, the district court correctly determined that the claims against AOL were ‘personal injury offenses’ and within the policy’s coverage. The policy covered claims alleging that AOL had made known to any person or organization material that violated a person’s right of privacy. Although the underlying claims against AOL were not traditional breach of privacy claims, given that coverage provisions are broadly construed, the underlying complaints sufficiently alleged that AOL had intercepted and internally disseminated private online communications. While some cases have stated that coverage is triggered by a disclosure to a third party, they do so in dicta while deciding whether the personal injury clause covers invasion of ‘seclusion privacy’ claims. They do not address the policy’s language covering disclosure to ‘any’ person or organization, which we find dispositive.”); Tamm v. Hartford Fire Ins. Co., 16 Mass.L.Rptr. 535 (Mass. Super. Ct. July 10, 2003) (“The Eagle complaint alleges that Tamm accessed the private email accounts of Eagle and its executives and sent these private communications and materials to several outside counsel for Eagle. The allegations of sending these private communications via e-mail to outside attorneys seemingly satisfies both prongs under the invasion of privacy clause of the policy.”).

To the extent that coverage is not afforded under either Coverage A or Coverage B of a traditional general liability insurance policy, when faced with a “cyber” liability claim, insureds should also review and consider the potential coverage available under D&O and E&O policies. D&O insurance generally provides coverage for loss resulting from claims first made during the policy period for covered wrongful acts. For public companies, though, “D&O” coverage for the insured organization’s liability (as opposed to reimbursement of indemnification paid to individual insureds) is limited to “securities claims.” For non-public companies, however, D&O coverage may provide a source of recovery for some “cyber” related liability. At a minimum, to the extent that a “cyber” breach event results in follow-on litigation, including shareholder derivative litigation against insured officers or directors, D&O coverage would ordinarily respond to such claims. Likewise, E&O coverage generally insures the covered organization and insured persons against loss resulting from a claim first made during the policy period for covered wrongful acts committed in rendering or failing to render defined professional services. So long as the “cyber” liability at issue has the appropriate nexus with the insured(s)’ professional services, E&O coverage may provide another alternative avenue for policyholders facing “cyber” related claims.

Commercial Property Insurance

Commercial property insurance generally comes in two varieties—“all risk” and “named peril” insurance. “All risk” policies will cover the insured against “all risks” of “direct physical loss or damage” to covered property occurring during the policy period. “Named peril” coverage also insures against “direct physical loss or damage” to insured property, but only if caused by specific enumerated hazards, such as fire, theft, and hail. Whether denominated as an “all risk” or “named peril” policy, the benefit of commercial property coverage to an insured involved in a cyber breach depends on the insured’s ability to demonstrate “direct physical loss or damage.”

Historically, the circumstances that may constitute “direct physical loss or damage” are quite broad. For example, otherwise “undamaged” property may nonetheless be covered when rendered useless by contamination or even proximity to other damage.[5] In the context of cyber-related loss, coverage depends on the insured’s ability to demonstrate loss of a tangible, physical object, such as a computer or other piece of hardware,[6] as opposed to the loss of intangible information.[7] In some cases, a cyber breach may result in actual destruction of physical property.[8] More commonly, however, insureds seeking to recover lost profits from a service interruption may need to demonstrate, not only a loss of data, but an externally-caused loss of use of tangible hardware.

[5] See, e.g., Adams-Arapahoe Joint Sch. Dist. No. 28-J v. Cont’l Ins. Co., 891 F.2d 772 (10th Cir. 1989) (partial collapse of roof rendered all corroded portions of school roof unsafe); Customized Dist. Servs. v. Zurich Ins. Co., 862 A.2d 560, 565 (N.J. Super. Ct. 2004) (finding that misrotation of goods having no effect on the material composition of the goods but rendering them unfit for sale was “direct physical loss”); Gen. Mills, Inc. v. Gold Medal Ins. Co., 622 N.W.2d 147 (Minn. App. 2001) (concluding that impairment of function and value of food resulting from contamination and failure to comply with FDA regulations supported a finding of “physical damage”); Murray v. State Farm Fire & Cas. Co., 509 S.E.2d 1, 17 (W. Va. 1998) (“Direct physical loss also may exist in the absence of structural damage to the insured property.”); Sentinel Mgmt. Co. v. N.H. Ins. Co., 563 N.W.2d 296, 300 (Minn. App. 1997) (“‘Direct physical loss’ provisions require only that a covered property be insured, not destroyed.”); Matzner v. Seaco Ins. Co., 9 Mass. L. Rptr. 41 (Mass. Sup. Ct. Aug. 12, 1998) (finding that contamination of a building by carbon monoxide did constitute “direct physical loss” notwithstanding lack of structural damage because “the phrase ‘direct physical loss or damage’ is susceptible of at least two different interpretations”).

[6] See, e.g., Greco & Traficante v. Fidelity & Guar. Ins. Co., 2009 BL 305746 (Cal. Ct. App. Jan. 26, 2009) (affirming summary judgment in favor of the insurer denying coverage for fees lost when a power outage resulted in lost billing data under a policy requiring “direct physical loss” because (1) “one cannot suffer a direct physical loss of computer data unless that data has been stored on a media and is unavailable for use as a result of corresponding computer damage”; and (2) “Greco presents no evidence to suggest the missing billing data … was ever ‘stored’ on Greco’s computer system”); Se. Health Ctr. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 838–39 (W.D. Tenn. 2006) (“The Court finds that the corruption of the pharmacy computer constitutes ‘direct physical loss of or damage to property’ under the business interruption policy … . The computers ‘physically lost programming information and custom configurations necessary for them to function’ when they were damaged by the power outage.”); Lambrecht & Assocs., Inc. v. State Farm Lloyds, 119 S.W.3d 16, 27 (Tex. App.—Tyler 2003, no pet.) (reversing grant of summary judgment for insurer on an employment agency’s claim “under a business insurance policy for the loss of computer data and the related loss of business income” resulting from a “hacker’s” computer virus: “[t]he trial court erroneously sustained State Farm’s motion for summary judgment because the determination of whether the injection of the virus into Lambrecht’s computers was accidental must be made from Lambrecht’s viewpoint. After resolving all reasonable inferences in Lambrecht’s favor and viewing the injection of a virus into Lambrecht’s computer network system from Lambrecht’s perspective, we conclude that such act was accidental. Furthermore, because the policy defines the type of personal property that Lambrecht is alleged to have lost as a result of the virus and dictates that this property is subject to an ‘accidental physical loss,’ the personal property losses are ‘physical’ under the policy.”); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., 2000 BL 615 (D. Ariz. Apr. 18, 2000) (holding that the loss of use of a computer network caused by a power outage constituted physical damage for purposes of the insured’s business interruption claim); see also NMS Services Inc. v. Hartford, 62 Fed. Appx. 511 (4th Cir. Apr. 21, 2003) (finding property damage and damage to computers from a former employee’s hacking into the insured’s corporate database for purposes of the insured’s business interruption claim).

[7] See Ward Gen. Ins. Servs., Inc. v. Emp’rs Fire Ins. Co., 7 Cal. Rptr. 3d 844, 851 (Cal. Ct. App. 2004) (“Here, the loss suffered by plaintiff was a loss of information, i.e., the sequence of ones and zeroes stored by aligning small domains of magnetic material on the computer’s hard drive in a machine readable manner. Plaintiff did not lose the tangible material of the storage medium. Rather, plaintiff lost the stored information … . We conclude the loss of the database, with its consequent economic loss, but with no loss of or damage to tangible property, was not a ‘direct physical loss of or damage to’ covered property under the terms of the subject insurance policy, and, therefore, the loss is not covered.”); cf. MRI Healthcare Ctr. of Glendale, Inc. v. State Farm Gen. Ins. Co., 115 Cal. Rptr. 3d 27 (Cal. Ct. App. 2010) (affirming summary judgment against the insured seeking coverage for damages, including business interruption, sustained after an MRI machine failed to “ramp up” after it was “ramped down” for roof repairs to the building housing the machine because (1) “[t]he failure of the MRI machine to satisfactorily ‘ramp up’ emanated from the inherent nature of the machine itself rather than from physical ‘damage’”; and (2) “[f]or there to be a ‘loss’ within the meaning of the policy, some external force must have acted upon the insured property to cause a physical change in the condition of the property, i.e., it must have been ‘damaged’ within the common understanding of that term.”).

[8] See, e.g., Ellen Nakashima, Foreign Hackers Targeted U.S. Water Plant In Apparent Malicious Cyber Attack, Expert Says, Wash. Post (Nov. 18, 2011) (describing damage done to a water pump at an Illinois water utility through controls exerted from an IP address in Russia).

Crime/Fidelity Insurance

Crime or fidelity coverage refers to the body of insurance that protects insured organizations against direct loss from theft of money, securities, and other “tangible” property, including employee theft of the employer’s or a client’s property. Such policies often expressly make allowance for (1) loss of covered property from “computer fraud,” for example, the transfer of money, securities or other tangible property from the insured’s premises to an outside person or place; and (2) costs incurred to restore or replace certain data or programs, which have become lost because of a virus or vandalism.

While crime and fidelity insurance usually excludes coverage for the loss of intellectual property and there may not be coverage for the theft of PII or other intangible data from a cyber attack,[9] policyholders faced with a cyber breach should not overlook the potential for recovery under such policies. For example, even some quasi third-party liabilities directly resulting from the theft of customer information may be insured under a crime policy.[10] But, to the extent that crime/fidelity coverage is triggered upon the insured’s discovery of the subject loss, in order to take advantage of the coverage available, insureds should be vigilant in providing notice as required by the policy’s terms.[11]

[9] Peoples Tel. Co., Inc. v. Hartford Fire Ins. Co., 36 F. Supp. 2d 1335, 1341 (S.D. Fla. 1997) (finding that lists containing electronic serial numbers and mobile telephone identification numbers stolen by an employee and sold to third parties to clone cellular phones did not constitute “tangible property” for purposes of the employer’s claim under a crime insurance policy); but see Vonage Holdings Corp. v. Hartford Fire Ins. Co., 2012 BL 74915 (D.N.J. Mar. 29, 2012) (denying the insurer’s motion to dismiss the insured telecommunications company’s claims that the misappropriation of the insured’s communications lines by computer hackers resulted in loss covered by a policy insuring loss of and from damage to money, securities, and other property following and directly related to the use of any computer to fraudulently cause a transfer of property from inside the premises to a person outside the premises or a place outside the premises).

[10] See, e.g., Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (affirming coverage for expenses incurred for customer communications, public relations, customer claims, including chargebacks, card reissuance, credit monitoring and VISA/Mastercard fines, following the third-party theft and use of account information relating to 1.4 million DSW customers under a computer fraud rider to a “Blanket Crime Policy” insuring “Loss which the Insured shall sustain resulting directly from … the theft of any Insured property by Computer Fraud” notwithstanding the insurer’s objections that (1) the loss was not “solely” or “immediately” caused by the theft of insured property; and (2) the loss was excluded by a provision denying coverage for “loss of proprietary information … or other confidential information of any kind”).

[11] See, e.g., FDIC v. St. Paul Cos., 634 F. Supp. 2d 1213 (D. Colo. 2008) (denying coverage under a fidelity bond absent timely notice from the insured, without adopting a notice/prejudice rule); compare Lambrecht & Assocs., Inc., 119 S.W.3d at 27 (holding that the insured’s failure to notify authorities after a computer virus was discovered did not justify a denial of coverage for the insured’s claim relating to lost data and business interruption resulting from the virus because the policy’s terms “do not condition payment of a covered loss on contacting the police if a law was broken.”).
