In recent years internet-connected devices have become increasingly prevalent, and there is no sign that this trend is slowing. In fact, experts forecast that up to 200 billion “smart” devices may be connected globally by 2020. The exponential growth of the internet of things (IoT) has created corresponding increases in data collection and sharing, increasing the potential risk of data breaches and hacking events.
If you have turned on a television recently, you have likely seen advertisements for Wi-Fi-networked appliances and devices such as refrigerators or thermostats. While these devices represent a giant leap in consumer convenience, it is not difficult to imagine hackers exploiting a security vulnerability in such a device to access consumers’ personal information. Under most cybersecurity insurance policies, the manufacturer of such a device would be covered for most of the costs associated with such a breach.
However, this soaring level of internet connectivity also poses a risk of physical damage to property or bodily injury as a result of a breach—a risk far less likely to be covered under a cybersecurity insurance policy. For example, a hacker could access a web-connected appliance and potentially disable its temperature controls, overheat the appliance and cause a fire, or exploit a vulnerability in a driverless car’s control system, take control of the car and crash it. The idea of hacking into web connected devices, cars, or even medical devices is not mere speculation—it has already happened.
Even more troubling, hackers have exploited security vulnerabilities within the manufacturing, energy, and utilities industries in recent years, causing massive physical damage and significant losses, and placing human lives at risk. In 2008, hackers exploited a vulnerability in the surveillance camera software of a Turkish pipeline and were able to access the pipeline’s internal network. Using that access, the hackers first shut down alarms, then super-pressurized the oil in the pipeline, resulting in an explosion that disabled the pipeline without triggering any of the disabled alarms. The blast inflicted massive losses on the private companies and governments that held an interest in the pipeline.
In 2010, the Stuxnet computer worm was deployed to sabotage up to 1,000 uranium enrichment centrifuges at an Iranian nuclear plant. In a December 2014 report, the German Federal Office for Information Security disclosed that hackers gained access to a German steel factory’s production networks and tampered with the controls of a blast furnace, causing system components to fail. As a result of these system failures, one blast furnace could not be shut down, resulting in “massive damage.”
Coverage for Property Damage Under Cyber Insurance Policies
Coverage under cybersecurity insurance policies varies greatly between carriers, but such policies generally cover various first and third party costs associated with cybersecurity liability and data breach events. Typical first party coverages include network and business interruption expenses, data and digital asset loss and restoration costs, cybersecurity extortion payments, reimbursement of regulatory fines and event breach expenses such as forensic investigation, public relations, crisis management, notification costs and expenses related to call centers and credit and identity monitoring. Typical third party coverages include liability to customers, clients, and employees, amounts paid in regulatory actions, internet media liability, loss of another’s data, resulting in loss of use and loss of funds of another due to improper transfer.
Such policies are designed to address the types of events that have grabbed headlines in recent years such as the theft or inadvertent disclosure of confidential personal, credit card, and medical information or malware attacks designed to cut off network access. While the numerous policies available in the market vary significantly as to how and to what extent they cover these types of events, one constant across the cybersecurity insurance policies available in the market is that they universally exclude coverage for physical damage resulting from a breach event. These policies uniformly contain exclusions for loss arising out of or attributable to bodily injury or property damage. This is unlikely to change because carriers, still struggling to adapt coverage to address the ever-changing risks associated with headline-grabbing data breaches that compromise personal and confidential information, are reluctant to add coverage against the added risk of physical damage associated with data security breaches.
Given the lack of coverage for property damage resulting from cybersecurity and data breach events under cybersecurity insurance policies, it would be reasonable to assume that coverage for such property damage is available under commercial general liability (CGL) or property policies—i.e., the types of policies that typically are called upon to provide coverage for property damage. However, it has become increasingly difficult to obtain coverage for a cybersecurity event or data breach at all under a CGL policy in recent years, and coverage under a property policy is not a foregone conclusion.
CGL Policies
Unlike cybersecurity insurance policies, the overwhelming majority of CGL policies available are on policy forms utilizing the Insurance Services Office, Inc. (ISO) CGL policy form, or language similar thereto. As a result, with the exception of a small number of manuscript policies, the basic coverage under CGL policies is largely the same across carriers. Accordingly, most CGL policy forms provide coverage for “those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’ or ‘property damage.’” Under these policies, “property damage” is typically defined as “physical injury to tangible property, including all resulting loss of use of that property,” or “loss of use of tangible property that is not physically injured.”
The case of America Online, Inc. v. St. Paul Mercury Insurance Co.,
The current CGL policy forms incorporate part of the holding of America Online by clarifying that “electronic data is not tangible property.” As a result, damage to data itself cannot constitute “property damage,” eliminating the possibility of coverage for a cybersecurity event or breach that results only in the destruction or corruption of data. However, as data breaches became more prevalent, ISO and the insurance industry took further steps to clarify that the damages resulting from such events would not be covered under a CGL policy.
The current ISO CGL forms include an exclusion that was introduced in 2014, commonly known as “Exclusion P,” that was intended to preclude coverage for virtually all data breaches and hacking events. Exclusion P applies, in pertinent part, to damages arising out of (1) “any access to or disclosure of any person’s or organization’s confidential or personal information” and (2) “the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate ‘electronic data’ that does not result from physical injury to tangible property.”
The language of Exclusion P is likely broad enough to exclude the fictional examples of physical damage related to IoT devices discussed above. Disabling an appliance’s temperature controls to start a fire or taking control of a driverless car to crash it both involve overriding existing data and giving alternate instructions to a system or its controls. As such, both could be deemed to qualify as “loss of use of,” “damage to,” “corruption of” or “inability to access” or “manipulate” electronic data depending on the precise manner in which a hacker gained control and whether legitimate access to the system was blocked during the hacking event. Each of the hacking attacks discussed above involving the Turkish pipeline, Iranian nuclear plant and German steel factory similarly involved overriding existing controls and giving alternate instructions that caused the respective systems to perform in a manner inconsistent with those controls, and therefore would likely be excluded from coverage. Since, as mentioned above, electronic data is not tangible property, these examples of “loss of use of,” “damage to,” “corruption of” or “inability to access” or “manipulate” electronic data would be damage “that does not result from physical injury to tangible property” and would therefore fall within Exclusion P.
Based on the above, coverage for property damage resulting from a data breach or hacking event is unlikely under a CGL policy.
Property Policies
Although coverage for such damage is somewhat more likely under a property policy, it cannot be presumed. As a threshold matter, there is generally limited coverage under a property policy for damage to data itself. Courts were initially receptive to claims from policyholders involving the loss of access to or use of data. In American Guarantee & Liability Ins. Co. v. Ingram Micro, Inc., No. 99-185-TUC ACM, (E.D. Va. June 20, 2002), the policyholder sought coverage after it lost access to electronically stored data after a power outage, preventing the company from performing certain operations. The court held that physical damage was not limited to physical destruction and could include loss of access or loss of use of data.
In NMS Services, Inc. v. The Hartford,
The insurance industry responded to such holdings by adding an exception for “electronic data” in the definition of “Covered Property,” and providing additional coverage for “electronic data” limited to $2,500 for all loss or damage sustained in any one policy year, among other things. As a result, damage to electronic data itself is extremely limited under most property policies.
Putting aside the issue of coverage for damaged data itself, coverage for physical damage to things other than data resulting from a data breach or hacking event will likely hinge on the type of property policy at issue. Property policies generally cover direct physical loss of or damage to “Covered Property.” There are two basic types of property policies: (1) “all risk” policies, which generally cover loss of or damage to “Covered Property” arising from any fortuitous cause except those that are specifically excluded; and (2) “named peril” policies, which generally cover only loss of or damage to “Covered Property” caused by or resulting from an enumerated list of events or risks.
The “covered causes of loss” to which named peril property policies respond typically include events such as fire, lightning, explosion and certain weather conditions such as a flood, windstorm or hail. A cybersecurity event is not included as a covered cause of loss. Additionally, damage resulting from a fire or explosion stemming from a cyberattack would generally be deemed to have been “caused by” the cyberattack, not the ensuing fire or explosion. Named peril property policies often provide optional coverage for vandalism, typically defined as “willful and malicious damage to, or destruction of, the described property.” The fictional and real-life examples of physical damage discussed above—all of which involved overriding existing controls and giving alternate instructions, leading to damage or destruction of property—arguably fit this definition of “vandalism,” even though none align with the common understanding of that term. Until courts weigh in on whether hacking with the intent to cause physical damage could be deemed “vandalism,” policyholders advancing such an argument should expect pushback from their insurance carriers.
Larger companies sometimes purchase “all risk” policies that may eliminate these issues. As mentioned above, “all risk” policies generally cover loss arising from any fortuitous cause unless specifically excluded. Under such a policy, in contrast to a “named peril” policy, damage resulting from a fire or explosion stemming from a cyberattack should generally be covered unless a cyberattack was a specifically excluded cause of loss. However, some carriers issuing “all risk” policies are reluctant to provide coverage for these types of events and, as a result, limit damages to “electronic data and software” and not tangible property, and bar coverage by exclusion or carve back. This is particularly common within the market for energy companies, an industry in which the Institute Cyber Attack Exclusion Clause CL380, which bars coverage for cybersecurity events, is commonly included in policies issued.
Conclusion
Coverage for physical damage resulting from a cybersecurity event can be elusive. Carriers are still tailoring coverage to evolving cybersecurity risks, and, in many cases, reacting to those risks by eliminating coverage for resulting physical damage to property. Nevertheless, the outlook is not entirely bleak and help may be on the way. First and foremost, coverage under any policy, whether a CGL, property, cybersecurity insurance or other policy, always depends on the policy’s unique language. While the discussion above focuses on general trends and common coverages and exclusions, even a slight variation in policy language can have a dramatic effect on coverage. Additionally, under CGL or property policies, coverage for damage to intangible property (e.g., data), or even for property damage caused by a data breach or hacking event, may be available by endorsement.
Finally, a few carriers have begun to test the waters on “difference-in-conditions” policies—policies specifically designed to provide cybersecurity insurance coverage that fills the gaps in a policyholder’s underlying insurance policies. While these policies are new to the market and not widely available in the U.S., some of the gaps they can cover are for equipment failure and damage and property damage due to fire or explosion, among other things. Ultimately, the most appropriate avenue for coverage seems to be a property policy. However, unless and until such policies begin to unequivocally provide coverage for property damage resulting from a data breach or hacking event, policyholders should always review all relevant policies thoroughly and be aware of any gaps in coverage, and look for policies that fill any gaps in which a coverage dispute could arise based on their company’s business and risk profile.