Don’t Count on CGL to Cover Cyber Claims

  • By: williamjones
  • June 1, 2015

By: Catherine Lyle

Unless your clients only accept cash and do not receive anyone’s personal information, they need cyber insurance. Do not fall prey to the thought that a traditional CGL policy will cover a cyber event.

When asked to find coverage for “cyber claims” under both the “property” and “personal injury” provisions of CGL policies, the courts have provided mixed results.

In a decision issued five years ago in Eyeblaster, Inc. v. Federal Ins. Co., the U.S. Court of Appeals for the Eighth Circuit grappled with whether or not a consumer’s claim—that his laptop had been damaged by spyware put there by an online marketing company—was covered by that company’s CGL policy.

Noting that the policy’s definition of “tangible property” excluded “any software, data or other information that is in electronic form,” the trial court ruled and the appellate court agreed that “The complaint would have had to make a claim for physical injury to the hardware in order for Eyeblaster to have coverage for ‘physical injury to tangible property.'” Ultimately, the Eighth Circuit found a duty to defend, but only because the underlying plaintiff had alleged repeatedly that he lost the use of his computer due to Eyeblaster’s invasion.

In a decision handed down just last year in Recall Total Information Management, Inc., et al. v. Federal Insurance Co, the Connecticut Court of Appeals considered the loss of computer tapes containing employment data for 500,000 IBM employees. Upon discovering that the tapes fell out of a van on a highway exit ramp, IBM was forced to spend more than $6 million taking steps to notify and protect the affected employees pursuant to a state notification statute. The transit company ultimately forced to pay that bill in turn sought coverage from its CGL carrier for the loss on the premise that the IBM employees had sustained “personal injuries.”

The trial court ruled for the carrier on the grounds that there was no “publication.” The Court of Appeals agreed, concluding that, “Regardless of the precise definition of publication, we believe that access is a necessary prerequisite to the communication or disclosure of personal information. In this regard, the plaintiffs have failed to provide a factual basis that the information on the tapes was ever accessed by anyone.”

Other courts have considered whether the CGL policy covers “privacy events” under Coverage B. Most recently, a U.S. District Court in Virginia concluded in Travelers Indemnity v. Portal Healthcare Solutions that the focus of coverage for privacy events comes down to the form of the publication and the entity doing the publication.

Travelers had issued two policies, for 2012 and 2013, which “obligate[d] Travelers to pay sums Portal bec[a]me legally obligated to pay as damages because of injury arising from (1) the ‘electronic publication of material that… gives unreasonable publicity to a person’s private life.’” When an action was brought against Portal alleging that it had posted medical records of patients of an area hospital on the internet, Travelers denied coverage. Both sides filed motions for summary judgment that turned on whether “publication” had occurred.

The Court ruled in Portal’s favor and required Travelers to defend the claim on the grounds that “publication” does not revolve around intent nor does it require that someone reads the material. Instead, “publication” occurs when information is merely “placed before the public.”

But no case better highlights the dangers of relying upon your CGL policy for coverage than Zurich American Insurance Co. v. Sony Corp. of America et al., which arose from a 2011 cyber attack that stole consumers’ personal information. Ruling in favor of Zurich, which had denied any duty to defend or indemnify, the Court based its decision on “who performed the publication,” because the CGL policy “calls for the policy holder to perpetrate or commit the act.” Because third-party hackers had committed the “publication,” not Sony, the Court concluded there was no coverage under the CGL policy. That decision is now up for appeal.

ISO has since stepped forward to clarify the purpose of the CGL policy and provide exclusions for data breach and cyber attacks: CG 2106 5/14, CG 2107 5/14 and CG 2108 5/14.

Catherine Lyle, J.D., is a vice president, claims expert with Swiss Re Corporate Solutions and teleworks from the Overland Park, Kansas office.

The June issue is out now!

Look Inside

Related

Brown & Brown to Buy Accession Risk Management for $9.8 Billion

  • Magazine

Health Care Liability Market Faces Uncertainty as Loss Severity Increases

  • Magazine

License to Lead: Meet 10 Young Agents 35 and Under

  • Magazine

How Automation And Quote-By-Text Can Help Your Agency Win Big

  • Magazine

How Individualized Sales Training Ignites Results

  • Magazine

6 Phishing Techniques Cybercriminals Use to Scam Businesses

  • Magazine

Declaration of Independents: Brock Elliott

  • Magazine
  • Viewpoints

AN Radio: What Agents Need to Know About Rising E&O Claims

  • Podcasts

What’s Driving the Rise in E&O Claims and What Can Your Agency Do to Prevent One?

  • Magazine

The Dangers of Dabbling: E&O Risks for Venturing Outside Your Expertise

  • Magazine