It’s no secret that more and more businesses are getting hit with headline-grabbing data breaches as well as more mundane mishaps associated with online activities and other computer incidents. Businesses large and small faced with such incidents can anticipate claims from third parties as well as expenses for their own losses.
When faced with such claims and expenses, businesses may look to their insurers for coverage under their traditional commercial general liability (CGL) policies, commercial liability umbrella (CLU) policies, directors and officers (D&O) policies, errors and omissions (E&O) policies, and property damage policies. So now the question is, will anyone succeed in obtaining coverage?
The good news for insureds is that several courts have found coverage for such events. For example, in Travelers Indemnity Company of America v. Portal Healthcare Solutions LLC, the Eastern District Court of Virginia held that the inadvertent online posting of patient medical information constitutes a “publication” under a general liability policy sufficient to trigger a duty to defend an insured against a class action seeking damages for a breach of privacy claim.
Rejecting the insurer’s arguments that online posting is not a “publication” (publication was not defined in the policy) and that online posting did not amount to a publication when no third party was alleged to have viewed the information, the court concluded that “publication” does not require actual third-party access, but only requires that the information be “placed before the public,” even if no one ever gains access to or reads it.
As another example, in Eyeblaster Inc. v. Federal Insurance Co., the U.S. Court of Appeals for the Eighth Circuit held that an online marketing company was entitled to a defense under its CGL and E&O policies for a “spyware” claim. The insured, Eyeblaster, is an online marketing company that runs interactive advertising campaigns for its customers using cookies, JavaScript, and Flash technologies.
The insurer refused to defend Eyeblaster against a lawsuit brought by a plaintiff alleging that Eyeblaster installed spyware on his computer without his consent and that the spyware caused damage to his computer. The CGL policy obligated the insurer to provide coverage for property damage caused by a covered occurrence. The policy defined “property damage” as “physical injury to tangible property, including resulting loss of use of that property; or loss of use of tangible property that is not physically injured.” The policy, however, excluded from the definition of tangible property “any software, data, or other information that is in electronic form.”
Notwithstanding this exclusion, the court held that Eyeblaster was entitled to a defense under the CGL policy because the plaintiff alleged that Eyeblaster’s spyware caused temporary loss to the use of his computer. Observing that the “plain meaning of tangible property includes computers,” the court noted that the underlying claim alleged covered property damage based on allegations that the computer “froze up” and became inoperable. The court also held that Eyeblaster was entitled to a defense under the E&O policy because the installation of tracking cookies, JavaScript, and Flash technologies constituted “wrongful acts,” which is defined in the E&O policy as “an error, an unintentional omission, or a negligent act.”
Additionally, courts have held that tangible property includes data. In Retail Systems Inc. v. CNA Insurance Company, a Minnesota appellate court held that a computer tape and the information contained on the tape are tangible property under an insurance provision limiting coverage to physical injury or destruction of tangible property. The court compared a data storage tape to a motion picture, reasoning that “the data on the tape was of permanent value and was integrated completely with the physical property of the tape. Like a motion picture, where the information and the celluloid medium are integrated, so too were the tape and data integrated at the moment the tape was lost.”
Also, in American Guarantee and Liability Insurance Co. v. Ingram Micro Inc., the U.S. District Court for the District of Arizona held that physical injury to property “is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.” The court held that “when a computer’s data is unavailable, there is damage; when a computer’s services are interrupted, there is damage; and when a computer’s software or network is altered, there is damage.”
Insurers have responded to these cases in several ways. One response is the assertion of the “coverage intent” defense, which argues that because there were no cyber risks or cyber breaches when traditional CGL, CLU, D&O, and E&O policies were drafted, neither the insured nor the insurer envisioned losses resulting from data breaches, hacking, or inadvertent electronic data disclosures. Thus, there was no intent on the part of either the insured or the insurer that such loses would be covered under these policies.
Additionally, the Insurance Services Office (ISO), which creates policy forms used by many insurers, has begun seeking state approval of new endorsements both to reinforce the “coverage intent” defense with regard to traditional policy forms and to exclude, or greatly restrict, coverage in such policies for most, if not all, cyber liabilities.
The bottom line is that courts are continuing to develop coverage case laws for cyber incidents under traditional types of policies and have only begun addressing such claims made under newer types of policies. While it is clear that insureds will continue to seek coverage for cyber liability and that insurers will continue to deny such coverage, the jury—so to speak—is still out on how the case law will evolve in resolving these coverage disputes.