Hepler Broom, LLC

Are Data Breach Claims Covered by a Commercial General Liability Policy?

April 1, 2014

“Hello, Mr. Jones. Did you just try to make a $10,000 jewelry purchase in Brazil?” To put it mildly, that is not the type of question that you want your customers – or, as an insurance company, the customers of your policyholder – to receive. All too often, however, despite the best security efforts, data breaches of sensitive personal information, like credit card data, do occur.

The insurance industry sells a variety of products designed specifically to provide coverage for these types of claims and losses. But would liability for such a data breach be covered by the backbone of most companies’ insurance programs – the commercial general liability or CGL policy? Insurance carriers instinctively say, “No.” Policyholders take a different view.

That issue was the subject of a New York trial judge’s recent decision in Zurich American Insurance v. Sony Corporation of America. Zurich filed that declaratory judgment action against Sony to determine whether it had any liability coverage obligations to Sony in connection with the 2011 data breach of Sony’s PlayStation network. An underlying class action had been filed against Sony on behalf of users of the online video game network, alleging that they had been damaged by the theft of their personally identifiable information, such as credit card information.

The New York judge’s answer to this coverage question focused on whether the claims against Sony sought damages because of “personal and advertising injury”. Zurich had agreed in Coverage B of its CGL policy with Sony to “pay those sums that [Sony] becomes legally obligated to pay as damages because of ‘personal and advertising injury’”. The policy defined “personal and advertising injury” to include “injury… arising out of… [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

The court seemed in some sense to agree that the “publication” requirement had been met:

In this case here I have a situation where we have a hacking, an illegal intrusion into the defendant Sony’s secured sites where they had all of the information… That information is there. It’s supposed to be safeguarded. That is the agreement that they had with the consumers that partake or participated in that system… So that in the box it is safe and it is secured. Once it is opened, it comes out… And that is where I believe … the publication comes in. It’s been opened. It comes out. It doesn’t matter if it has to be oral or written.

We are talking about the internet now. We are talking about the electronic age that we live in. So that in itself, by just opening up that safeguard or that safe box where all of the information was, in my mind … publication.

The problem for the trial judge, however, was that the publication was conducted not by Sony, but by outside hackers. Sony argued that the policy did not require Sony to engage in wrongdoing in order for coverage to apply. It argued that the definition of “personal and advertising injury” did not require the insured to publish material that violated a person’s right of privacy. It contended that it just had to “become legally obligated” to pay damages for “injury… arising out of… [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

The New York judge disagreed. He held that, reading the “entire policy”, the “personal and advertising injury” definition requires “some kind of act or conduct by the policyholder in order for coverage to be present”. Because “there was no act or conduct perpetuated by Sony”, but rather third-party “hackers breaking into that security system”, the court held that Zurich’s CGL policy did not afford coverage for the class action claims against Sony.

The court’s summary judgment in favor of Zurich is currently on appeal.

How would a Missouri or Illinois court rule on these coverage issues in a data breach situation? Stay tuned.
