Hepler Broom, LLC

Do ISO’s New “Access or Disclosure of Confidential or Personal Information and Data-Related Liability” Exclusions Eliminate Insurance Coverage for Cyber Liability and Data Breach Claims?

May 5, 2014

A New York trial judge’s recent decision in Zurich American Insurance v. Sony Corporation of America has set the legal blogosphere aflutter with arguments and counter-arguments as to whether cyber liability and data breach claims fall within the “Personal and Advertising Injury Liability” coverage section (Coverage B) afforded by most commercial general liability (CGL) policies. A new set of data breach exclusionary endorsements, however, filed in many jurisdictions by Insurance Services Office, Inc. (ISO) and set to take effect this month, May 2014, appears poised to end the debate over CGL coverage for these types of claims. But will they?

The issue in Sony was whether the underlying consumer class action claims brought in connection with the 2011 data breach of Sony’s PlayStation network sought damages because of “personal and advertising injury” under Coverage B. Zurich’s CGL policy in that case featured the typical definition of “personal and advertising injury”, which included “injury… arising out of… [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” The New York trial judge held that this definition requires “some kind of act or conduct by the policyholder in order for coverage to be present”. Because “there was no act or conduct perpetuated by Sony”, but rather third party “hackers breaking into that security system”, the court held that Zurich’s CGL policy did not afford coverage for the claims against Sony.

Courts in other jurisdictions have arrived at the opposite conclusion regarding coverage for cyber liability and data breach claims under Coverage B. See e.g. Netscape Communications Corp. v. Federal Ins. Co., 343 Fed.Appx. 271 (9th Cir. 2009); Tamm v. Hartford Fire Ins. Co., 16 Mass.L.Rptr. 535, 2003 WL 21960374 (Mass. Super. Ct. 2003).

As a result, ISO initially responded by including in its April 2013 revisions to its CGL forms an optional endorsement labeled “Amendment Of Personal And Advertising Injury Definition” (CG 24 13 04 13). This endorsement removes “injury… arising out of… [o]ral or written publication, in any manner, of material that violates a person’s right of privacy” from the definition of “personal and advertising injury” altogether. This removal effectively defeats coverage in most cases for cyber liability and data breach claims under Coverage B. The problem is that eliminating this language from the “personal and advertising injury” definition also defeats coverage for the more traditional type of privacy claims typically covered by a CGL policy.

In contrast, ISO’s new exclusionary endorsements set to take effect in May 2014 are more narrowly tailored to the cyber liability or data breach context. For example, one of the new mandatory endorsements labeled “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Limited Bodily Injury Exception” (CG 21 06 05 14) applies specifically to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.

This endorsement features a similar exclusion for coverage provided by the “Bodily Injury And Property Damage” section of the standard CGL form (Coverage A). By removing coverage for claims “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information”, the new endorsement certainly seems to target coverage for cyber liability and data breach claims.

Policyholders likely will argue that ISO’s inclusion of these new exclusionary endorsements demonstrates that the standard CGL form, without these exclusions, necessarily provides coverage for cyber liability and data breach claims. Otherwise, the argument will go, there is no need for these new exclusions. That type of argument has had mixed success in other contexts. For example, insureds have argued that the presence of the “your work” exclusion in CGL policies serves as a concession that defective construction work claims necessarily meet the “occurrence” and “property damage” requirements of Coverage A. Insurers that issue or have issued policies without these new “Access or Disclosure of Confidential or Personal Information and Data-Related Liability” endorsements may face this argument.

Insurers that do issue policies with these new exclusionary endorsements will have to show that they apply to cyber liability and data breach claims. Although the exclusionary provisions are new, carriers can expect policyholders to raise familiar arguments to try to defeat them.

For example, many liability policies contain exclusions for bodily injury claims arising out of sexual acts, conduct or abuse. Those exclusions certainly eliminate coverage for the direct perpetrator of the act or abuse. Some jurisdictions, however, have held that those exclusions may not apply to claims against indirect tortfeasors, such as employers or parents of the direct perpetrator, under various negligent hiring, retention or supervision theories. The policyholder argument for coverage lies in the theory that the plaintiff’s claim against the employer or parent was one for injury caused not by sexual abuse or conduct, but by negligent hiring, retention or supervision. Whether courts will apply that same reasoning to these new data breach exclusions, and whether it even makes sense to do so, remains to be seen.

ISO’s new exclusionary endorsements appear designed to end the debate over whether CGL policies cover cyber liability and data breach claims. Whether those endorsements have ended the debate, or simply sent it in a new direction, will be decided by the courts in the upcoming years.