“Are CGL Data Breach Cases Already Meaningless?”
Law360 04/22/16 By Jeffrey O. Davis
As detailed in this publication just this week, the Fourth Circuit's decision in Travelers v. Portal Healthcare Solutions is but the latest in a series of decisions addressing coverage for data breach liability under a commercial general liability policy. Others include Recall Total Information Management. v. Federal Insurance Co., Zurich American Insurance Co. v. Sony and Hartford Casualty Insurance Co. v. Corcino & Associates. These decisions make up a small body of case law addressing personal and advertising injury coverage for data breach liability stemming from various circumstances. Portal involved an insured that inadvertently allowed patient records to be uploaded, unprotected, to the internet. Corcino involved similar facts — the insured provided a job applicant patient information for testing purposes who then posted it on an internet help site — with the added twist that the plaintiffs alleged statutory claims that were the subject of an express exclusion in addition to common law claims that were not. Recall Total Information involved a loss of computer tapes containing personal information due to a highway mishap in which the tapes fell out of the back of a van. Sony involved the theft of customer information held by Sony through the hacking into Sony's Playstation network.
The overarching issue in these cases was whether an insured possessing third-party information that is the subject of a data breach, and is subsequently sued, has coverage under the "Coverage B" portion of its policy — the Personal and Advertising Injury section — which (in the standard iteration) covers injury "arising out of ... oral or written publication, in any manner, of material that violates a person's right of privacy." Portal Healthcare and Corcino favored the policyholder; Total Information and Sony the insurer, though each case had aspects that made them unique and distinguishable from each other.
Perhaps, in light of the Portal Healthcare case, the first federal circuit court decision in which "publication" was found to include a data breach (though the decision is unpublished, and largely consisted of blessing the district court decision), policyholders can claim that the tide is turning their way in these cases. Portal Healthcare and Corcino both had little trouble concluding that posting data on the internet was a "publication" (the primary issue in Corcino was whether the statutory counts triggered an exclusion for statutory liability, which the court said it did not). The Sony court also found the publication requirement satisfied, in that case merely by the taking of the information by third party hackers. (The state trial judge in Sony barred coverage only because he was of the view that the data breach had to be committed by the insured in order to be covered, in the process ignoring the language of the policy, to say nothing of its purpose to cover risk of the insured's liability.) "Publication" is not a defined term, but it is hard to quarrel with these courts' conclusion that the ordinary meaning of this term is satisfied based on the ease of access created by the insured's error. As the Portal court noted, "any member of the public with an internet connection could have viewed the plaintiff's private medical records during the time all records were available online," which falls pretty squarely within the definition of "publication" — "to place before the public" — that Travelers itself had asserted.
A Pyrrhic Victory?
One could divine from these cases a sense that, for at least many types of data breach, policyholders are slowly winning the battle for CGL coverage. But whether or not that is the case, they are very quickly losing the war. In 2013, the ISO came out with a series of data breach exclusions that render CGL coverage for data breach incidents a near impossibility (though one of the endorsements carves out bodily injury where the data breach involves the loss of data or its use). The exclusions have been universally adopted by insurance regulators and are becoming standard in carrier quotes. Nor is this a situation like asbestos and environmental liability, where the horse was out of the barn by the time the industry thought to exclude coverage. Though exclusions for those risks have been around for the past 30 years, the latency of injury in those cases, and occurrence-based nature of the policies, has caused coverage under pre-1986 policies to remain highly relevant today and for the foreseeable future in covering these risks. That doesn't seemly likely with cyber. Coverage under the personal and advertising injury section is triggered based on the timing of an "offense." While there could be some latency period due to the potential delay between the offense and resulting injury in data breach cases, that latency period is typically measured in months, not years.
For those policyholders facing a current data breach claim or incident, the possibility of CGL coverage should not necessarily be counted out — there are still policies out there without the exclusion. Indeed, even going forward, one risk management strategy might well include quietly seeking a renewal of existing coverage rather than switching carriers in order to increase the odds that the same exclusionless form remains in place in the renewal. But as time goes on, the possibility of CGL coverage will become more and more remote.
What all this means, of course, is that any policyholder concerned about insurance coverage for data breach incidents — and increasingly that includes all corporate policyholders who maintain electronic records — has little choice but to explore the new wave of cyber policies that are quickly becoming ubiquitous. That is not necessarily a bad thing. Standalone cyber policies provide more certain and comprehensive coverage for the various forms in which a data breach can take and the various forms of liability and damages that may ensue, ranging from breach notification costs to government and credit card issuer fines to ransomware. The cyber policy purchasing decision presents its own challenges, since the policies are not uniform, and key financial terms such as limits are, at least at this point, not easily benchmarked. That is a topic for another article. Or two.
Has Coverage B Been Relegated to Obscurity Once Again?
Getting back to the CGL, a broader question, and one that is not really getting a lot of attention just yet, concerns the overall future of personal/advertising coverage as a relevant part of a company's risk management program. Some type of personal and/or advertising injury coverage has been around some 40 years and its early iterations were broad enough to encompass many claims that today are excluded. Intellectual property, TCPA (i.e., "blast fax"), FCRA cases — all at one time or another gave personal and advertising injury coverage a prominent role to play in a corporate risk management strategy. Today, all of these risks are, for the most part, expressly excluded, and covered if at all by standalone coverage outside of the standard CGL. What's left? First, there are a various hodgepodge of claims that are rarely, if ever, the subject of corporate liability. False arrest, malicious prosecution, trespass — these are old-fashioned torts that are rarely seen in today's Corporate America. Defamation and trade libel arise on occasion in business disputes, but one rarely sees these cases result in significant exposure. False advertising is covered — but only where involving disparagement of one's competitor. Liability for copyright and infringement of certain forms of trade dress and slogan, provided they involve the insured's advertising, pretty much make up the balance of this coverage. Not exactly the types of risk that keep most executives awake at night.
In short, insurers seem determined to keep the Personal and Advertising Injury section in a dark corner of the policy where it serves little purpose as a meaningful way to manage genuine corporate risk, at least for many. Changes to Coverage B over the years — with significant revisions coming in 1998, 2001, 2005, 2007 and 2013 — have dwarfed those to other coverage parts and in most cases the change has restricted coverage to eliminate some newly formulated risk, with cyber exclusions being the latest manifestation of that pattern. Indeed, there seems to be a sense among some risk managers that this coverage is something of a "throw-in," and they would readily jettison it rather than pay premiums for risks that are highly unlikely to materialize. Whether that perception is accurate — and the related question of what portion of premium goes toward this type of coverage — is one that brokers and risk managers may be well advised to start exploring.