Standard CGL Policy May NOT Cover Most Cyber Risks.
It has become clear that network security alone is inadequate to mitigate a company’s cyber risk. Hackers have shown just this last year that they can penetrate firewalls and network security systems.
Insurance coverage should be part of your risk management protocol. But to what extent are you covered? A 2012 Towers Watson report revealed that 72% of the 153 Risk Managers polled admitted that they had not purchased network security or privacy liability policies. (2012 Towers Watson Risk and Finance Manager Survey at p. 1.) It just is not on anyone’s general radar for coverage options. Also, most assume that coverage is included in their all-risk policy forms.
But it is not. There are gaps about which you should be aware as you reconsider your policy portfolio this upcoming year. Insurers have denied that the standard CGL policy covers certain types of cyber risk.
Policyholders have had some success challenging these positions in the courts. There is little case law that addresses whether claims arising from data breaches or other cyber crimes are covered by the “bodily injury” or “physical injury” all-risk language in a CGL policy. Bodily injury could involve emotional harm. Thus there may be an argument for coverage for claims made by third parties if a hacker distributed or used the data you hold on those third parties to their detriment. Also, the privacy and personal injury (advertising) coverage could cover such losses.
For example, in Tamm v. Hartford Fire Insurance Co., 2003 WL 21960374 (Mass. Super. Ct. 2003), the policyholder sued its insurer after a hacker accessed private e-mail accounts and threatened to contact a specific list of e-mail addresses for certain individuals. The court found that the insurer had a duty to defend underlying suits against the company. But the holding was fact-specific because the e-mails were sent to outside counsel, which could be seen as an invasion of privacy. This type of loss – invasion of privacy claims – is covered under a CGL policy, the court there found.
The case of Zurich American Ins. Co. v. Fieldstone Mortgage Co., 2007 WL 3268460 (D. Md. Oct. 26, 2007) is also instructive. There a plaintiff alleged in an underlying lawsuit that the policyholder, Fieldstone, improperly accessed his credit information and sent it to others. The insurer denied Fieldstone’s tender of defense of the underlying lawsuit. The court disagreed. It found that a standard CGL does require that the insurance company provide a defense to claims for breach of privacy when facts are “published,” which they were there.
At the other end of the spectrum, the case of Liberty Corporate Capital Ltd. v. Sec. Safe Outlet, Inc., 937 F. Supp. 2d 891 (E.D. Ky. 2013) gives us some guidance. There the policyholder, Security Safe Outlet, was accused of stealing Bud’s Gun Shop’s customer database information. The policyholder then tendered the claim to its insurer, Liberty Corporate Capital, which denied coverage. The court held that Security Safe’s CGL coverage did not apply to losses following criminal access of a customer database. Id. at 896.
With such variance of case law in the legal landscape, and so little of it to give us good guidance, policyholders of all-risk insurance might sensibly decide to explicitly cover foreseeable cyber risks. Why leave it up to the courts, years after the losses have occurred, to resolve coverage issues for you? Insurers have stated that they do not believe that their policies cover most cyber risks. Purchasing an endorsement or an extra policy form to cover cyber losses is more than prudent – it is good risk management.